ISO 27001 Information Security - Clause 7.1 Resources
23 ,June 2022 - ISO 27001 Information Security in plain English - Blog post #10.
ISO 27001 - Clause 7.1 Determine and provided the resources needed for the ISMS.
ISO 27001 Information Security in plain English
Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.
Determine and provide resources
Clause 7.1 Resources is one of the briefest clauses in ISO 27001. It bascially requires you to determine, plan, and provide the resources necessary for your ISMS. It's one of those clauses that has a strong interaction with a number of other clauses and controls in the standard. That will become apparent in the discussion below.
Resources need to be determined and made available for the complete life-cycle of the ISMS. That includes:
- Initial analysis
- Risk assessment
- Implementation of controls
- Disaster recovery / business continuity
- Internal audits, reviews and logging
- Continual improvement
- Certification (if required)
The determination and provision of resources should take into account what capabilities are already available inside the organization, and what needs to be procured or obtained from external providers. Hardware, software, external expertise and other resources should be procured where necessary.
At a strategic level, a logical time for consideration and planning for the necessary resources would be at the periodic management review of the ISMS. It may be useful to have one or more specific agenda items for resource planning to help ensure that the topic is given the attention it deserves. In common with most management system standards, ISO 27001 Clause 9.3 has a specific requirement for such management reviews and we'll be discussing that later in this series. On a more operational level, resources may be considered as part of addressing Clause 8.1 Operational planning and control. That might include rosters, schedules, departmental / project planning, team meetings, procurement etc.
The elements of resource planning that should be considered are discussed in the sections below.
Types of resurces
Perhaps the most important resource in any organization is its people. The standard requires you to determine and make available the people needed to effectively implement your ISMS.
We need to consider what roles are required and then to fill those roles. This element may be considered in conjunction with arrangements for Clause 5.3 Organizational roles, responsibilities and authorities, Clause 7.2 Competence, and Annex Control 7 - Human resource security. We will be discussing those in other articles in this series.
Facilities and Infrastructure
Adequate facilities need to be made available. These need to be appropriate to protect against the risks faced. They may include:
- Buildings / Physical security. For example: Secure areas such as server rooms, Doors, locks and facilities for physical security
- Hardware. For example: Servers, personal computers, laptops etc.
- Software. For example: Anti-malware software, MDM (Mobile Device Management) software, Management system software such as Qudos 3 IMS
- Communications systems
- Energy and service utilities
None of these resources will be made available with an adequate budget being available. A certification auditor will often ask questions relating to budget allocation for information security resources and may take an appropriate provision being made in their assessment against Clause 5.1 leadership and commitment.
As we mentioned at the start of this article, clause 7.1 Resources has a strong interaction with a number of other clauses and controls in ISO 27001. We are sure you will agree.
About the series 'ISO 27001 Information Security in plain English'
This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.
This blog series began with an introductory webinar. A copy of the slide deck is available for you here:
Qudos_ISO_27001 Information_Security_in_plain_English (PDF)
Click the LinkedIn Follow button below to receive notifications.
There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.
Ready to start your journey to ISO 27001?
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!