In this blog I'm combining the Resources, Competence, Awareness and Communication clauses (7.1 to 7.4 of ISO 27001:2013). These really do go hand in hand with each other.
Keep these questions in the back of your mind as we go:
I'd say these are pretty standard questions for any business or organisation, regardless of whether it happens to be seeking certification.
No secrecy around this one: the standard keeps it short and to the point, with just the two lines.
The organisation must determine and provide the resources needed to establish, implement, maintain and continually improve the Information Security Management System (ISMS).
There are 5 key tasks when it comes to your resources –
Follow these 5 steps and you can’t go wrong!
However, "resources" is a broad term, and there are quite a few categories you'll need to turn your mind to, particularly at the beginning of the ISO 27001 journey. For instance, resources could mean ensuring that you've got enough competent staff available to carry out the activities required as part of your ISMS, and that they do so in a timely manner. That's right: time is also a resource and needs to be considered in line with the above 5 steps, the same as any other.
At Mango we met this clause (as with all the others) simply by going about our everyday business routine. We use the Plant/Equipment module to manage any equipment or tools that relate to employees and/or the workplace. This is a one-stop shop that lets us see at a glance what we currently have, any associated records, who it's assigned to and, if applicable, when it needs to be reviewed and/or replaced.
As for managing other resources such as people and time, we do this through a combination of our Human Resources module and our monthly management and operations meetings. The agendas are set so that at these meetings we discuss current and upcoming projects, who they are assigned to, the deadline for the work to be completed by, and whether any additional resources are required in order to achieve this.
Again, this is fairly straightforward. The organisation needs to determine which competencies a staff member must have in order to carry out work that affects the ISMS, and then ensure that the employee has them. If they don't, how will they gain them, how will you evaluate whether the training or other action actually worked, and what documented evidence of competence will you retain?
At Mango we use a skills matrix in the Human Resources module to manage and track much of the above. To read about how we set this up, check out How to Implement a QMS and Achieve ISO 9001 Certification Part 17.
Once established, it's important that you maintain the skills matrix: update it where training has been undertaken, add new skill requirements as they arise, and always keep an eye out for any gaps between what a role needs and what the person in it currently has.
Note that competence doesn't only mean certificates. The standard accepts appropriate education, training or experience as its basis, so past experience and other forms of knowledge gathering can be taken into consideration, so long as they are properly documented. The judgement a person has built up over years of doing the job counts too, provided you can evidence it.
This applies equally if you need to fill a role temporarily, for example via an external contractor: you'll need to give them the same considerations and fully document how they meet the ISMS competence requirements.
In my view awareness is so closely tied in with competence that if you’re doing 7.2 right, you should almost be able to tick this one off too, it all comes down to growing an employee’s knowledge.
There are, though, a couple of extras in this clause to be mindful of:
The organisation's employees shall be aware of the information security policy and of how their role contributes to the effectiveness of the ISMS. Nothing too mysterious so far, right?
But let’s take it just a bit further.
The employee needs to understand why improved information security performance is a good thing AND they also need to know the possible consequences, for them and for the organisation, of not complying with the ISMS requirements.
It's not that every employee needs to be able to recite the information security policy word for word; it's enough that staff understand their responsibilities and how their role fits within the organisation.
Meeting the requirements of this clause can be done fairly easily via methods that you're possibly already using, such as:
The clause states “The organisation shall determine the need for internal and external communications relevant to the ISMS including:
OK, that doesn't seem too difficult. Communicating is pretty fundamental to any organisation, and there's a good chance that as you read this you're nodding, happy in the knowledge that you're already doing it.
Here at Mango we've documented a procedure which outlines the different forms of communication (e.g. formal or informal meetings), what we would expect to be discussed (you could use agenda templates as a prompt for the more formalised meetings), and who the communications should be sent to.
Once we've held a meeting or catch-up, where appropriate a record of it is added to the employee's profile in Mango as a skill. Three birds with one stone: communication which increases both competence and awareness. Nice!
Here is a list of takeaways that will help you achieve these clauses:
View previous blogs in this ISO 27001 series:
ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values
ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 5.1 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 5.2 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 5.3 of ISO 27001:2013
ISO 27001 Information Security Management Standard: Clause 6.1 of ISO 27001:2013