ISO 27001 Information Security Management Standard - Clauses 7.1, 7.2, 7.3, 7.4

Posted by Craig Thornton

Part 19 - Clauses 7.1 – 7.4 Resources, Competence, Awareness, Communication

In this blog I’m combining the Resources, Competence, Awareness and Communication clauses. These really do go hand in hand with each other.

Keep these questions in the back of your mind as we go:

  • Do you have what’s needed?
  • Are the right people dealing with it?
  • Do you know why it needs to be done?
  • Are the appropriate people being told the necessary information?

I’d say these are pretty standard questions for any business or organisation regardless of whether or not they happen to be seeking a certification.

Conceptual digital image of lock on circuit background

Let’s start with 7.1 Resources.

No secrecy around this one, the standard keeps it short and to the point with just the two lines.

The organisation must identify and provide any and all resources required to establish and appropriately maintain the Information Security Management System (ISMS).

There are 5 key tasks when it comes to your resources –

  1. Estimate what is required.
  2. Acquire what is needed
  3. Provide what is needed
  4. Maintain what is required
  5. Review progress

Follow these 5 steps and you can’t go wrong!

However, resources is a broad term; and there can be quite a few categories that you’ll need to turn your mind to particularly when you are at the beginning stage of the ISO 27001 journey. For instance, resources could refer to ensuring that you’ve got enough competent staff available to carry out the activities required as part of your ISMS, and that they do it in a timely matter. That’s right – time is also a resource and needs to be considered in line with the above 5 steps the same as any other.

At Mango we met this clause (as all others) just by going about our everyday business routine. We use the Plant/Equipment module to manage any equipment or tools that relate to employees and/or the workplace. This is a one stop shop that let’s us see at a glance, what we currently have, any associated records, who it’s assigned to and if applicable when it needs to be reviewed and/or replaced.

As for managing others such as people and time, we would do in combination of our Human Resources module and our monthly management and operations meetings. The agenda are set so at these meetings we’ll discuss current and upcoming projects, who these are assigned to, the deadline set for this work to be completed by and if there are any additional resources required in order to achieve this.

The next clause is 7.2 Competence.

Again, this is fairly straightforward. The organisation needs to determine which competencies a staff member must have in order to carry out work that affects the ISMS and then ensure that the employee has them.  If they don’t, how do you expect them to gain these? And how will you measure their success?

At Mango we use a skills matrix in the Human Resources module to manage and track much of the above – to read about how we set this up – check out How to Implement a QMS and Achieve ISO 9001 Certification Part 17

Once established it’s important that you maintain the skills matrix, update information where training has been undertaken, add new skill requirements if needed and always keep an eye out for any gaps!

Note that competency doesn’t only relate to certificates, so long as it’s properly documented then past experience and other various forms of knowledge gathering can be taken into consideration. It may be helpful to note that you can use ‘wisdom’ in relation to determining competence.

This applies too if you needed to temporarily fill a role, maybe via an external contractor – you’ll need to give them the same considerations and fully document how they meet the ISMS requirements.

Moving along to clause 7.3 Awareness.

In my view awareness is so closely tied in with competence that if you’re doing 7.2 right, you should almost be able to tick this one off too, it all comes down to growing an employee’s knowledge.

There are though just a couple of little extras in this clause to be mindful of –

The organisations employees shall be aware of the functions that relate to the ISMS and how their role directly impacts on these - nothing too mysterious so far right?

But let’s take it just a bit further.

The employee needs to have an understanding as to why improved information security is a good thing AND, they also need to know about the possible consequences of not complying with the ISMS requirements.

It’s not that every employee needs to be able to recount the information security policy word for word, so long as staff understand their responsibilities and how their role fits within the organisation.

Meeting the requirements of this clause can be done fairly easily via methods that your possibly already using, such as:

  • Having written/documented policies and procedures that are easily available
  • Ensuring that the induction of new employees (or existing employees undertaking new responsibilities) touches on their requirements as outlined above
  • Conducting regular meetings, i.e. Annual review, monthly all teams’ meetings, weekly catch ups etc.

Lastly, we come to 7.4 Communication.

The clause states “The organisation shall determine the need for internal and external communications relevant to the ISMS including:

  • What to communicate;
  • When to communicate;
  • With whom to communicate;
  • Who shall communicate; and
  • The processes by which communication shall be effected.

OK, that doesn’t seem too difficult – communicating is pretty fundamental to any organisation and there’s a good chance that as you read this you’re nodding; happy in the knowledge that you’re already doing this.

Here at Mango we’ve documented a procedure which outlines the different forms of communication, i.e. formal or informal meetings, what we would expect to be discussed (you could use agenda templates as a prompt for the more formalised meetings) and who the communications should be sent to.

Once we’ve held a meeting or catch up then where appropriate a record of this is added to the employees’ profile in Mango as a skill. Three birds with one stone, communication which increases both competency and awareness...Nice!

 

Takeaways

Here is a list of takeaways that will help you achieve these clauses:

  1. Check that you have all the resources needed for your ISMS.
  2. Ensure that there is a plan/process to acquire, provide, maintain and review these resources.
  3. Establish the competencies for each role within the ISMS – then either give the role to someone who is competent or create a plan for the person to gain the necessary competency. It’s a good idea to document the reasoning behind your decisions.
  4. Verify that staff know what the Information Security Policy is, how their role fits into it and the pros and cons of following or not following the requirements
  5. Create a plan which covers the different communication channels (internal vs external) related to the ISMS. Include which content needs to be communicated (security policies, objectives etc.), frequency, any classification needs (i.e. Confidential) and of course establish who is responsible for distributing and managing this.

View previous blogs in this series "How to Implement a QMS and Achieve ISO 9001 Certification":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents

ISO 27001 Information Security Management Standard: Principle 9 - Ensuring a comprehensive approach to information security management 

 ISO 27001 Information Security Management Standard: Principle 10 - Continual reassessment of information security and making of modifications as appropriate

ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013 

ISO 27001 Information Security Management Standard: Clause 5.1 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 5.2 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 5.3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 6.1 of ISO 27001:2013

Tags: Cybersecurity, ISO 27001, information security, ISO 27001 Certification