ISO 27001 Clause 7.1 Resources

ISO 27001 Clause 7.1 requires an organisation to determine and provide the resources needed to establish, implement, maintain and continually improve its information security management system (ISMS). Resources means people, budget and tools. The clause is deliberately short: work out what the ISMS needs, then make sure it is provided, and keep doing so as the ISMS changes.


What to Do

  1. Determine the needs: Work out which people, budget and tools the ISMS requires. Typical examples are a named information security manager or ISMS owner, security awareness training for staff, specialist skills such as internal auditing, and software such as vulnerability scanning or logging tools.
  2. Provide the resources: Once the needs are known, provide them. This can mean hiring or assigning people, delivering training, allocating budget and buying or licensing tools.
  3. Keep a record: A simple resource plan helps, for example a list that maps each ISMS role and task to the person responsible and the budget or tools allocated to it. This is also the evidence an auditor will ask for.

Segregation of Duties

When planning resources for a small organisation, a common question is whether one person can hold more than one ISMS role. The answer is yes. In smaller organisations it is normal for one or two people to be responsible for many different tasks, and the standard does not prohibit this.

What you must still respect is segregation of duties (Annex A control 5.3 in the 2022 edition). Conflicting responsibilities should be split between different people so that no single person can both initiate and approve the same action. For example, the person who raises a request, such as an access request or a change, should not be the person who approves it, and the person who operates a control should not be the only person who checks it. Where the headcount makes full separation impossible, document the conflict and put a compensating control in place, such as independent review of the approvals or monitoring of the activity, so the risk is managed rather than ignored.


ISO 27001 Internal and External Resources

If you want to build the skills and experience inside your own company, consider ISO 27001 training. There are many good courses to choose from, including ISO 27001 lead auditor and lead implementer training.

In our experience, these courses teach great book knowledge about the standard, but they offer little help with real-world use. They do not come with guides or offer specific, personal advice.

If you want training, think about book-based training and about companies like High Table. High Table offers low-cost, one-on-one training that takes place while you work on your own project and teaches your team as you go. The ISO 27001 Toolkit also comes with a lot of free training and support. There are free resources online as well, such as this YouTube channel about ISO 27001 that shows you how to do it yourself.

Achieving ISO 27001 certification means working with people who have the right competence. You can engage a professional, such as a High Table ISO 27001 consultant, hire someone full-time, or develop your own staff through training courses. Whichever route you take, keep records of the competence you have relied on, because Clause 7.2 (Competence) will be audited alongside Clause 7.1.


What an Auditor Checks

An auditor will look for evidence that you have competent people responsible for information security, that staff have been trained and the training is recorded, and that the budget and tools the ISMS needs have actually been provided. Expect them to ask how resource needs were identified, to look at role assignments and training records, and to check that resource needs are discussed in management review (Clause 9.3), where the adequacy of resources is a required topic.


Frequently Asked Questions

Has this clause changed?

No. Clause 7.1 was not changed in the 2022 version of the standard.

Who is in charge?

Top management is responsible. Clause 5.1 (Leadership and commitment) requires top management to ensure that the resources the ISMS needs are available, so the decision to provide people, budget and tools sits with them even if day-to-day planning is delegated to the ISMS owner.

Why is this clause so important?

Because an ISMS project fails when it is under-resourced. Without the right people, training, budget and tools, controls are not implemented properly, audits and reviews are skipped, and the ISMS cannot be maintained or improved over time.