ISO 27001 clause 7.1 Resources

The basics

ISO 27001 sub-clause 7.1 is called “Resources”: it requires that the resources the ISMS needs be determined and made available, so that the security objectives can be achieved and continual improvement can be demonstrated.

Documentation

ISO 27001 clause 7.1 Resources does not require writing any documents.

The following document is not mandatory, and companies can decide whether to write it:
– Approved resources for the ISMS

Implementation

To comply with clause 7.1 Resources, companies can follow these steps:

  1. Analyze what kind of implementation is planned.
  2. Agree with stakeholders what kind of resources will be needed for the planned implementation.
  3. Define who is in charge of providing these resources.
  4. Get a formal approval for these resources from the top management.

The easiest way to plan changes is through the Risk Treatment Plan – this document is mandatory, and it must define how to implement controls, with which resources, and who is in charge.

Audit evidence

During the audit, an auditor might ask for the following evidence related to the provision of resources needed for the ISMS:

  • Whether there are dedicated people for the ISMS implementation and maintenance.
  • Whether enough time is allocated for relevant information security activities.
  • Whether there is enough equipment, tools, knowledge, and know-how.
  • Whether the budget is big enough.