A requirement of ISO 27001 is to provide an adequate level of resource into the establishment, implementation, maintenance and continual improvement of the information security management system.

As described before with the leadership resources in clause 5.3, ISO IEC 27001 does not actually mandate that the ISMS has to be staffed by full time resources, just that the roles, responsibilities and authorities are clearly defined and owned - assuming that the right level of resource will be applied as required.

It is the same with clause 7.1, which acts as the summary point of 'resources' commitment which are then more fully described with requirements in:

• 7.2 - Competence of the support resources for ISO 27001
• 7.3 - Awareness of the people doing the work for the ISMS to meet ISO 27001
• 7.4 - Communication about the ISMS to the interested parties internally and externally about the ISMS
• 7.5 - Documented information about the ISMS to demonstrate it conforms to the ISO 27001 standard. It is also worth remembering that Annex A 5 dovetails into this requirement nicely too, so when building out the ISMS responsibilities each of those controls could be considered at the same time.

Planning resources and considering staffing requirements for ISO 27001 clause 7

As can be seen just from the references above, ISO drops in resource requirements across a number of different angles so it is easy to get confused about the level of investment in physical resources.

Viewing all of the people oriented requirements for implementing and running the ISMS makes sense, then the organisation can consider the capacity, confidence and capability of the people involved to do the work.

Some of the resources may need to be more committed in time than others, for example legal and HR skills are important for some aspects of the ISMS during its implementation and reviews of risks, policies from time to time, but not the general ongoing administration and management.

There are many ISO 27001 information security training courses, and ISO 27001 lead auditor, ISO 27001 implementation and many other courses out there that can build confidence and capability. However our experience suggests that whilst they can sometimes be helpful, they don't always deliver a return on investment and could be problematic too.

Depending on the trainer the course might also teach old ways of working, impress counter cultural practices that won't work for your organisation and can mean taking valuable time out for learning some things are pretty darn obvious when you start the implementation!

ISMS implementations to meet certification for ISO 27001 are far easier with an application that helps guide delivery, offers a map of what needs to get done and where progress is being made.

Working on an early morning, lunchtime or weekend to get something done - no problem, the Virtual Coach is inside the platform whilst you are considering that issue and that coupled with the tips, documentation to adopt, adapt and add to, as well as the easy to use technology solution itself, you'll need less support resource than you had imagined.