ISO 27001 Clause 7.1 Resources

ISO 27001 Clause 7.1 is about making sure a company has the right resources to manage its information security system. This includes people, money, and tools. The rule states that a company must figure out what it needs and then provide it. This helps a company build, use, and improve its security system.

What is ISO 27001 Clause 7.1 Resources?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Resources”.

What is the ISO 27001 Clause 7.1 control objective?

The formal definition and control objective in the standard is: “The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.”

What is the purpose of ISO 27001 Clause 7.1?

The purpose of ISO 27001 Clause 7.1 is “To make sure you have the resources you need for an effective information security management system (ISMS).”

Is ISO 27001 Clause 7.1 Mandatory?

ISO 27001 Clause 7.1 (Resources in the 2022 standard) is a mandatory clause in the main body of the standard.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. The following are the key steps:

  1. Find the needs: You must figure out what people, money, and tools you need. This could be a security manager, training for staff, or new software.
  2. Provide the resources: Once you know what you need, you must provide it. This can be done by hiring people, giving training, and buying tools.
  3. Use a plan: You can use a plan to help you. For example, you can use a list to keep track of the people you need for each job.

Segregation of Duties

When considering resources for your small organisation, a common question is whether a single person can have more than one role. The answer is yes. In smaller organisations, it’s normal for one or two people to be responsible for many different tasks. This is perfectly fine.

The main thing you must remember is segregation of duties. This means you must separate certain responsibilities. For example, the person who asks for approval shouldn’t be the same person who gives the approval.

ISO 27001 Internal and External Resources

If you want to get skills and experience inside your company, you can think about ISO 27001 training. You can choose from many good courses, like ISO 27001 lead auditor and lead implementor training.

In our experience, these courses teach great book knowledge about the standard, but they offer little help with real-world use. They do not come with guides or offer specific, personal advice.

If you want training, you should think about book training and companies like High Table. High Table offers low-cost, one-on-one training that happens while you work on your project and teaches your team. The ISO 27001 Toolkit also gives you lots of free training and help. There are also free things online, like this great YouTube Channel about ISO 27001 that shows you how to do it yourself.

To get your ISO 27001 certificate, you need to work with trained and skilled people. You can hire a professional, like a High Table ISO 27001 Consultant, hire someone full-time, or teach your own staff using courses.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will:

  • Check if you have competent people who know about security.
  • Check if your staff has been trained.
  • See if you have provided all the money and tools needed for your security system.