
ISO 27001 Clause 7.1: Resources

27kay · 7 min read

Clause 7.1 requires your organization to determine and provide the resources needed for the ISMS - covering its establishment, implementation, maintenance, and continual improvement. This is the clause where leadership commitment becomes tangible: if top management says they support the ISMS but provides no budget, people, or tools, Clause 7.1 is not satisfied.

What the clause requires

ISO 27001:2022 Clause 7.1 is a single sentence: the organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the information security management system.

Short as it is, this clause covers everything the ISMS needs to function:

  • People - time allocated from existing staff, or dedicated security personnel
  • Budget - funding for tools, training, audits, consulting, and certification
  • Technology - platforms and tools that support security controls
  • Knowledge - access to standards, threat intelligence, and regulatory information

The standard does not prescribe specific resource levels. What constitutes “adequate” depends on your organization’s size, risk profile, and ISMS scope. A 15-person startup has different resource requirements than a 300-person financial services firm - and auditors understand that.

How to determine and allocate resources

People and time

This is where most organizations get it wrong. The ISMS needs someone to run it, and that person needs allocated time - not just a line in their job description that says “and also manage information security.”

For a small SaaS company (15-30 people), the typical resource allocation looks like:

  • ISMS manager: 20-40% of one person’s time (often the CTO, Head of Engineering, or a senior engineer). For organizations that cannot justify this internally, a vCISO fills this role on a fractional basis.
  • Risk owners and asset owners: 2-4 hours per month for each person holding a risk or asset ownership role. These roles are assigned and communicated under Clause 5.3; risk owners themselves are identified during the risk assessment (Clause 6.1.2). The time covers monitoring risks, reviewing the controls they own, and preparing their input for management review.
  • All employees: 4-8 hours per year for security awareness training, reading updated policies, and participating in exercises like phishing simulations.
  • Internal audit: Either dedicated time from a trained internal resource, or budget for an external provider to perform the internal audit. Clause 9.2 requires auditors to be objective and impartial, so the ISMS manager should not audit their own work; it does not require the auditor to be an employee.

For larger organizations (100+ people), a dedicated information security function becomes necessary. The ISMS manager role becomes full-time, supported by security engineers, compliance analysts, or a security operations team.

Budget

The budget conversation should be driven by your risk assessment, not by arbitrary spending targets. Your risk treatment plan identifies what controls are needed - and those controls determine the budget.

Typical budget items for a small-to-medium organization include:

  • Certification body audit fees (initial certification and annual surveillance)
  • Security tooling (endpoint protection, vulnerability scanning, SIEM or log management, identity provider)
  • Compliance management platform or GRC tool
  • External consulting or vCISO support
  • Training platform for security awareness
  • Penetration testing (annual or after significant changes)

Organizations starting from scratch should expect to spend more in year one (implementation plus initial certification) and less in subsequent years (maintenance and surveillance audits).

Technology and tools

You do not need enterprise-grade security tools to satisfy Clause 7.1. The standard requires adequate resources, not the most expensive ones. For a startup, this might mean:

  • A cloud-native identity provider with MFA (many are free for small teams)
  • A vulnerability scanner running on a schedule against your production infrastructure, with someone assigned to triage and track the findings
  • A backup solution with tested recovery procedures
  • An endpoint protection platform
  • A document management system for ISMS documentation (even Notion or Confluence works)

The key is that the tools match the controls in your Statement of Applicability. If you have committed to a control, you need the resources to implement and maintain it.

Connecting 7.1 to the rest of your ISMS

Clause 7.1 is the practical foundation that makes everything else possible.

Clause 5.1 connection. Leadership commitment includes the explicit requirement to “ensure that the resources needed for the ISMS are available.” Clause 7.1 is the direct consequence - if leadership is committed, resources are provided.

Clause 6.1 connection. Your risk assessment and risk treatment plan define what resources are needed. If the treatment plan says “implement a SIEM solution” but no budget is allocated, you have a resource gap.

Clause 7.2 connection. Competence is a specific type of resource - the skills and knowledge of the people working within the ISMS. Resources include the training budget to develop those competencies.

Clause 7.3 connection. Awareness programs require resources - training platforms, time for staff to complete training, and someone to manage the program.

Clause 9.3 connection. Management review should evaluate whether current resources are adequate. Clause 9.3.2 does not list resource adequacy as a mandatory input, but it does require the status of the risk treatment plan, which is where resource gaps surface as stalled or unfunded treatments. If the ISMS is underperforming due to resource constraints, management review is where leadership decides to allocate more - or accept the associated risk, with that decision recorded as a review output.

What auditors check

Clause 7.1 is often assessed indirectly - auditors look at the outputs of resourcing rather than checking a budget spreadsheet.

ISMS manager allocation. Auditors ask who manages the ISMS and how much time they spend on it. If the answer is “nobody in particular” or “whoever has spare time,” that is a finding. They expect to see a named person with clearly allocated time.

Risk treatment plan execution. If your treatment plan identified controls to implement but they have not been implemented due to “resource constraints,” auditors will check whether resources were ever formally requested and whether leadership addressed the gap. A stalled treatment plan is often a Clause 7.1 issue.

Training records. Evidence that people have been trained, that training budgets exist, and that the organization invests in building competence across the ISMS. Clause 7.2 also accepts mentoring, reassignment, or hiring competent people as routes to competence, but whichever route you take, auditors expect evidence that it happened. No budget, no mentoring plan, and no records means no competence development - which is a resource gap.

Tool availability. Auditors check whether the tools needed to operate controls are actually in place. If your SoA says you monitor security events but you have no logging or monitoring tool, that is a resource issue.

Management review inputs. Auditors check whether resource adequacy is discussed during management review. The management review should include an assessment of whether the ISMS has what it needs - and evidence that leadership responds when it does not.

Common mistakes to avoid

Treating the ISMS as a zero-cost add-on. The most common mistake is expecting the ISMS to run on top of everyone’s existing workload with no additional budget or time allocation. This leads to an ISMS that exists on paper but is not maintained - policies go stale, risk registers are not updated, and training does not happen.

Over-resourcing with tools, under-resourcing with people. Some organizations buy expensive security tools but do not allocate anyone to configure, monitor, or maintain them. A SIEM that nobody reads is not a security investment - it is wasted budget. People to operate the tools matter more than the tools themselves.

No resource discussion in management review. If management review minutes never mention resources, auditors will question whether leadership is genuinely engaged with the ISMS. Include resource adequacy as a standing agenda item - even if the conclusion is “current resources are sufficient.”

Not scaling resources as the organization grows. An ISMS resourced for a 20-person company does not work for a 50-person company. As the organization scales - adding employees, products, customers, or infrastructure - the ISMS resources need to scale with it. Review resource adequacy at least annually, and proactively after significant growth.

Forgetting ongoing costs. Initial implementation gets budgeted, but ongoing costs get overlooked. Surveillance audits, annual penetration tests, training platform renewals, and the ISMS manager’s continued time allocation all need ongoing budget commitment, not just year-one funding.

How 27kay can help

We help organizations figure out the right level of resourcing for their ISMS - enough to satisfy auditors and actually protect the business, without overspending. As part of ISO 27001 implementation, we help you build a resource plan that matches your risk profile and scales with your growth. For organizations that need fractional security leadership, our vCISO service provides the ISMS management resource without a full-time hire. For the full picture, see our ISO 27001 knowledge hub.

Not sure whether your ISMS is adequately resourced? Get in touch - we will give you an honest assessment of what you need and what you can defer.