ISO/IEC 27001:2022 Clause 7: Support – a brief
INTENT:
To implement and maintain an effective ISMS, supporting resources plays a vital role.
Resources include but not limited to; Man, Machine Material and Method
These resources will need to be:
- Capable – If they are equipment or infrastructure.
- Competent – If they are people.
INDEX
Let us discuss each one of them one by one:
Clause 7.1 – RESOURCES
This applies to people, infrastructure and environment as much as physical resources, materials, tools etc. Also, knowledge as a significant resource is addition. When planning objectives, a major consideration shall be current capacity and capability of resources as well as those need to source from external suppliers/partners.
Clause 7.2 – COMPETENCE
The implementation of effective information security controls relies on the knowledge and skills of organization’s employees, suppliers and contractors, sub-contractors, vendors, service providers etc.
Appropriate knowledge and skills criteria:
- Defining what knowledge and skills are required.
- Determining who needs to have the knowledge and skills.
- Set out how you to assess or verify that the right people have the right knowledge and skills.
All this will need to be supported with records such as training records/certificates, course attendance records or internal competency assessments.
Some good examples of related tools for any organization can be; training/ skills matrices, supplier evaluation records etc.
Clause 7.3 – AWARENESS
Further; In addition to ensuring specific competence of key personnel in relation to information security, the wider group of employees, suppliers and contractors will need to be aware of the basic elements of organization’s ISMS. This is central to establishing a supportive culture within the organization.
All staff, suppliers and contractors should be aware that the organization have ISMS implemented, have ISMS policy in place and how the ISMS is helping the organization in protecting valuable information and what they need to do to help the organization achieve its objectives.
The communication of this information can normally be done through inductions, employment contracts, toolbox talks, supplier agreements, employee briefings or updates, emails, display boards etc.
Clause 7.4 – COMMUNICATION
Communication activities should be well planned and managed to ensure ISMS works effectively in an organization. Organization need to ensure that they have communication activities that are well planned and managed, including:
- What needs to be communicated.
- When it needs to be communicated.
- Who needs be included in communications.
What the processes is for communication.
Note: Documenting the communication requirements is always better to ensure effectiveness. Also, the documented requirements need to be communicated to IPs and organization to make sure it’s effective awareness among all employees.
Clause 7.5 – DOCUMENTED INFORMATION
Information Security Management System (ISMS) refers to a systematic approach to managing sensitive company information, ensuring it remains secure. Organization to ensure the information is documented and controlled by access rights associated with an ISMS.
The documented information shall be; Accurate, Understandable to the individuals who use it, Supportive to comply with legal requirements, manage information security risks and achieve objectives. The documented information must be created, updated and controlled in such a way to ensure effectiveness of Information security
The documented information shall have processes in place to ensure that:
- The documented information is to be reviewed where required by appropriate individuals before it is released into general circulation.
- Access to documented information is controlled so that it cannot be changed accidentally, corrupted, deleted or accessed by individuals to whom it is not appropriate.
- Information is deleted securely or returned to its owner when there is a requirement to do this.
- Can track changes through logs.
