ISO 27001 Section 7.1 - Resources
ISO 27001 requires the organisation to determine and provide the resources needed to establish, implement, maintain and continually improve its information security management system (ISMS). Resources here means more than budget: it includes people with the right skills, time allocated to them, and the tools and infrastructure the ISMS depends on. Auditors will expect to see evidence that this need was considered, for example in management review minutes or a resourcing plan, not just a statement that resources are "adequate".
ISO 27001 Section 7.2 - Competence
The aim here is to demonstrate an adequate and proportionate level of information security knowledge and competence among the people whose work affects the organisation's information security performance. These can be internal or external resources, for example an information security advisor engaged by the company for a short period of time.
First identify the competence the organisation requires for each role that affects the ISMS, agree what counts as adequate, and then assess the individuals involved against that requirement. Where there are gaps, decide how to close them.
The organisation should commit to providing training, education or mentoring (or, where appropriate, reassigning or recruiting) for any individual tasked with maintaining information security, and should retain documented evidence of competence, such as training records, certifications or relevant experience, because the standard requires that evidence to be available.
ISO 27001 Section 7.3 - Awareness
Awareness is not limited to the person responsible for managing the information security management system: everyone doing work under the organisation's control, including contractors and temporary staff, needs to be aware of the policies and controls that apply to them. For each of these people, ask:
- Have they read and understood the organisation's information security policy?
- Do they understand how their own work contributes to the effectiveness of the ISMS, including the benefits of improved information security performance?
- Do they understand the implications of not conforming with the ISMS requirements, for the organisation and for themselves?
ISO 27001 Section 7.4 - Communication
The organisation should determine what internal and external communication is relevant to the information security management system and have a plan in place for it; this could include communicating the benefits of using an ISMS to staff, or notifying customers, regulators and suppliers of security-relevant changes and incidents. A formal process of communication should be agreed and documented.
The process could include the following:
- what will be communicated;
- when it will be communicated;
- with whom;
- who shall own the communication; and
- how it will be communicated, i.e. the process by which the communication is carried out.