ISO27001:2013 clause 7 is all about Support: what do you need, what have you got, does everyone know what they should be doing, have you documented it, and a few other things besides. In this post we are going to cover the first two clauses, clause 7.1 Resources and clause 7.2 Competence, because we think they pretty much go hand in hand; hopefully you will see why as you read through.
"The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continuous improvement of the information security management system"
The key part there is that you need to determine and provide the resources, which means you need to sit down as a leadership team, and then as a larger team, and figure out what resources you need. Resources is the big bucket that covers people, equipment, buildings, processes, systems, software and anything else. Step 1 is to figure out what you will need to do it properly for your organisation, and then make sure that those resources are available when they need to be. Making a list of what you need and then not providing it seems like a less than smart thing, but many companies do exactly that, then wonder why they fail and suffer information security breaches.
Remember that the resources need to be identified and provided for each of the stages of the Information Security Management System life cycle:
It may be that the resources you need for each step are different: they may taper off after the implementation, or spike after a review or an audit. As a leadership team you need to keep this in mind when you are determining your resources.
How often has your organisation given someone a role or responsibility to do something that they are just not competent to do? That is not meant as an insult; what we mean is that they do not have the qualifications, the skills or the past experience to realistically be able to do that job, or the ability to apply that knowledge and past experience. The answer, unfortunately, is probably quite often: companies pick the person with the lightest workload or the one standing still at the wrong time. You can't do that, and clause 7.2 of ISO27001 for information security makes that pretty clear.
The standard requires you to assess personnel competency in terms of the information security management system and the work that they are doing. You should not have someone who is not competent doing the work, which really, when you think about it, makes sense. That competency is not just about actually doing the work; those supervising, controlling or consulting on it also need to be competent. Where you don't have the required competence you need to acquire it, i.e. you need to hire a permanent employee, a contractor or a consultant to help, but ensure that they are competent!
In terms of your information security management system, this competence requirement doesn't stop once you have implemented it either; you will need to provide training to the people who will be involved in both implementing and working with your ISO27001 system. It's best to do this as you go along with the implementation if you are starting from scratch; if you have an existing system and someone new joins, then you need a training plan for them to get up to speed on your system. As you go through this training, small tests will create the proof that people have the understanding that builds competence in the system. Don't make them big, heavy, serious tests; keep it light and enjoyable. Pop quizzes or lunchtime competitions with pizza are always good.
Like any training, you should look at where you believe the gaps are, so how do you do this? Well, the trusty old skills matrix is really hard to beat here. On one axis your matrix lists all the skills you will need in order to ensure your system delivers, both in terms of the Information Security Management System directly and in terms of the skills required to deliver your products or services at the level your customers require. On the other axis you want all of your team, but here is a really helpful hint: include the position in there as well. Over time the names will change but the positions probably won't, so the matrix remains correct in terms of what skills are required per position at all times, and as new people fill the roles it becomes easy to see the gaps.
From this you now have a gap analysis of the skills within your organisation, and so of where you need to carry out further training.
You should remember that people joining or already in your organisation come with pre-existing skills from previous training, courses and experience; these need to be incorporated into your skills matrix as well. It's not uncommon for this previous knowledge to be ignored, which is a huge loss to both the organisation and the individual.
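The skills matrix and gap analysis described above, as an added Python example (this is not code from the article or from Many Caps; the positions, skills and people are constructed sample data). Requirements are keyed by position rather than by name, so the matrix stays valid as people change roles, and pre-existing skills from earlier training can be folded in before the gaps are recalculated:

```python
"""Skills matrix keyed by position, with a per-person and per-position gap analysis.

Added illustration of the matrix described in the article; not the article's own
tooling. Positions, skill names and people below are constructed sample data.
"""
from dataclasses import dataclass, field

# One axis of the matrix: the skills each position requires.  Positions outlive
# the people who fill them, so requirements are keyed by position, not by name.
REQUIRED_BY_POSITION = {
    "ISMS Manager": {"risk assessment", "internal auditing", "incident response"},
    "Sysadmin": {"access control", "backup & restore", "incident response"},
    "Developer": {"secure coding", "access control"},
}


@dataclass
class Person:
    """The other axis: a team member, the position they hold, and the skills
    they can evidence (training records, certificates, prior courses)."""
    name: str
    position: str
    skills: set = field(default_factory=set)


def person_gaps(person, required_by_position=REQUIRED_BY_POSITION):
    """Skills the person's position requires that they cannot yet evidence."""
    required = required_by_position.get(person.position, set())
    return sorted(required - person.skills)


def matrix_gaps(people, required_by_position=REQUIRED_BY_POSITION):
    """Gap analysis across the whole matrix.

    Returns (per_person, uncovered): per_person maps each name to the skills
    they are missing for their position (a training need), and uncovered lists
    (position, skill) pairs that nobody holding that position can evidence,
    i.e. the gaps the organisation must close by training, hiring or contracting.
    """
    per_person = {p.name: person_gaps(p, required_by_position) for p in people}
    uncovered = []
    for position, required in required_by_position.items():
        holders = [p for p in people if p.position == position]
        for skill in sorted(required):
            if not any(skill in p.skills for p in holders):
                uncovered.append((position, skill))
    return per_person, uncovered


def add_prior_skills(person, evidenced):
    """Record skills from previous training or experience instead of ignoring them."""
    person.skills |= set(evidenced)
    return person


# Constructed sample team: two people share the Sysadmin position, so a skill
# one of them lacks is still covered at position level if the other has it.
TEAM = [
    Person("Alice", "ISMS Manager", {"risk assessment", "internal auditing"}),
    Person("Bob", "Sysadmin", {"access control", "backup & restore"}),
    Person("Dana", "Sysadmin", {"incident response", "backup & restore"}),
    Person("Chen", "Developer", {"secure coding"}),
]

if __name__ == "__main__":
    per_person, uncovered = matrix_gaps(TEAM)
    for name, missing in per_person.items():
        print(f"{name}: needs {missing or 'nothing'}")
    print("Position-level gaps:", uncovered)
    # Chen's records show an earlier access-control course: fold it in and re-run.
    add_prior_skills(TEAM[3], {"access control"})
    print("After recording prior training:", matrix_gaps(TEAM)[1])
```

The two outputs answer different questions: the per-person list drives individual training plans, while the position-level list shows where the organisation as a whole has no competent person and must train, hire or contract in.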
Now that you have the gap analysis, you need to take the required steps to close your gaps. Here you have a number of valid options: you can train internally or externally, you can of course hire new people, or you can contract in that expertise where appropriate. Our Virtual Information Security Management service would be a typical example of this step.
As part of ISO27001 clause 7.2 Competence you need to maintain appropriate documentation to demonstrate that you have a basis for your claimed level of competence. This is typically where you need a really clear set of training records that are easily reviewed, tracked and updated. You need to maintain this for your own employees, but also for any contractors or consultants you use.
Paper systems can of course work, but as you become a larger organisation it gets harder, so having a proper management system is hugely beneficial. The HR module of the Mango QHSE system covers this section and has e-Learning and Assessment modules that let you create internal training and exams, which are of course tracked automatically back to your employee, making meeting this requirement simple.
So, there you have it: ISO27001 clause 7.1 Resources and clause 7.2 Competence laid out for you. If I were to summarise it, here is the list:
© Many Caps Consulting | All Rights Reserved