ISO/IEC 27001:2022 Clause 7:
- Providing necessary monetary and physical assets, resources and systems (such as personnel, plant/office, logistics, working conditions, etc.)
- Providing and maintaining monitoring and measuring resources (e.g., calibrated equipment)
- Determining and maintaining organizational knowledge
- Ensuring personnel competency and providing additional training to achieve competency
- Communicating the policy, relevant objectives, and each employee’s contribution to the ISMS
- Documenting information necessary for the operation of ISMS processes and conformance to ISO 27001:2022.
Clause 7.1: Resources
This section takes a broad view of the items needed to realize the requirements of ISO 27001:2022, specifically calling for resources to support the critical areas of establishing, implementing, maintaining and continually improving the ISMS.
Clause 7.2: Competence
The competence of those who perform, or could affect, the ISMS processes needs to be assessed against the requirements of their tasks, and any deficiencies must be addressed through personnel training, exposure, outsourcing or reassignment.
Clause 7.3: Awareness
Clause 7.3 is easy to achieve. If you meet the requirements of 7.2 (competence) and 7.4 (communication), 7.3 will follow naturally. Overall, ISO 27001 Clause 7.3 requires that the persons doing the work are aware of:
- the ISMS Policy
- their contribution to, and impact on, the ISMS, including the benefits of improved performance
- the implications of nonconformance with the ISMS
Clause 7.4: Communication
A formal plan and the activities for informing the organization about the ISMS need to include:
- Who needs to know about each specific ISMS element
- How and when that communication will take place
- Who is responsible for the information being transmitted
Clause 7.5: Documented Information
Documented information must cover not only what the standard requires, but also what the organization itself needs in order to implement the ISMS. For example, you do not need a documented procedure for every process, but you may need one for more complex processes. The extent of that documentation will vary based on a variety of factors (e.g. size, mission, products, services, sophistication, etc.). The standard does provide these specific documentation criteria:
- Each document must be properly identified and described, including its source, purpose, change history, review/approval status and the method of communication (text, audio, video, pictorial, multimedia, interactive, etc.)
- A means must be provided to formally manage the documentation, balancing the need for access against the need for security
- Going further, there must be a plan and approach governing documentation dissemination (what, when, and where documentation can be accessed and by whom), integrity/validation, revision, approval, storage and destruction (if applicable)
- Documented information of external origin, determined as necessary by the organization for planning and operation of the ISMS, shall be identified and controlled.
Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.