ISO 27001 Clause 7

ISO 27001 clause 7 Support

ISO 27001 clause 7 is called “Support” — this clause defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.

This clause is important because it defines non-security activities that are crucial for the success of security.

Clause 7 has five sub-clauses:

  • Clause 7.1 — Resources — it requires that resources required by the ISMS must be defined and made available, in order to achieve security objectives and show continual improvement.
  • Clause 7.2 — Competence — it requires that companies define which knowledge and skills people need in order to perform the activities defined by the ISMS. When existing competence is not enough, training must be defined and delivered, and its effectiveness must be measured to ensure that the required level of competence is actually achieved.
  • Clause 7.3 — Awareness — it requires that people be made aware of the information security policy and its contents, how their personal performance contributes to the ISMS and its objectives, and what implications nonconformities may have for the ISMS.
  • Clause 7.4 — Communication — it requires defining which internal and external communication is needed for the ISMS, considering what needs to be communicated, by whom, when it should be done, and who needs to receive the communication.
  • Clause 7.5 — Documented information — it requires that documented information (i.e., documents and records) is created and updated so that it is clearly identified, properly formatted, reviewed, and approved. An organization must control its documents and records so that they are fit for use where and when needed, and are protected against damage or loss of integrity and identity — this includes the control of distribution, retention, access, usage, retrieval, preservation and storage, and disposition.