Establishing an effective information security management system (ISMS) takes careful planning and dedicated resources. Many organisations struggle with Clause 7.1 of the ISO 27001 standard, which is about determining and providing the right level of resources.
In this post, we’ll break down everything you need to know about ISO 27001 Clause 7.1 on resources, including:
- What types of resources need to be considered
- Common resourcing mistakes and how to avoid them
- Key success factors for allocating the right resources
- Creative tips to get more value from limited budgets
Plus we’ll answer some frequently asked questions around resourcing an ISO 27001 ISMS.
If you’re just starting out on your ISO 27001 journey with limited budgets, or struggling to determine appropriate resourcing levels, this guide is for you. Let’s dive in!
What Resources Need to be Considered Under ISO 27001 Clause 7.1?
Clause 7.1 states that organisations shall “determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system”.
The standard does not list resource types, but in practice this breaks down into four:
💰 Financial Resources
Adequate funding needs to be allocated to support activities like:
- Initial gap assessments, consultancy and certification
- Ongoing internal/external audits
- Technology improvements like encryption, backups, malware protection etc.
- Managing incidents, vulnerabilities and improvements
- Awareness training and communications
Many organisations underestimate financial requirements. But sufficient budgets are crucial for long-term success.
🧑💻 Human Resources
The right people need adequate time to establish, maintain and improve the ISMS. This can include:
- A dedicated ISMS manager: To drive the programme and manage documentation, audits, training etc. Larger organisations may need multiple dedicated security staff.
- Project teams: Cross-functional groups drawn from IT, legal, HR etc. Project, steering and working groups will be needed periodically for risk assessments, implementing controls, managing incidents and similar work. These people need time allocated in their schedules, not just added to their existing workload.
- The wider organisation: All staff play a role in security and need time for training, reading policies and procedures, reporting issues etc.
Having the right people focusing the right proportion of their time is essential.
💾 Infrastructure & Tools
Technology infrastructure underpins effective security, like:
- Risk management platforms
- Encryption tools
- Backup & recovery systems
- Vulnerability scanners
- SIEM/log analysis tools
- Patch management software
- Secure file sharing/collaboration platforms
Choosing and maintaining robust tools aligned to programme objectives takes investment but pays dividends.
📚 Information & Knowledge
Finally, appropriate information and knowledge resources empower practitioners to make better security decisions, like:
- Standards, regulatory/legal information
- Cyber threat intelligence
- Training materials
- Documented policies, procedures and records
- Incident data
- Audit and performance reports
Timely, accurate information is the lifeblood of a well-run ISO 27001 ISMS: risk decisions are only as good as the threat, incident and audit data behind them.
🚨 Common Resourcing Mistakes to Avoid
Many organisations fail to adequately resource their ISO 27001 programmes. The most common mistakes include:
🙈 Underestimating Internal Effort
- Implementing and maintaining an ISMS is more work than most people expect. Organisations often try to fit it on top of people’s day jobs without adjusting other priorities. This leads to corners being cut and controls that are documented but never fully embedded.
💸 Focusing Too Much on Saving Money
- In the short-term it can seem expensive resourcing security properly. But this pales in comparison to the potential costs of incidents like ransomware, data breaches, and regulatory fines further down the line. View spending on robust security as an investment, not just a cost.
🤯 Neglecting the Wider Organisation
- ISMS managers often focus excessively on documentation and technology controls. But a large share of incidents start with a human action such as a phished credential or a misdirected email, so ongoing security and privacy training plus awareness-raising across the whole business is key. This takes time and repetition; a single annual session is not enough.
⚠️ Being Too Optimistic Around Timings
- Be realistic – things always take longer than expected when it comes to security programmes. Build in ample contingencies rather than aggressive ‘best-case’ estimates. Rushed programmes often end up with gaps being exploited later.
The key is to allocate sufficient people and time from the start, then layer technology on top of working processes rather than the other way round. Avoid cutting corners that could come back to haunt you when incidents strike further down the line.
✅ Key Success Factors for Optimal ISO 27001 Resourcing
So what helps get resourcing right when implementing and operating an ISO 27001 ISMS?
👪 Secure Executive Buy-In
Make sure senior leaders understand the value of robust information security and obtain their sponsorship. They set budgets and strategic priorities, so their buy-in ensures the ISMS gets adequate, ongoing resourcing focus.
💰 Take a Risk-Based Approach
Don’t blindly implement every Annex A control; instead run a pragmatic risk assessment to identify the key threats and proportionate controls. This focuses resources on major risks rather than trying to eliminate every minor issue. Document the justification for excluding less relevant controls in your Statement of Applicability, as auditors will ask for it.
📅 Plan a Phased Journey
Stage the implementation in manageable chunks over a few months or a year, scaling up resourcing as the foundations solidify. For example, start with policies and basic controls, move onto higher risk areas like cloud assets later.
🧮 Track Costs and Benefits
Collect data on spend as well as the value derived to justify budgets. Metrics like avoided fines and reduced insurance premiums help make the ROI case, but be careful with “prevented losses”, which are counterfactual and hard to evidence. Pair them with measurable operational indicators such as incident counts, time to patch critical vulnerabilities and audit findings closed. Tracking spend also helps identify waste to cut.
🤝 Collaborate Across Functions
Leverage expertise and effort from IT, HR, legal, facilities management and business units. Shared security accountabilities foster buy-in rather than the ISMS being an isolated function. Actively gather input on controls and processes to suit wider needs.
💡 Take an Innovative Approach
Get creative in tapping budgets and resources beyond the security function e.g. leverage other digital transformation initiatives to jointly fund tools and services. Make use of free awareness materials from government and non-profits to supplement custom-built content.
Careful planning, governance and collaboration enables organisations to resource ISO 27001 programmes effectively without breaking the bank. Keep requirements under ongoing review and adjust budgets based on emerging priorities. This develops a sustainable model delivering continual security improvements.
Key Points Summary
- Clause 7.1 of ISO 27001 requires organisations to determine and provide the resources needed to establish, implement, maintain and continually improve the ISMS
- Financial, human, infrastructure and knowledge resources all need consideration
- Common resourcing mistakes include underestimating workloads and focusing too much on cost cutting rather than risk reduction
- Taking a phased, risk-based approach with active business engagement enables more optimal resourcing