Resources for ISO 27001 Information Security

ISO 27001 Clause 7.1

This sub-clause requires the organisation to determine and provide the resources needed to establish, implement, maintain and continually improve the ISMS.

ISO 27001 Clause 7.1 - Resources

Clause 7.1 is short and broad. It asks the organisation to make sure the information security management system has what it needs to operate. The standard does not specify what those resources are - that is for the organisation to decide based on its scope, its risks and the controls it has chosen to apply.

What ISO 27001 Clause 7.1 Requires

The organisation must determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS. The clause has no documentation requirement of its own. Evidence of compliance comes from the resources actually being in place and from the absence of signs elsewhere in the system that the organisation is under-resourced.

Resources for an ISMS typically include people with the right skills, time allocated to information security activities, technology to support the controls, financial budget to fund the work, and access to external expertise where needed. The mix is for the organisation to decide.

How Clause 7.1 Connects to Other Clauses

The resourcing decisions made under Clause 7.1 support compliance with most other clauses. Without enough trained people, Clause 7.2 Competence cannot be met. Without time for awareness activities, Clause 7.3 Awareness fails. Without budget for the controls identified in the risk treatment plan, Clause 6.1.3 falls behind. The resourcing question runs throughout the system.

The management review is the main place where resource adequacy is assessed. Top management reviews how the ISMS is performing, looks at where it is struggling, and decides what additional resource is needed.

Most organisations under-resource the management system at the start. They underestimate how long the documentation, the audits and the management review actually take. The management review is the place to flag this honestly. Top management would rather hear about resource gaps now than discover them at the certification audit.

I do not audit Clause 7.1 directly very often. I audit it indirectly, through the rest of the system. If competence is weak, awareness is patchy, audits are missing and treatments are stalled, then resource provision is the underlying issue. The fix is at the top, not at the symptom.

Practical Compliance Guidance

Resource provision is a top management responsibility under Clause 5.1. The management review under Clause 9.3 is the formal forum where resource adequacy is reviewed.

The documents below support the planning and review of resources for the information security management system.

alphaZ document | How to use it
ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022, including the management review and objectives templates that support resource planning.
F-Q3 Management Review | Management review template where resource adequacy is reviewed and resource decisions are recorded.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does Clause 7.1 require resource planning to be documented?
No. The clause requires resources to be provided, not for the planning of them to be documented separately. Evidence usually comes from the management review records, the budget documents and the resource decisions visible across the rest of the system.

What resources does Clause 7.1 cover?
All resources needed for the ISMS - people, skills, time, technology, budget and external expertise. The organisation determines what mix is appropriate for its scope, risks and chosen controls.

UK Legislation

No UK legislation directly governs resource provision for an information security management system.
