
ISO27001 and the Resources and Competence Requirements

ISO27001:2013 clause 7 is all about Support: what do you need, what have you got, does everyone know what they should be doing, have you documented it, and a few other things besides. In this post we are going to cover the first two clauses, clause 7.1 Resources and clause 7.2 Competence, because we think they pretty much go hand in hand. Hopefully you will see why as you read through.

Clause 7.1 Resources

This is a great example of ISO creating a really short 1 sentence clause (yes 1!) that actually means a heck of a lot if you just have a think about it. Here is what it says:

"The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continuous improvement of the information security management system"

The key part there is that you need to determine & provide the resources – which means you need to sit down as a leadership team, and then as a larger team, and figure out what resources you need. Resources is the big bucket that covers people, equipment, buildings, processes, systems, software, and anything else. Step 1 is to figure out what you will need to do it properly for your organisation, and then make sure that those resources are available when they need to be. Making a list of what you need and then not providing it seems like a less than smart thing, but many companies do that, then wonder why they fail and suffer information security breaches.

Remember that the resources need to be identified and provided for each of the stages of the Information Security Management System life cycle:

  1. Establishment – so the initial figuring out and creating it
  2. Implementation – rolling it throughout your organisation
  3. Maintaining it – keeping it alive, updating, and fixing things
  4. Continuously Improving it – which would typically be outputs from your ongoing reviews, audits, employee, or external suggestions which need to be implemented and communicated.

It may be that the resources you need for each step here are different: they may taper off after the implementation, or they may spike after a review or an audit. As a leadership team you need to keep this in mind when you are determining your resources.

Clause 7.2 Competence

How often has your organisation given someone a role or responsibility to do something that they are just not competent to do? That is not meant as an insult; what we mean is that they do not have the qualifications, the skills or the past experience to realistically be able to do that job. Do they have the ability to apply this knowledge and / or past experience? The answer, unfortunately, is probably quite often; companies pick the person with the lightest workload or the one standing still at the wrong time. You can't do that, and clause 7.2 of ISO27001 for information security makes that pretty clear.

The standard requires you to assess personnel competency in terms of the information security management system and the work that they are doing. You should not have someone who is not competent doing the work, which really, when you think about it, makes sense. That competency is not just about actually doing the work; those supervising, controlling or consulting on it also need to be competent. Where you don't have the required competence you need to acquire it, i.e. you need to hire a permanent employee, a contractor or a consultant to help, but ensure that they are competent!

In terms of your information security management system this competence requirement doesn't stop once you have implemented it either. You will need to provide training to people who will be involved in both implementing and working with your ISO27001 system. It's best to do this as you go along with the implementation if you are starting from scratch. If you have an existing system and someone new joins, then you need a training plan for them to get up to speed on your system. As you go through this training, small tests will create the proof that people have the understanding that will help build the competence in the system. Don't make them big heavy serious tests; keep it light & enjoyable – pop quizzes or lunchtime competitions with pizza are always good.

Like any training, you should look at where you believe the gaps are, so how do you do this? Well, the trusty old skills matrix is really hard to beat here. On one axis your matrix lists all the skills that you will need to have to ensure your quality system delivers, both in terms of the Information Security Management System directly and in terms of the skills required to deliver your products or services at the level your customers require. On the other axis you want all of your team, but here is a really helpful hint: include the position in there as well. Over time the names will change but the positions probably won't, so the matrix remains correct in terms of what skills are required per position at all times, and as new people fill the roles it becomes easy to see the gaps.

Here's an Example of a Skills Matrix

From this you can now have a gap analysis of your skills within the organisation and so see where you need to carry out further training.

You should remember that people joining or existing in your organisation come with pre-existing skills from previous training, courses and experience; these need to be incorporated into your skills matrix as well. It's not uncommon for this previous knowledge to be ignored, which is a huge loss to the organisation and the individual.

Now that you have the gap analysis you need to take the required steps to close your gaps. Here you have a number of valid options: you can train internally or externally for it, you can of course hire new people, or you can contract in that expertise where appropriate. Our Virtual Information Security Management service would be a typical example of this step.

Have The Documentation

As part of ISO27001 clause 7.2 for Competence you need to maintain appropriate documentation to demonstrate you have a basis for your claimed level of competence. This is typically where you need a really clear set of training records that are easily reviewed, tracked and updated. You need to maintain this for your own employees but also for any contractors or consultants you use as well.

Paper systems can of course work, but as you become a larger organisation it gets harder, so having a proper management system is hugely beneficial. The HR module of the Mango QHSE system covers this section and has e-Learning and Assessment modules which would let you create internal training and exams, which of course are tracked automatically back to your employee, making meeting this requirement simple.


So, there you have it: ISO27001 clause 7.1 Resources and clause 7.2 Competence laid out for you. If I were to summarise it, here is the list:

  1. Figure out the resources that you will need for the lifecycle of the Information Security Management System, from establishment to implementation to maintenance and of course to support continuous improvement.
  2. Ensure those resources have the competence to do the work assigned. Train them where you need to for the roles that people will have.
  3. Where you do not have the resources in house, go get them, but ensure they are competent.
  4. Keep track of all training and documentation you have used to determine the level of competence of each person.

Ready To Start Your ISO27001 Journey?

Make a booking now and find out how we can help you Make Things, Better


© Many Caps Consulting | All Rights Reserved

Wednesday, 02 December 2020
