Clause 7 concerns itself with resources. This applies to people, infrastructure, and the environment as much as physical resources, materials, tools, etc. This Clause is all about getting the right resources, the right people, and the right infrastructure in place to establish, implement, maintain and continually improve the ISMS. It deals with requirements for competence, awareness, and communications to support the ISMS and it could include making training and personnel available, for example. This clause also requires all personnel working under an organization’s control to be aware of the information security policy, how they contribute to its effectiveness, and the implications of not conforming. The organization also needs to ensure that internal and external communications relevant to information security and the ISMS are appropriately communicated. This includes identifying what needs to be communicated to whom, when, and how this is delivered.
It’s in this clause that the term “documented information” is referenced. Organizations need to determine the level of documented information that’s necessary to control the ISMS. There is also an emphasis on controlling access to documented information, which reflects the importance of information security. There is also a renewed focus on knowledge as a significant resource within your organization. When planning your quality objectives, a major consideration will be the current capacity and capability of your resources as well as those you may need to source from external suppliers/partners. This clause of the standard provides the requirements supporting the establishment and operations of an ISMS. Included in Clause 7 are:
7.1 Resources required to establish and operate an ISMS
7.5 Documented Information
The organization must determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the information security management system.
Clause 7.1 provides information on the selection and allocation of resources to implement and operate an ISMS, and the requirements for ongoing awareness for all persons performing work within the scope of the ISMS and under the organization’s control. The requirement is to provide an adequate level of resources into the establishment, implementation, maintenance, and continual improvement of the information security management system. It does not actually mandate that the ISMS has to be staffed by full-time resources, just that the roles, responsibilities, and authorities are clearly defined and owned – assuming that the right level of resource will be applied as required. clause 7.1, which acts as the summary point of ‘resources’ commitment which is then more fully described with requirements in:
7.2 – Competence of the support resources for ISO 27001
7.3 – Awareness of the people doing the work for the ISMS to meet ISO 27001
7.4 – Communication about the ISMS to the interested parties internally and externally about the ISMS
7.5 – Documented information about the ISMS to demonstrate it conforms to the ISO 27001 standard
It is also worth remembering that Annex A 6 fits into this requirement nicely too, so when building out the ISMS responsibilities each of those controls could be considered at the same time.
One critical success factor for an ISMS implementation is having access to the right resources at the appropriate time. Remember that each person fulfilling a role within the ISMS is required to be competent in that role. It is therefore important to remind yourself of the core roles and consequently the core resources you will require. This applies to both the implementation and operations of the ISMS. Core roles will likely include:
- The ISMS Owner. Usually a very senior manager.
- The members of the governance forum, whatever label it is given.
- The person is responsible for information security management within the agency.
- Those responsible for various operational activities affecting information security. This includes operational support personnel such as server and network support teams, service desk personnel and human resource management staff.
- The ISMS Internal Auditor
- The role charged with the responsibility to ensure the ISMS conforms to the standard.
- The role charged with reporting the performance of the ISMS to executive management.
There are a number of questions that need to be posed and answered during implementation planning.
- Do we know what competencies we need?
- Do we have these competencies available?
- If not, can we obtain it by recruiting?
- Short term, can we contract them in?
- Longer-term, what training and development are required internally to ensure we maintain the necessary competencies?
There are a number of questions that need to be posed and answered during implementation planning. These questions primarily related to ensuring the appropriate competencies are available when required. They include questions around documenting the required competencies, identifying the existing competency set, and developing possible strategies for addressing any competency gaps. Gaps are generally addressed by:
- Hiring — obtaining permanent resources with the right competency set;
- Buying in short-term contract resources;
- Developing competencies “in house” through training and mentoring.
Decisions about these choices will depend on the extent of the competency gap and whether the competencies are required for the implementation or ongoing operation of the ISMS.
The organization must determine the necessary competence of all people doing work under its control that affects its information security performance. It must also ensure that these people are competent on the basis of appropriate education, training, or experience. Where applicable, it must take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken and must retain appropriate documented information as evidence of competence. Applicable actions may include, for example, the provision of training to, the mentoring of, or the reassignment of current employees or the hiring or contracting of competent persons.
ISO 27001 clause 7.2 basically says that the organization will ensure that it has:
- determined the competence of the people doing the work on the ISMS that could affect its performance
- people that are deemed competent on the basis of the relevant education, training or experience
- where required, take action to acquire the necessary competence and evaluated the effectiveness of the actions
- retained evidence of the above for audit purposes
Clause 7.2 requires all persons to be competent in their roles within the ISMS. Competency comes about through the provision of training, education, experience, and skills. These are all to be considered in the management of human resources. To implement and maintain an effective ISMS you need to have supporting resources in place. These resources will need to be sufficient:
- capable – if they are equipment or infrastructure; and
- competent – if they are people.
- at Management Review meetings.
There is a logical sequence that is reflected within this clause of the standard when addressing competency:
- Determine the necessary competency requirements
- Provide training or other actions to fill any gaps, considering past qualifications and experience. This may include recruiting.
- Evaluate the effectiveness of the training or actions
- Maintain records of education, training, skills, and experience, etc.
The need for people to be aware of their ISMS responsibilities is contained within Clause. The implementation of effective information security controls relies heavily on the knowledge and skills of your employees, suppliers, and contractors. To be certain of an appropriate knowledge and skills base you need to:
- define what knowledge and skills are required;
- determine who needs to have the knowledge and skills; and
- set out how you can assess or verify that the right people have the right knowledge and skills.
A whole bunch of skills and experiences required for successful implementation and ongoing management of an ISMS that is certified to ISO 27001, beyond expertise in physical security, cybersecurity, computer security, or other forms of information security per se. Those include commercial, legal, HR, IT, as well as the relevant products & services expertise for the work in scope. Building and running an ISMS is usually a collaborative team job. Your auditor will expect you to have documents detailing your knowledge and skills requirements. Where you believe the requirements are satisfied this will need to be supported with records such as training certificates, course attendance records, or internal competency assessments. Most organizations that already use tools such as training/skills matrices, appraisals, or supplier assessments can satisfy the requirement for competence records by expanding the areas covered to include information security.
The ISMS requires that all personnel are competent in terms of their role within the ISMS. Any competency gaps that have been identiﬁed need to be addressed. However, there is some speciﬁc ISMS-focussed training for some target user groups. Some of these groups and the type of training that may be required are listed in the following table.
|Audience||Type of Training|
|General users||information security user awareness training|
|The ISMS governance forum||On their role within the ISMS|
|The Information Security Manager/Ofﬁcer||The mechanisms of keeping the ISMS operating|
|Service Desk personnel|| Normal user and access management|
Their role in security event and incident management
|Human resource staff|| Responsibilities in employee|
management including recruiting,
induction and termination
|ICT support personnel|| Role in incident response|
Secure infrastructure commissioning and operations
|Executives||Role in messaging the support for the ISMS|
The training plan should consider the following:
- user awareness training
- briefings for the Governance Forum
- targeted training for key “control owner” groups
- Network support
- Server support
- Service desk (user support. incident response)
- Human resources
- briefings for key executives and line management
When developing any training plan consideration must be given to the following:
- who the target audience is?
- what messages do they need?
- how will the message/training be delivered? Face-to-face, online, PowerPoint, team brieﬁngs?
- when the training will occur and how often it needs to happen?
- who will be responsible for organizing the training, updating the content, and delivering the material?
- Are assessments or effectiveness metrics required? Quizzes? Surveys?
This type of information can be captured through a “training needs analysis” exercise. Once this type of information is captured, a training program can be developed.
The training plan should cover:
- who the target audience is
- what messages they need
- how the message/training will be delivered
- when the training will occur
- how often the training needs to happen
- who will be responsible for organizing/delivering
- Whether any assessment mechanisms are required
- If so. what would that look like?
People doing work under the organization’s control shall be aware of the information security policy, their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance and the implications of not conforming with the information security management system requirements.
Clause 7.3 of ISO 27001 combines with clause 7.2 competence and 7.4 communication about the information security management system to all the relevant interested parties. Awareness is closely related to competence in the standard. People who work under the organization’s control must be made aware of the information security policy and its contents, what their personal performance means to the ISMS and its objectives, and what the implications of nonconformities may be to the ISMS. ISO 27001 is seeking confirmation that the people doing the work are aware of:
- the information security policy
- their contribution to the effectiveness of the ISMS including benefits from its improved performance
- what happens when the information security management system does not conform to its requirements
This generally will drive some level of training and awareness sessions targeting different audience groups. Awareness of non-conformance to the requirements of the ISMS must also be addressed. In addition to ensuring the specific competence of key personnel in relation to information security, the wider group of employees, suppliers, and contractors will need to be aware of the basic elements of your ISMS. As part of the implementation of the ISMS, the people within the organization must participate in the creation of the information security policy for top management to approve. They would have a good understanding of their role because it would have been agreed and documented as part of clause 7.1. This is central to establishing a supportive culture within the organization. All staff, suppliers, and contractors should be aware of the following:
- That you have an ISMS and why you have one.
- That you have an Information Security Policy and which particular elements of it are relevant to them.
- How they can contribute to your organization protecting its valuable information and what they need to do to help the organization achieve its information security objectives.
- Which policies, procedures, and controls are relevant to them and what the consequences are of not complying with them.
- Awareness and understanding for 6.1 risk management, 6.2 ISMS objectives and 9.1 broader measurement & evaluation, 9.2 internal audits, 9.3 management reviews, 10.1 non-conformities, and corrective actions, as well as continual improvements in line with 10.2.
The communication of this information can normally be done through existing processes and documents such as inductions, employment contracts, toolbox talks, supplier agreements, employee briefings or updates.
The organization must determine the need for internal and external communications relevant to the information security management system. While determining the communication system it must determine what to communicate, when to communicate, with whom to communicate, who shall communicate and the processes by which communication shall be affected.
Communications play a key role in the implementation of an ISMS. They help garner and maintain support for the program by keeping it and its beneﬁts visible both within, and external to, the organization. The beneﬁts of strong communications programs include ensuring the information security is “front of mind” and not considered a “side issue”. Good communications strategies extend beyond implementation and into normal ISMS operations. Key security dashboards, brieﬁng’s, and alerts all form part of a strong communications regime.
Internal and external communication deemed relevant to the ISMS must be determined, as well as the processes by which they must be effected, considering what needs to be communicated, by whom, when it should be done, and who needs to receive the communication. To enable the processes in your ISMS to work effectively you will need to ensure you have communication activities that are well planned and managed. ISO 27001 details these concisely by requiring you to determine:
- what needs to be communicated;
- when it needs to be communicated;
- to whom it needs to be communicated;
- who is responsible for communication; and
- what are the processes for communication?
If your communication requirements are well defined in your processes, policies, and procedures then you do not need to do anymore to satisfy this requirement. If they aren’t then you should consider documenting your key communication activities in the form of a table or procedure that includes the headings detailed above. Remember, the content of these documents also needs to be communicated. Similar to the training domain. good communications require the identiﬁcation of the target audiences, the mechanisms that can be used (either existing or new), the content of the communications, and the frequency of such communications. Again, some processes like a Communications Needs Analysis can identify these elements and allow for the development of a comprehensive communications plan. The involvement of resources from corporate communications areas adds signiﬁcant beneﬁt in this domain. Communication strategies play an important role:
- to maintain a commitment to the implementation and operations
- to win support for the ISMS
- To continue to keep information security “front of mind”
- Development of a communications plan provides a vehicle for messaging
Communications plans should consider:
- What existing communication mechanisms can be utilized
- What involvement from corporate communications and other groups within the agency may be required
- The existing levels of support within key areas of the agency and how this could be altered
Clause 7.4 requires a clear answer to a series of questions on security issues: Who should communicate? To whom? What messages? On what? When? And how?
- On what? (content) Organizations should clearly communicate what is important to them: the need for information security and the need to conform to the requirements and policies. It will address risk management issues, new or changed security objectives, and vulnerabilities, events, or incidents to initiate the adequate answer of all, and especially the trained personnel who perform the planned reaction. Celebrating achievements and congratulating exceptional security behaviors has very positive effects. Including security clauses and requirements in the contract is also a way to communicate your requirements to services and product providers. Hence, it could be considered a part of the Communication Plan.
- What messages? (form & format) Messages should be clear in their form and content to produce the expected behavior. The type of communication medium is looked at here. You can use short stories, images, metaphors, or cartoons. Messages should be short and focused on their real intent. You certainly remember the SMART criteria that you can use to make sure the message is complete.
- Who? Organizations should clarify who is authorized to communicate, especially with external parties. Internally, top management and the CISO, and the help desk are good examples. Big companies have their Public Relations Officer to communicate with external parties. The communicator should have the appropriate authority to make sure the message will be received with the necessary attention and will be followed by the expected action or reaction.
- To whom? Not everybody should receive all the messages. Messages should be aimed at a specific audience, depending on the classification of the information, the necessary technical knowledge, and the role in the organization. The Communication Plan should be effective and addressed only to those who will benefit from it or need to act based on it – e.g., different interested parties like users, partners, internal and external service providers, regulating bodies, shareholders, etc.
- How? (process) The simplest and first way is the security policy and all the documents that describe what to do (and how) to meet the objectives of the policy. Messages should be prepared and approved, particularly in the case of incidents and crises. Defined channels (and protocols) should be utilized to make sure the communication reaches the intended audience at the best moment and with the best possible effectiveness. Examples: emails, pop-up screens, screensavers, posters, audio messages, meetings, policies, and directives, etc.
- When? Communication should be both continuous and event-based (in reaction to events). You should make sure the communicated message is continuously retransmitted, for example, to newcomers, and at repeated intervals, to make sure it won’t get forgotten. You also should be able to modify the messages or introduce new messages or formats and channels when the situation requires it. Communicating in normal conditions might be seriously different in comparison to incidents or in crises.
Internal vs. External Communication Plan. It is important to recognize that the Communication Plan has both internal and external aspects. They will respond differently to the following questions.
Internal Communication Plan. Top management uses the internal Communication Plan to send messages on its objectives and commitment toward information security. Some examples are the Information Security Policy, the security organization with the key roles and responsibilities, the Awareness plan, the general and specific requirements to respond to incidents. However, the internal Communication Plan should not remain unidirectional. The channels (telephone and email, for example) should also be known and used to communicate “bottom-up” from the base (the users) to the management about events or some new vulnerability.
External Communication Plan. Most of the examples given above relate to the internal Communication Plan but are also fully applicable to the external Communication Plan. You may need to communicate to the external world: regulatory authorities, public authorities, shareholders, clients, and partners, to announce events either positive (successes) or negative (incidents, accidents, and crises). Here also you will need a Communication Plan answering the same questions as above. However, in this case, you’ll have to use more caution as you may not expose or disseminate sensitive information that will make your situation worse.
How to document the Communication Plan?
Depending on the size of the organization and its security objectives, the Communication Plan could be more or less formal, fully documented as a separate document, or simply stated in a few sentences within other policies, procedures, and plans. As long as the desired messages are passed to those who should make the best of it, your solution will fit your needs and the resources you can devote to it.
7.5 Documented information
The organization’s information security management system shall include documented information required by ISO 27001 and those determined by the organization as being necessary for the effectiveness of the information security management system. The extent of documented information for an information security management system can differ from one organization to another due to the competence of persons, the size of the organization and its type of activities, processes, products, and services, the complexity of processes and their interactions.
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate identification and description (e.g. a title, date, author, or reference number); format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the information security management system and by ISO 27001 Standard shall be controlled to ensure it is available and suitable for use, where and when it is needed; and it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). The organization shall control documented information by addressing its distribution, access, retrieval, use, storage, preservation, including the preservation of legibility, control of changes (e.g. version control), retention and disposition. As appropriate, Documented information of external origin must be identified and controlled by the organization which are necessary for the planning and operation of the information security management system. Access can mean a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.
Clause 7.5 addresses the requirements relating to maintaining the relevant documents and records that support the operations of the ISMS. Formal records of document approval demonstrate conformance with this clause. To be of use, the documented information you use to implement and maintain your ISMS needs to:
- be accurate;
- be understandable to the individuals who use it regularly or occasionally; and
- support you to comply with legal requirements, manage information security risks and achieves your objectives.
So that your documented information always satisfies these requirements you will need to have processes in place to ensure that:
- documented information is reviewed where required by appropriate individuals before it is released into general circulation;
- access to documented information is controlled so that it cannot be changed accidentally, corrupted, deleted or accessed by individuals to whom it is not appropriate;
- information is deleted securely or returned to its owner when there this a requirement to do this; and
- you can track changes to information to guarantee that the process is in control.
Documentation is important to ensure that processes are performed in a manner consistent with the objectives of the management system. Documentation deﬁnes what you are going to do and provides evidence of you doing what you say. The extent of documentation is not deﬁned by the standard and is inﬂuenced by a number of factors. These include:
- The size and primary functions of the organization:
- The complexity and interaction of business processes;
- The control environment, possibly inﬂuenced by external obligations;
- The competence of personnel:
- Any other legal or regulatory obligations.
Documents should always be constructed with the target audience in mind. They must be useful to those who need access to the information contained within the documentation. Organizations are expected to deﬁne their processes and document as appropriate. They must then follow their own documentation. “Say what you do and do what you say”.
The procedure that is not formally documented are permissible and have the following characteristics:
- The procedure is systematical;
Documentation, however, does require management. Such management includes document approvals. requirements on access and legibility and other speciﬁcations outlined in Clause 7.5 of the standard.
The source of your documented information may be either internal or external, so your control processes need to manage documented information from both sources. Organizations that have good document control typically have one or more of the following in place:
- A single person or small team responsible for ensuring that new/modified documents are reviewed before they are issued are stored in the right location, are withdrawn from circulation when superseded and that a register of charges
- An electronic document management system that contains automatic workflows and controls.
- Robust electronic data back-up and hard-copy file archiving/ storage processes.
- Strong employee awareness of document control, record keeping, and information access/retention requirements.
“Documented information,” which you will see mentioned several times during this white paper, now covers both the “documents” and “records” concepts seen in the previous revision of the ISO 27001 standard.
This change was designed to facilitate the management of documents and records required by the standard, as well as those viewed as critical by the organization to the ISMS and its operation. It should also be noted that the amount and coverage of documented information that an organization requires will differ, according to its size, activities, products, services, the complexity of processes and their interrelations, and people’s competence.
7.5.2 Creating and updating
The standard requires that documented information created or updated in the scope of the ISMS must be properly identified and described, also considering its content presentation, and media used. All documented information must go under proper review and approval procedures to ensure they are fit for the purpose.
7.5.3 Control of documented information
The standard states that documented information required by the ISMS, and the standard itself, either from the internal or external origin, must be available and fit for use where and when needed and reasonably protected against damage or loss of integrity and identity. For the proper control of documented information, the organization must consider the provision of processes regarding the distribution, retention, access, usage, retrieval, preservation and storage, control, and disposition. The principle of Confidentiality, Integrity and Availability is applicable for documented information, it needs to be available when required and adequately protected from loss of confidentiality, unauthorized use or potential integrity compromise to address the following aspects:
- sharing and distribution clarity, controls over access to some or all of the ISMS – bearing in mind the access permissions for reading, updating, approving, deleting etc might need to differ based on the stakeholder role
- storage and preservation, including control of changes (showing older versions, historical approvals etc)
- retention and disposal also needs consideration
The difference between a document and a record: records are evidence of activity at a point in time. Documents are reviewed and updated on a periodic basis. They are usually versioned.
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.