How to demonstrate resource provision in ISO 27001

The availability of resources is a critical point in any endeavor. You can have the best ideas and the best intentions, but if you lack resources you are doomed to failure.

So, it may seem strange that ISO 27001, the leading ISO standard for implementation of Information Security Management Systems, dedicates in its resource clause only two lines, totaling 23 words, to deal with such a critical subject.

But, appearances may be deceiving. In fact, resource provision requirements are spread all throughout the standard, and this article will show you where to look and what to do to ensure these resources are available to help your ISMS protect the information under your organization’s responsibility.

ISO 27001 resources clause and examples

Regarding resources, ISO 27001 clause 7.1 requires the definition and provision of what is needed for an ISMS life cycle, from its implementation to its continual improvement. But, what is needed? Since this standard makes use of the process approach, you can think of resources in terms of:

  • capital: There is no security for free; investments will need to be made.
  • facilities: An organization’s physical environment needs to be prepared to offer security levels proportional to the risk an organization is exposed to.
  • equipment: Equipment support can provide better defenses, and detection and reaction capabilities, enhancing security levels.
  • people: While security for the majority of an organization’s employees will be a tool to achieve their business objectives, you will need to consider people to assume responsibilities to take care of that tool. Please note that this is different from clause 7.2 (competence), because that one is related to levels of skill, education, or experience required for proper security, and not the number of people needed.

With these examples in mind, we are now prepared to identify where in the standard resources are required.

Organizational roles, responsibilities, and authorities

Through clause 5.3 an organization formally designates people (e.g., CISO, system administrator, etc.) who will have to think, plan, and act to ensure information security is implemented as required and is achieving the expected outcomes. For more information, see: How to document roles and responsibilities according to ISO 27001 and What is the job of Chief Information Security Officer (CISO) in ISO 27001?

Risk treatment plans

Clause 6.1.3 e) requires that for the risks deemed unacceptable, treatment plans must be formulated, basically defining which security controls you need to implement, who is responsible for them, what are the deadlines, and which resources are required. And, while controls like clear desk and clear screen will rely mostly on policy definition and training efforts, controls involving access control and backup will also require equipment and facilities. For more information, see: Risk Treatment Plan and risk treatment process – What’s the difference?

Plans to achieve information security objectives

While the plans mentioned in the previous section specifically cover how to bring risks to acceptable levels, plans to achieve information security objectives defined in clause 6.2 also define the provision of resources required by the ISMS to fulfill information security requirements (e.g., contractual clauses), as well as to support other organizational decisions incorporated into the information security policy (e.g., business strategic objective to compete in a new market). For more information, see: ISO 27001 control objectives – Why are they important?

Resources for performance evaluation

Clauses 9.1 and 9.2 require resources to be defined for the measurement, monitoring, analysis, and evaluation of the controls’ effectiveness, as well as for performing audits for impartial verification of implementation and maintenance of the ISMS in compliance with the standard’s and the organization’s requirements. For more information, see: How to perform monitoring and measurement in ISO 27001 and How to prepare for an ISO 27001 internal audit.

Treatment of nonconformities, corrective actions, and opportunities for improvement

And, finally, if anything goes differently from what is expected, or can be done faster, cheaper, or with more added value to the business, clauses 10.1 and 10.2 require that resources must be identified and provided so that problems are solved and bad things cannot occur again – or that opportunities can be harnessed, increasing business results. For more information, see: Practical use of corrective actions for ISO 27001 and ISO 22301.

General view of resource planning

As you saw, resource planning is performed in many phases of the ISMS life cycle, for different purposes, at different times, and probably by different people, so it is important for you to be able to track all of these plans to ensure that resources are not under- or over-allocated.

There are at least three methods you should consider:

  1. All individual plans are available to the person responsible for keeping track of resource usage.
  2. Information about plan resources is compiled in a single general resource plan.
  3. Information about plan resources is compiled in separate resource plans, considering each type of resource.

The decision about which solution would be better will depend on the volume of plans you will have to handle and the organizational needs for resource allocation information.

Plan your resources for a safe journey

Resources are not endless, so decisions about them are always trade-offs between what you expect to gain and what you expect to lose. The problem is that in most cases, organizations do not have all the information they need about the resources to be spent to achieve the intended outcomes, and they may end up winning the battle, only to lose the war.

At first sight, ISO 27001 seems to not provide sufficient information about the resources required to implement, operate, maintain, and improve an Information Security Management System, but this is only an impression. As we presented in this article, this standard presents how resources to protect information should be considered during all phases of the ISMS life cycle – and, by knowing where to look, you can be prepared to ensure that your ISMS is fully prepared to fulfill its objectives and improve business results.

Use this free online training  ISO 27001:2013 Foundations Course to learn more about resource requirements, and steps in the implementation.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.