Information Security Management
ISO 27001 Clause 7 Support
ISO 27001 Clause 7 addresses the supporting processes and resources an ISMS needs.
It ensures that people are competent and aware, information is communicated properly, and documents are controlled.
Written by: Alan Parker, ISO 27001 Consultant
Last Updated: 27/4/26
ISO 27001 Clause 7 – Support
The five sub-clauses that ensure the ISMS is staffed, communicated, and documented effectively

Clause 7.1 – Resources
This clause simply states that the organisation must determine and provide the resources needed to establish, implement, maintain, and continually improve the ISMS.
In essence, ensure you have enough resources.
Resources can be human resources (people’s time and expertise), financial resources (budget for tools, training, and external help), and infrastructure (IT systems, etc.).
For smaller businesses, ISO 27001 Clause 7.1 often boils down to whether management allocated sufficient budget and staff time for security activities.
For example, did they provide a consultant, a new firewall, or staff training if you needed them?
By the time of the audit, an auditor might indirectly gauge this by checking whether tasks were completed or whether a lack of resources is causing gaps.
To comply, there isn’t a specific document called “resources”, but you should have evidence that the needed resources were considered and provided. However, a resource plan will certainly help.
For instance, if your risk treatment plan required purchasing a new backup system and you did it, that’s evidence.
Or, if you decide you need a part-time security officer and assign someone to that role (with, maybe, a formal appointment letter), that shows a commitment of resources. Often, this clause is implicitly demonstrated by the outputs of Clause 5 (management commitment) and Clause 6 (if all planned tasks are resourced).
If you are very lean, plan creatively – e.g., you may not be able to hire new staff, but allocate 20% of an existing IT staffer’s time to ISMS coordination.
Personally, I tend to recommend creating a resourcing plan. Something that outlines the activities you want to undertake over the next 6 to 12 months, along with the levels of resources needed to make them happen. The resource plan is typically a simple spreadsheet with a monthly financial breakdown so the CFO, or whoever, can see when funding is needed and what for.
Just be ready to explain how you’re resourcing the ISMS.
Running Your ISMS – A 6-Month Resource Plan
Typical activities and effort for a 25–50 person organisation after initial certification
Before we go too much further into Clause 7, I usually tell people that 7.2 (Competence), 7.3 (Awareness) and 7.4 (Communication) are three sides of the same coin (pun intended). You cannot have one without the others. Awareness leads to Competence, and cannot be achieved without good communications. So, I tend to approach them as a joint trio of activities rather than individual things.
Clause 7.2 – Competence
Clause 7.2 requires that persons working under the ISMS (that affects its performance) be competent based on education, training, or experience. It also requires the organisation to take actions to acquire the necessary competence and, where applicable, to evaluate the effectiveness of those actions.
- Identify the competencies (knowledge and skills) required for ISMS roles.
- Ensure the people in those roles have them, or if not, provide training or support so they can become competent.
- Keep evidence of competence (e.g., training records, certifications, or documented experience).
For example, if you assign someone to do risk assessments, are they trained in risk assessment techniques or ISO 27001 requirements? If not, perhaps send them to an ISO 27001 lead implementer course or train them.
If you have an internal auditor, they should be trained in internal auditing (e.g., an ISO 27001 internal auditor certification). Even general staff need some level of competence in security basics (which overlaps with awareness, 7.3).
ISMS Competency Matrix – Typical SME Roles
What evidence demonstrates competence for each role and skill area
A common practice is to maintain a training and competency matrix alongside training records. This might list key ISMS roles (such as ISMS Manager, Risk Assessor, Internal Auditor, IT Admin, etc.), along with required competencies (e.g., knowledge of ISO 27001, technical skill X), and notes on how those competencies are met (e.g., years of experience, completed training courses).
At a minimum, keep records of any training done. ISO 27001 actually mandates retaining “appropriate documented information as evidence of competence” – so certificates of training, records of on-the-job training, professional certifications, or even documented performance reviews can serve as evidence.
Auditors might ask to see certain people’s qualifications. For example, “Who conducts your internal audit? Oh, Nikesh does – what’s his background? Has he been trained for this?”
If you show that Nikesh took an ISO 27001 internal auditor course (and has a certificate), that will tick the box. If someone learned via self-study, maybe you have an internal record, “Nikesh self-studied ISO 27001 auditing and shadowed an external auditor for one audit” – something to demonstrate competence. Relevant certifications or degrees can help (though they are not mandated) for technical roles.
Essentially, you need to prove that the people running the ISMS know what they’re doing.
SMEs might worry about this if they don’t have formally certified staff. Don’t fret – experience counts too. You can document that, e.g., “Bob has 5 years of IT management experience, which covers many security aspects” as part of his competence.
The key is that you have assessed it and are satisfied they’re competent, not that you’ve spent thousands on courses.
My Full ISO 27001 Toolkit includes a competency matrix, training records, a multi-week awareness campaign, and a communication plan.
Clause 7.3 – Awareness
Even if people are competent in security and its activities, they must also be aware of the ISMS and their role in it. Clause 7.3 states that persons performing work should be aware of the information security policy, their contributions to the ISMS (including the benefits of improved security performance), and the implications of not conforming to ISMS requirements.
As I mentioned earlier, in practice, ISO 27001 Clause 7.3 is achieved through security awareness training and communication. Every employee (and relevant contractor) within the scope of the ISMS should receive awareness training. Typically:
- When the ISMS is rolled out, conduct an awareness session or training module covering ISO 27001, why it’s important, the policy, key dos and don’ts, and how to report incidents.
- Ongoing, have at least annual refresher training or frequent security tips communications.
- Ensure new hires get an introduction to info security (maybe as part of onboarding).
Specifically, employees should know: “We have an info security policy and it says X” (at least broadly), “I have a part to play (e.g., creating strong passwords, reporting suspicious emails, following clean desk, etc.)”, and “if I don’t, it could harm the company or I could face disciplinary action or we could lose business,” etc. They don’t need to quote the standard, but they should understand the importance of security.
Output/Evidence: Training materials (slides, videos, etc.), training attendance logs or completion records (like quiz results if you have e-learning), emails sent with the policy attached, etc., all serve as evidence. Clause 7.3 isn’t about a document to create; it’s about activities to do, but you must retain records of when it was done. For ISO, a security awareness training record (date, topics, who attended) is typically kept. Also, posters or intranet pages can supplement awareness, though the auditor is unlikely to consider a poster alone sufficient.
Auditors might randomly ask employees: “Do you know about the information security policy or any security training you received?” If employees consistently say “No, I’ve never heard of it,” that’s an issue. Ideally, employees say, “Yes, we had a training last month” or “Yes, our boss talked about it.”
An auditor may also check training records to ensure coverage (e.g., did you include all staff, did any employee miss it?).
Clause 7.4 – Communication
Clause 7.4 requires the organisation to determine the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, who will communicate, and the processes by which it will be communicated. This is a communication plan for information security topics.
Key communications can include:
Internal Communication
Security policies and updates to employees, incident reporting procedures (employees need to know how to report incidents internally), perhaps the results of security initiatives, reminders of security practices, communications between the ISMS manager and top management (reports, etc.), and communication within the ISMS team (like the frequency of ISMS meetings).
External Communication
External communication is often overlooked in favour of internal communication, but you also need to ask what you must communicate to outside parties about your ISMS or security. This might involve letting customers know you have certification (marketing communications), sharing certain policy information with partners, or reporting mandatory breaches to authorities if an incident occurs (a kind of ISMS-relevant communication). Also, if a client asks for information like your SoA or a summary of controls, do you have a process for that?
For ISO 27001, a simple way to address 7.4 is to create a communication matrix or plan.
For example:
| What | To Whom | When | By Whom | How |
|---|---|---|---|---|
| Information Security Policy | All employees | On hire and annually | ISMS Manager / HR | Via email and intranet |
| ISMS Progress Report | Top Management | Quarterly | ISMS Manager | When trigger criteria are met |
| Security Incident Notification | Customers / Regulators | When trigger criteria met | Responsible person to be defined | Method dependent on trigger (e.g., email, call) |
| Certificate Achievement | Customers (external) | After certification | Sales / Marketing | Email newsletter or website update |
This ensures you haven’t missed telling someone something critical.
The plan can be small for SMEs and might be documented within the ISMS manual or procedure.
Auditors will look for evidence that important communications are happening as planned. For instance, if you said youโll communicate policies annually, they might ask, โWhen was the last time the policy was communicated, and how?โ Then you show the email that was sent.
Clause 7.5 – Documented Information
Clause 7.5 concerns documentation – both documents and records. ISO 27001, like all management system standards, expects good document control practices. There are three subclauses:
7.5.1 General
It says your ISMS will include the documented information required by the standard (i.e., all mandatory documents and records we’ve been discussing) and any other information the organisation deems necessary for effectiveness. This just means having all the documents ISO explicitly requires (like the policy, scope, SoA, etc.) and whatever else you need (maybe procedures, guidelines – it’s up to you).
7.5.2 Creating and Updating
This part sets guidelines for when you create or update documents: ensure appropriate identification (e.g., title, date, author, version number), proper format (hardcopy or electronic, as long as consistent), and review and approval for adequacy. Essentially, it manages document version control. For example, your policy should have a version number, a date, and an approver’s signature. When it’s updated, you increment the version and re-sign, etc.
7.5.3 Control of Documented Information
This requires that documented information is controlled to ensure it is available where needed, protected (from loss, improper change, and unauthorised access), and that activities such as distribution, access, retrieval, and storage are managed.
Also, retention and disposition (how long you keep records and how you dispose of them) are defined. In practice, you should:
- Store documents in a known location (e.g., a SharePoint or Google Drive folder for ISMS docs or a physical binder if old-school).
- Have access control if needed (e.g., only authorised people can edit certain documents).
- Ensure people can find the documents (so share them appropriately).
- Prevent unintended alterations (maybe PDF the approved policies for general access, keep edit rights limited).
- Define retention: e.g., “Keep audit records for at least 3 years” or “retain former versions of documents for X years.”
- Control records as well: ensure you keep records such as logs, training records, etc., organised and protected from loss (backups, etc.).
Many companies implement this via a Document Control Procedure (or Information Management Procedure).
It’s not explicitly mandated to have a procedure document, but it’s common and useful.
This procedure might specify who the doc control owner is, how to label documents (with doc IDs or versions), where to store them, and retention rules.
Outputs: Under 7.5, the main “output” is the collection of controlled documents and records. By the audit, you should have:
- All ISMS documents versioned and approved.
- A document register or list (nice-to-have: a list of ISMS documents and their current versions).
- All required records are maintained (training logs, monitoring logs, audit reports, etc.).
- Possibly a Document Control Policy/Procedure (to show how you manage docs).
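As an added illustration (not from the article or the author’s toolkit), the following Python script checks a document register for the Clause 7.5 problems described above: a superseded version still marked current, a document with no recorded approver, an overdue review, and a record with no retention period. The register columns, document IDs and the sample rows are constructed assumptions.

```python
"""Lint an ISMS document register against Clause 7.5 expectations.

Added example; the CSV layout and doc IDs below are assumptions, not a
real register. Findings mirror the typical audit issues: old versions
left as current, missing approval trail, overdue review, no retention.
"""
import csv
import io
from datetime import date

# Constructed sample register (not real data). Empty cells are blank.
REGISTER_CSV = """doc_id,title,version,status,approved_by,review_due,location,retention_years
ISMS-POL-01,Information Security Policy,3.0,current,CEO,2026-01-10,SharePoint/ISMS/Policies,
ISMS-POL-01,Information Security Policy,2.0,current,CEO,2025-01-08,Shared drive/Old,
ISMS-PRO-04,Document Control Procedure,1.2,current,,2025-06-01,SharePoint/ISMS/Procedures,
ISMS-REC-07,Internal Audit Report 2025,1.0,record,ISMS Manager,,SharePoint/ISMS/Records,3
ISMS-REC-08,Awareness Training Log,1.0,record,ISMS Manager,,SharePoint/ISMS/Records,
"""


def parse_register(text):
    """Read the register CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _version_key(version):
    """Turn '3.10' into (3, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_register(rows, today):
    """Return (doc_id, finding) tuples for every control failure found."""
    findings = []

    # 7.5.3: only the newest version of a document may be 'current';
    # older copies left accessible are the classic shared-drive finding.
    current = {}
    for row in rows:
        if row["status"] == "current":
            current.setdefault(row["doc_id"], []).append(row)
    for doc_id, versions in current.items():
        newest = max(versions, key=lambda r: _version_key(r["version"]))
        for row in versions:
            if row is not newest:
                findings.append((doc_id, "superseded version %s still current at %s"
                                 % (row["version"], row["location"])))

    for row in rows:
        doc_id = row["doc_id"]
        # 7.5.2: every version needs an approval trail, not just a number.
        if not row["approved_by"]:
            findings.append((doc_id, "version %s has no recorded approver" % row["version"]))
        # 7.5.3: current documents must be reviewed by their due date.
        if row["status"] == "current" and row["review_due"]:
            if date.fromisoformat(row["review_due"]) < today:
                findings.append((doc_id, "review overdue since %s" % row["review_due"]))
        # 7.5.3: records need a defined retention period before disposal.
        if row["status"] == "record" and not row["retention_years"]:
            findings.append((doc_id, "no retention period defined"))
    return findings


def audit(text, today_iso):
    """Convenience wrapper: parse the CSV and run all checks for a given date."""
    return check_register(parse_register(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for doc_id, finding in audit(REGISTER_CSV, "2025-09-01"):
        print("%s: %s" % (doc_id, finding))
```

Run against a real register exported from your document list, the script gives you the same answers an auditor will look for before they ask.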
Documentation and Outputs for ISO 27001 Clause 7
Clause 7 – What Evidence Is Required?
Documents and records an auditor will expect to see at certification and surveillance audits
Records demonstrating that leadership has made a conscious decision to allocate resources to the ISMS – budget approvals, headcount decisions, tool procurement records, or project sign-offs. The standard requires resources to be available; evidence of how they are determined and approved supports the leadership commitment requirement of Clause 5.1.
A structured record mapping required competencies to roles within the ISMS – and showing which individuals meet those requirements. Identifies gaps that need to be addressed. Not explicitly mandated as a document type, but auditors frequently ask how competency requirements are defined and assessed, and a matrix provides a clear answer.
Documented evidence that relevant people have received appropriate training or hold relevant qualifications – certificates, completion records, CPD logs, or formal appraisal records. The standard explicitly requires evidence of competence to be retained as documented information. Records should also show what action was taken where a gap was identified and how its effectiveness was evaluated.
Evidence that a security awareness programme exists and that staff have participated in it – completion logs, attendance records, e-learning screenshots, or phishing simulation results. The programme must cover the IS policy, staff contributions to ISMS effectiveness, and the consequences of non-conformance. Records should span the full workforce, not just the IT team.
A documented plan identifying what ISMS-related communications are required, to whom, when, and through which channel. Clause 7.4 requires the organisation to determine these specifics; a communication plan or matrix makes that determination visible and evidenced. Auditors will ask how communication is managed, and this document provides a direct answer.
A procedure defining how ISMS documents are created, reviewed, approved, versioned, distributed, and withdrawn. The standard's requirements in 7.5.2 and 7.5.3 imply that these activities are controlled; a documented procedure demonstrates how. Without it, auditors have no basis for evaluating whether your document control is adequate or consistent.
A master list of all ISMS documents – policies, procedures, records – with their current version, owner, review date, and location. Enables auditors (and the organisation) to quickly identify what exists, confirm currency, and locate evidence. A common audit finding is discovering that document versions used in practice differ from those listed as current.
A schedule defining how long different categories of ISMS records are retained before disposal, and how disposal is carried out. Clause 7.5.3 explicitly requires the organisation to control retention and disposition. The schedule should align with legal and regulatory requirements (UK GDPR, sector-specific rules) and be applied consistently – not decided ad hoc.
What Auditors Look For in Clause 7
Clause 7 – What Auditors Look For
Five areas auditors examine to confirm the ISMS has the people, communication, and documentation it needs to function
Common Mistakes in Clause 7
In ten or so years of helping organisations through Clause 7, certain mistakes come up so often that I can almost predict them at the start of an engagement. Clause 7 is also where audit findings tend to cluster around documentation, which is unfortunate, because most of these mistakes are easy to avoid if you know what to look for.
Confusing competence with awareness. These are related but distinct. Competence (7.2) concerns whether someone has the skills to perform their role; awareness (7.3) concerns whether they understand the policy and their part in it. A competent IT manager might still fail an auditor’s awareness check if they can’t articulate what the Information Security Policy says. Both need separate evidence – a competency matrix and a training/awareness record – and auditors check both.
Generic e-learning that doesn’t reflect your business. I see this a lot – off-the-shelf phishing training that mentions banking scams to a SaaS company, or generic GDPR modules being passed off as ISO 27001 awareness. Auditors can usually tell within ten minutes of a staff interview whether the training was bespoke or boilerplate. Role-specific, business-specific awareness lands; generic e-learning rarely does.
Treating training as a one-off at certification. Awareness isn’t a single annual session you tick off and forget. It needs reinforcement throughout the year – reminders, refreshers, role-specific updates, and response to incidents. A staff member who completed training 11 months ago and hasn’t heard a security message since will struggle to convince an auditor that awareness is “embedded” in your culture.
Thinking documentation control is just version numbers. Document control (7.5) covers the entire lifecycle: creation, review, approval, distribution, and retirement. The most common audit finding I see is that documents have version numbers but no clear approval trail, distribution evidence, or retirement process. That’s a finding waiting to happen.
Letting old policy versions live alongside current ones. This is the single most common Clause 7.5 audit finding, in my experience. An old version 2.0 of the Information Security Policy is sitting on a shared drive next to the current version 3.0 – one staff member reads the old one, swears blind that’s the policy, and the auditor has both their inconsistent answers and physical proof of the breakdown. Tidy up your shared drives before the audit.
Forgetting external workers. Clause 7.3 applies to anyone working under your control who could affect information security, including contractors, agency staff, key suppliers, and sometimes consultants. I see this missed routinely – an awareness programme that covers all 25 employees but ignores the 6 contractors who have system access. The standard doesn’t distinguish; your awareness programme shouldn’t either.
Producing a competency matrix once and never updating it. A matrix from 18 months ago that lists three people who’ve left the company is worse than no matrix at all – it actively misrepresents your competence position. The matrix should be a living document, updated when people join, leave, or change roles, and reviewed at least annually as part of your management review. If it doesn’t reflect today’s reality, it’s a finding.
Case Study
During one audit I sat in on, the auditor asked the HR manager (whose department was in scope) if she knew what to do if she suspected a phishing email, and where to report issues.
The HR manager responded, “Yes, we were told in training to report it to IT via the help desk immediately. We also have a poster in the main area about suspicious emails.”
This showed good awareness (Clause 7.3 evidence right from an employee’s mouth).
The auditor then asked to see the records for the most recent security awareness training. The company pulled up their LMS (Learning Management System), which had a nice automated report showing approximately 95% of staff completed the training quiz.
Later, the same auditor examined the document control process and noticed that the Information Security Policy was version 3.0, but an older version, 2.0, was still accessible on a public drive. They flagged it as a minor issue under document control (Clause 7.5) because the outdated policy was not removed. Pretty easy to resolve, nothing tragic.
ISO 27001 Clause 7 FAQs
Do I need a separate document for each ISO 27001 Clause 7 requirement?
No, ISO 27001 doesn’t mandate a separate document for each subclause in Clause 7. What matters is that the activities are carried out and evidence is retained. For example, a single training log or competency matrix can cover both Clause 7.2 (Competence) and 7.3 (Awareness). Likewise, your communication plan might be documented in your ISMS manual or in an overarching procedure.
How detailed does the training need to be for Clause 7.3 (Awareness)?
It doesn’t need to be overly technical. The key is that staff understand the security policy, their responsibilities, and the potential consequences of non-compliance. This can be achieved through a simple onboarding session, an e-learning module, or a live briefing, supported by periodic refreshers. Just make sure you retain evidence of delivery and attendance.
What counts as ‘competence’ for ISO 27001 roles?
Competence can be demonstrated through education, training, and experience. ISO 27001 doesn’t require formal qualifications. Someone with years of relevant experience may be considered competent, provided the organisation has assessed and documented that assessment. Certificates, training records, and internal evaluations can all help demonstrate this.
What’s the difference between ‘awareness’ and ‘competence’ in ISO 27001?
‘Competence’ refers to whether a person has the skills and knowledge to perform their role effectively. ‘Awareness’ means they understand the context – like the organisation’s information security policy, their responsibilities, and the risks of poor security behaviour. Even a competent person may not be aware of their obligations unless the organisation makes it clear.
How do I prove to an auditor that communications are happening?
Auditors look for evidence that planned communications are being carried out. This could include:
– Emails showing the policy was shared
– Meeting minutes where ISMS topics were discussed
– Records of awareness training
– Copies of internal newsletters
A communication plan or matrix helps demonstrate that communications are structured, and supporting records show they’ve been delivered.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less – often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.