ISO 27001 Clause 7.1 Resources: Certification Body Guide

ISO 27001 Clause 7.1 Resources

ISO 27001 Clause 7.1 Resources is a management control that requires an organisation to determine and provide the resources needed to establish, implement, maintain, and continually improve the ISMS. It ensures the security function has the necessary people, infrastructure, and budget to operate and meet its security objectives.

ISO 27001:2022 Control Attributes

Attribute                        | Value
---------------------------------|-------------------------------------------------------
Control Type                     | Administrative / Management
Information Security Properties  | Confidentiality, Integrity, Availability
Cybersecurity Concepts           | Support, Governance
Operational Capabilities         | Governance, Human Resource Security, Asset Management

Implementation Difficulty & Cost

Metric                     | Rating / Detail
---------------------------|--------------------------------------
Implementation Difficulty  | 2/5 (Low-Moderate)
Resource Cost              | Medium to High (Staffing & Tools)
Primary Owner              | CISO / Head of IT
Accountability Cascade     | Board → CEO → CISO → ISMS Team

ISO 27002 Control Guidance

The guidance for Clause 7.1 focuses on three distinct resource pillars: personnel, infrastructure, and finance. Organisations must first identify what they need to satisfy their specific risk profile. In my experience, this begins with a gap analysis between your current state and the requirements of the Statement of Applicability. You cannot provide resources if you do not understand the scale of the security debt you are carrying.

Personnel resources include both internal staff and external consultants. I often see firms rely too heavily on a single “Security Hero” who handles everything from firewall rules to policy drafting. ISO 27002 suggests that roles should be clearly defined and that staff must have sufficient time allocated to ISMS duties. If your security officer spends 90% of their day on helpdesk tickets, you have failed to provide adequate resources.

Infrastructure resources refer to the physical and digital tools required to maintain the ISMS. This includes secure office spaces, server rooms, and software platforms like Jira or SharePoint for document control. You must ensure that these tools are not just present but are actively maintained and funded. Finance is the final pillar, providing the budget for training, audits, and technical security controls.

The Auditor’s Eye: Avoiding the Resource Gap

When I audit Clause 7.1, I look for the “Resource Gap.” I start by reviewing your organisational chart and comparing it to your meeting minutes. If the CISO claims to manage 50 controls but has no budget for tools and no team to help, I dig deeper. I often perform a camera walkthrough or a log review to see who is actually doing the work. If all security logs show the same person’s credentials, it proves a lack of redundancy and inadequate resource planning. You must prove that your resource allocation is based on reality, not just wishful thinking on a spreadsheet.
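The log review described above can be scripted. The following is an added example, not code from the original guide: it parses a constructed sample of privileged-action audit lines (the `actor=`/`action=` line format and the user names are assumptions, not any real product's format), computes each actor's share of the work, and lists the actions that only one person has ever performed. A single dominant actor, or a long list of single-owner actions, is the "same person's credentials everywhere" finding the auditor is looking for.

```python
"""Actor-concentration check over security audit logs (added example).

Assumed log line format:  "<timestamp> actor=<user> action=<dotted.action>"
The sample lines and user names below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: eight privileged ISMS actions over one week.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z actor=jsmith action=firewall.rule.update
2024-03-04T10:02:44Z actor=jsmith action=policy.document.approve
2024-03-05T08:15:09Z actor=jsmith action=siem.alert.close
2024-03-05T11:40:32Z actor=jsmith action=firewall.rule.update
2024-03-06T14:05:10Z actor=apatel action=siem.alert.close
2024-03-07T09:30:00Z actor=jsmith action=backup.restore.test
2024-03-07T16:22:51Z actor=jsmith action=access.review.signoff
2024-03-08T09:01:17Z actor=jsmith action=siem.alert.close
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+actor=(?P<actor>\S+)\s+action=(?P<action>\S+)$")


def parse_log(text):
    """Return a list of (actor, action) pairs; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((match.group("actor"), match.group("action")))
    return events


def actor_concentration(events, threshold=0.8):
    """Summarise who actually does the ISMS work.

    Returns a dict with:
      share                 fraction of all events attributed to each actor
      dominant              the top actor if their share >= threshold, else None
      single_owner_actions  action -> the only actor who has ever performed it
    """
    if not events:
        return {"share": {}, "dominant": None, "single_owner_actions": {}}

    per_actor = Counter(actor for actor, _ in events)
    total = sum(per_actor.values())
    share = {actor: count / total for actor, count in per_actor.items()}
    top_actor, top_share = max(share.items(), key=lambda kv: kv[1])

    actors_by_action = defaultdict(set)
    for actor, action in events:
        actors_by_action[action].add(actor)
    single_owner = {
        action: next(iter(actors))
        for action, actors in actors_by_action.items()
        if len(actors) == 1
    }

    return {
        "share": share,
        "dominant": top_actor if top_share >= threshold else None,
        "single_owner_actions": single_owner,
    }


def report(text, threshold=0.8):
    """Human-readable summary for an audit working paper."""
    result = actor_concentration(parse_log(text), threshold)
    lines = [f"{actor}: {pct:.0%}" for actor, pct in sorted(result["share"].items())]
    if result["dominant"]:
        lines.append(f"FINDING: {result['dominant']} performs >= {threshold:.0%} of logged actions")
    for action, actor in sorted(result["single_owner_actions"].items()):
        lines.append(f"single owner: {action} -> {actor}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

With the constructed sample, one actor accounts for 87.5% of the logged actions and four of the five action types have only ever been performed by that person; only `siem.alert.close` has a second pair of hands. Run against a real export, the `threshold` should be set in line with what the organisation's own RACI matrix says the split of duties ought to be.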

10 Steps to Implement ISO 27001 Clause 7.1

  1. Conduct a Resource Gap Analysis

    Compare your current security capabilities against the ISO 27001 requirements. Identify missing skills, tools, or staff hours needed to run the ISMS. Document these findings in a SharePoint list to track your progress toward full resource compliance.

  2. Define the ISMS Budget

    Create a dedicated budget line for information security. This should cover software licenses, external audit fees, and emergency incident response funds. I look for a signed budget document from the CFO to prove management commitment.

  3. Appoint an ISMS Manager

    Designate a lead person responsible for the ISMS. Ensure their job description explicitly mentions ISO 27001 duties. Use Jira to track their time allocation if they hold multiple roles within the business.

  4. Establish an Internal Audit Team

    You need people to check your work. If you are a small team, consider using external consultants or training staff from other departments. This ensures the independence required for successful internal audits later in the cycle.

  5. Select Your Document Repository

    Choose a central tool like SharePoint or Confluence to host your ISMS documentation. Avoid scattered local folders or generic cloud drives. A structured repository is a vital infrastructure resource that proves your system is organised.

  6. Identify Technical Tooling Needs

    Determine which technical tools are required to enforce security. This might include Microsoft Intune for device management or a SIEM for log monitoring. Ensure these tools have assigned owners and valid support contracts.

  7. Map Roles and Responsibilities

    Create a RACI matrix (Responsible, Accountable, Consulted, Informed). Link every ISO 27001 control to a specific person or department. This prevents tasks from being missed due to “ownership ambiguity.”

  8. Secure Physical Infrastructure

    Verify that your physical office or data centre meets security needs. This includes lockable racks, CCTV, and backup power. I find that many firms forget to budget for physical maintenance until an auditor points it out.

  9. Formalise Outsourced Support

    If you use an MSP, ensure their contract specifies their role in your ISMS. You cannot outsource the accountability for Clause 7.1. You must show that you manage your vendors and provide them with the necessary information to help you.

  10. Review Resource Adequacy Annually

    Include a “Resource Review” as a permanent agenda item in your Management Review Meetings. Document the discussion regarding whether the current team and budget are sufficient. This record is the “Gold Standard” for evidence during a Stage 2 audit.

Requirements by Environment

  • The Office: Requires physical security resources like access control systems and shredding bins. Budget must cover the maintenance of these hardware items.
  • Remote/Home Working: Requires secure connectivity resources like VPNs and multi-factor authentication. You must provide helpdesk resources to support remote staff effectively.
  • Cloud Operations: Requires spend on SaaS security features and monitoring tools. Resources are often shifted from physical hardware to cloud licensing and configuration expertise.

The “Checkbox Compliance” Trap

Requirement             | SaaS Tool Trap                                   | Auditor Reality
------------------------|--------------------------------------------------|----------------------------------------------------------
Personnel Allocation    | The tool says “Role Assigned” in a dashboard.   | I check if the person actually knows they own the control.
Infrastructure Support  | Buying a tool and never configuring it.          | I look for logs showing the tool is actively utilised.
Budgetary Proof         | A generic “Security Budget” number.              | I ask to see specific invoices for ISMS training and audits.

10 Steps to Audit Clause 7.1 (Internal Audit Guide)

  1. Review the Org Chart: Verify that the security roles listed in the ISMS actually exist in the HR records.
  2. Check Job Descriptions: Ensure that key security staff have ISO 27001 responsibilities written into their contracts.
  3. Interview the CISO: Ask them directly if they feel they have enough time and money to do their job.
  4. Inspect the Budget: Look for evidence of spend on security training and external audit fees over the last 12 months.
  5. Sample Meeting Minutes: Search for discussions regarding resource shortages or requests for new headcount.
  6. Verify Tool Ownership: Pick a random security tool (e.g., Antivirus) and ask the owner to demonstrate a recent configuration change.
  7. Check Training Records: Ensure budget was allocated for staff to attend ISO 27001 awareness or lead implementer courses.
  8. Evaluate External Support: Review the Service Level Agreements (SLAs) for any outsourced security providers.
  9. Look for Redundancy: Ask what happens to the ISMS if the primary manager is on leave for a month.
  10. Assess Infrastructure Health: Check if server rooms or secure areas have received the maintenance they require.

Clause 7.1 Audit Evidence Checklist

Evidence Item            | Pass/Fail Criteria                                  | Owner
-------------------------|-----------------------------------------------------|------------
Signed Budget Approval   | Must show explicit spend for ISMS activities.       | CFO
ISMS Role Descriptions   | Must include specific security responsibilities.    | HR / CISO
Resource Review Minutes  | Must show management discussed resource adequacy.   | CISO
Software Licenses        | Must be current and cover all users in scope.       | IT Manager

Required Policy Content: A Lead Auditor’s Checklist

While Clause 7.1 doesn’t require a standalone “Resource Policy,” the following elements must be present across your ISMS documentation to satisfy an auditor:

  • Resource Allocation Statement: A high-level commitment in the Information Security Policy stating that management will provide necessary resources.
  • Role Definitions: Detailed sections in your Roles and Responsibilities document that define the time commitment required for security tasks.
  • Training & Competency Clause: A section defining how the organisation identifies resource gaps in staff knowledge and how it funds the training to fill them.
  • Infrastructure Maintenance Schedule: A documented plan for how physical and digital security infrastructure is kept in good working order.
  • Budgetary Review Cycle: A defined process for how the CISO requests additional funds based on the results of risk assessments.

What to Teach Employees

  • Resource Reporting: How to report when a security tool is failing or when they lack the time to follow a security process.
  • Tool Usage: How to use the provided infrastructure (VPN, MFA, SharePoint) correctly to protect information.
  • Ownership: Understanding who the “Resource Owners” are for different assets and how to contact them for support.

Enforcement and Consequences

Failure to provide resources is a direct violation of the standard and often leads to a Major Non-Conformity (NC). If management fails to fund the ISMS, the system will eventually fail. Personnel who neglect their assigned security roles due to “being too busy” must face the standard disciplinary path: Verbal Warning, followed by Written Warning, and eventually Termination if the risk remains unmitigated.

Common Implementation Challenges

Challenge                | Root Cause                                       | Solution
-------------------------|--------------------------------------------------|------------------------------------------------------------------------
Hidden Staff Costs       | Security tasks take longer than anticipated.     | Use Jira to track actual time spent on ISMS tasks for better planning.
Stagnant Budgets         | Management sees security as a one-time cost.     | Link budget requests directly to the findings of your latest Risk Assessment.
Single Point of Failure  | One person holds all the ISMS knowledge.         | Fund cross-training and keep documented procedures in Confluence.

Sample Statement of Applicability (SoA) Entry

“Clause 7.1 Resources is Applicable. The organisation provides the necessary personnel, infrastructure, and financial resources to operate the ISMS. Evidence is maintained through signed budget approvals, job descriptions, and Management Review minutes. This control is managed by the CISO and reviewed annually by the Board.”

Changes from ISO 27001:2013

ISO 27001:2013                | ISO 27001:2022
------------------------------|-------------------------------------------------------------
Clause 7.1 Resources          | Clause 7.1 Resources (Largely Unchanged)
Focus on “Establishment”      | Increased focus on “Continual Improvement” of resources.

How to Measure Effectiveness (KPIs)

  • Budget Variance: The difference between the planned security budget and the actual spend on ISMS improvements.
  • Staffing Ratio: The number of dedicated security hours available compared to the number of identified security tasks.
  • Infrastructure Uptime: The availability of core ISMS tools (e.g., SharePoint, Jira, SIEM) over a 12-month period.

ISO 27001 Clause 7.1 FAQ

Do I need a dedicated CISO for Clause 7.1?

Not necessarily. Small organisations can assign the role to an existing manager, provided they have sufficient time and the required skills to manage the ISMS effectively.

What counts as an “infrastructure” resource?

This includes your office space, server rooms, hardware, software platforms, and even the utilities like electricity and internet required to keep your systems running.

Can an auditor fail us if our budget is small?

An auditor won’t fail you for a small budget alone, but they will fail you if that small budget results in unmitigated risks or a failure to maintain the ISMS.

How do I prove management commitment to resources?

Signed meeting minutes where budget and staffing are discussed are the best evidence. Seeing a CFO’s signature on a security purchase order is also very persuasive.

Is outsourced IT considered a resource under Clause 7.1?

Yes. External consultants and MSPs are part of your personnel resources. You must document how you manage them and what specific ISMS tasks they perform.