Introducing ISO 27001 Clause 7: Support
ISO 27001 Clause 7 deals with all the supportive processes and resources that an ISMS needs. It ensures that people are competent and aware, information is communicated properly, and documents are controlled.
Let’s go through each part below.
Clause 7.1 – Resources
This clause simply states that the organisation must determine and provide the resources needed to establish, implement, maintain, and continually improve the ISMS.
In essence, ensure you have enough resources. Resources can be human resources (people’s time and expertise), financial resources (budget for tools, training, and external help), and infrastructure (IT systems, etc.).
For SMEs, ISO 27001 Clause 7.1 often boils down to whether management allocated sufficient budget and staff time for security activities.
For example, did they provide a consultant, a new firewall, or staff training if you needed them?
By the time of the audit, an auditor might indirectly gauge this by seeing if tasks were completed or if a lack of resources is causing gaps.
To comply, there isn’t a specific document called “resources”, but you should have evidence that needed resources were considered and provided.
For instance, if your risk treatment plan required purchasing a new backup system and you did it, that’s evidence.
Or if you decide you need a part-time security officer and you assign someone to that role (with maybe a formal appointment letter), that shows resource commitment. Often, this clause is implicitly demonstrated by the outputs of Clause 5 (management commitment) and Clause 6 (if all planned tasks are resourced).
If you are very lean, plan creatively – e.g., maybe you can’t hire new staff, but allocate 20% of an existing IT staffer’s time to ISMS coordination.
Just be ready to explain how you’re resourcing the ISMS.
Clause 7.2 – Competence
Clause 7.2 requires that persons doing work under the organisation’s control that affects its information security performance be competent on the basis of education, training, or experience. It also requires the organisation to take actions to acquire the necessary competence where it is lacking, and to evaluate the effectiveness of those actions, where applicable.
In simpler terms:
- Identify what competencies (knowledge and skills) are needed for the ISMS roles.
- Ensure the people in those roles have them, or if not, provide training or support so they can become competent.
- Keep evidence of competence (e.g., training records, certifications, or documented experience).
For example, if you assign someone to do risk assessments, are they trained in risk assessment techniques or ISO 27001 requirements? If not, perhaps send them to an ISO 27001 lead implementer course or train them.
If you have an internal auditor, they should be trained in internal auditing (maybe an ISO 27001 internal auditor course certificate). Even general staff need some level of competence in security basics (which overlaps with awareness, 7.3).
Expected outputs: A common practice is maintaining a training and competency matrix. This might list key ISMS roles (like ISMS Manager, Risk Assessor, Internal Auditor, IT Admin, etc.) along with required competencies (knowledge of ISO 27001, technical skill X, etc.) and notes on how those competencies are met (years of experience, completed training courses, etc.).
At minimum, keep records of any training done. ISO 27001 actually mandates retaining “appropriate documented information as evidence of competence” – so certificates of training, records of on-the-job training, professional certifications, or even documented performance reviews can serve as evidence.
Auditors might ask to see certain people’s qualifications.
For example, “Who conducts your internal audit? Oh, Nikesh does—what’s his background? Has he been trained for this?”
If you show that Nikesh took an ISO 27001 internal auditor course (and have a certificate), that will tick the box. If someone learned via self-study, maybe you have an internal record “Nikesh self-studied ISO 27001 auditing and shadowed an external auditor for one audit” – something to demonstrate competence. Relevant certifications or degrees can help (though not mandated) for technical roles.
Essentially, prove that the people running the ISMS know what they’re doing.
SMEs might worry about this if they don’t have formally certified staff. Don’t fret – experience counts too. You can document that, e.g., “Bob has 5 years of IT management experience, which covers many security aspects” as part of competence. The key is you have assessed it and are satisfied they’re competent.
Clause 7.3 – Awareness
Even if people are competent, they must also be aware of the ISMS and their role in it. Clause 7.3 says that persons doing work should be aware of the information security policy, their contributions to the ISMS (including benefits of improved security performance), and the implications of not conforming with ISMS requirements.
In practice, ISO 27001 Clause 7.3 is achieved by security awareness training and communications. Every employee (and relevant contractor) within the ISMS scope should receive awareness education. Typically:
- When the ISMS is rolled out, conduct an awareness session or training module covering ISO 27001, why it’s important, the policy, key do’s and don’ts, and how to report incidents.
- Ongoing, have at least annual refresher training or frequent security tips communications.
- Ensure new hires get an introduction to info security (maybe as part of onboarding).
Specifically, employees should know: “We have an info security policy and it says X” (at least broadly), “I have a part to play (e.g., creating strong passwords, reporting suspicious emails, following clean desk, etc.)”, and “if I don’t, it could harm the company or I could face disciplinary action or we could lose business,” etc. They don’t need to quote the standard, but they should understand the importance of security.
Output/Evidence: Training materials (slides, videos, etc.), training attendance logs or completion records (like quiz results if you have e-learning), emails sent with the policy attached, etc., all serve as evidence. Clause 7.3 isn’t about a document to create; it’s about activities to do, but you must retain records that it was done. For ISO, a security awareness training record (date, topics, who attended) is typically kept. Also, posters or intranet pages can supplement awareness, though the auditor is unlikely to consider a poster alone sufficient.
Auditors might randomly ask employees: “Do you know about the information security policy or any security training you received?” If employees consistently say “No, I’ve never heard of it,” that’s an issue. Ideally, employees say “Yes, we had a training last month” or “Yes, our boss talked about it.”
An auditor may also check training records to ensure coverage (e.g., did you include all staff, did any employee miss it?).
Clause 7.4 – Communication
Clause 7.4 requires the organisation to determine the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, who will communicate, and the processes by which it’s communicated. This is a communication plan for information security topics.
Key communications can include:
Internal
Security policies and updates to employees, incident reporting procedures (employees need to know how to report incidents internally), perhaps the results of security initiatives, reminders of security practices, communications between the ISMS manager and top management (reports, etc.), and communication within the ISMS team (like the frequency of ISMS meetings).
External
What do you communicate to outside parties about your ISMS or security? This might involve letting customers know you have certification (marketing communications), sharing certain policy info with partners, or mandatory breach reporting to authorities if an incident occurs (a kind of ISMS-relevant communication). Also, if a client asks for info like your SoA or a summary of controls, do you have a process for that?
For ISO 27001, a simple way to address 7.4 is to create a communication matrix or plan.
For example:
| What | To Whom | When | By Whom | How |
|---|---|---|---|---|
| Information Security Policy | All employees | On hire and annually | ISMS Manager / HR | Via email and intranet |
| ISMS Progress Report | Top Management | Quarterly | ISMS Manager | Management report / meeting |
| Security Incident Notification | Customers / Regulators | When trigger criteria met | Responsible person to be defined | Method dependent on trigger (e.g., email, call) |
| Certificate Achievement | Customers (external) | After certification | Sales / Marketing | Email newsletter or website update |
This ensures you haven’t missed telling someone something critical.
The plan can be small for SMEs and might be documented within the ISMS manual or procedure.
Auditors will look for evidence that important communications are happening as planned. For instance, if you said you’ll communicate policies annually, they might ask, “When was the last time the policy was communicated, and how?” Then you show the email that was sent.
Clause 7.5 – Documented Information
Clause 7.5 is about documentation – both documents and records. ISO 27001, like all management system standards, expects good document control practices. There are three subclauses:
7.5.1 General
It says your ISMS will include documented information required by the standard (i.e., all mandatory documents and records we’ve been discussing) and any others the organisation deems necessary for effectiveness. This just means having all the documents ISO explicitly requires (like the policy, scope, SoA, etc.) and whatever else you need (maybe procedures, guidelines—it’s up to you).
7.5.2 Creating and Updating
This part requires that when you create or update documents, you ensure appropriate identification (e.g., a title, date, author, version number), a suitable format (hardcopy or electronic, just consistent), and review and approval for suitability and adequacy. Essentially, it is document version control. For example, your policy should have a version number, a date, and an approver’s signature. When it’s updated, you increment the version and re-sign, etc.
7.5.3 Control of Documented Information
This requires that documented info is controlled to ensure it is available where needed, protected (from loss, improper change, and unauthorised access), and that activities like distribution, access, retrieval, and storage are managed.
Also, retention and disposition (how long you keep records and how you dispose of them) are defined. In practice, you should:
- Store documents in a known location (e.g., a SharePoint or Google Drive folder for ISMS docs or a physical binder if old-school).
- Have access control if needed (e.g., only authorised people can edit certain documents).
- Ensure people can find the documents (so share them appropriately).
- Prevent unintended alterations (maybe PDF the approved policies for general access, keep edit rights limited).
- Define retention: e.g., “Keep audit records for at least 3 years” or “retain former versions of documents for X years.”
- Control records as well: ensure you keep records like logs, training records, etc., organised and safe from loss (backups, etc.).
Many companies implement this via a Document Control Procedure (or Information Management Procedure).
It’s not explicitly mandated to have a procedure document, but it’s common and useful.
This procedure might assign a doc control owner, how to label documents (with doc IDs or versions), where to store them, and retention rules.
Outputs: Under 7.5, the main “output” is the collection of controlled documents and records. By the audit, you should have:
- All your ISMS documents versioned and approved.
- A document register or list (nice-to-have: a list of ISMS documents and their current versions).
- All required records maintained (training logs, monitoring logs, audit reports, etc.).
- Possibly a Document Control Policy/Procedure (to show how you manage docs).
Documentation and Outputs for ISO 27001 Clause 7
Competence & Training Records (7.2)
Keep a file of certificates or training records for all personnel with ISMS roles.
Also, maintain a skills matrix or notes showing your evaluated competence needs.
Mandatory record: Evidence of competence must be retained (e.g., training certificates, resumes, etc.).
Awareness Materials (7.3)
The information security awareness training presentation, pamphlets, or LMS module used, and logs of attendance/completion.
Also, any security-related emails or newsletters can be kept as evidence of ongoing awareness efforts.
Communication Plan (7.4)
A documented communication plan or matrix, as mentioned. And records that those communications occurred (e.g., copy of an internal memo, or example of an external communication like a customer security summary).
ISMS Documents (7.5)
This includes all policies, procedures, plans, SoA, risk assessments, etc. Make sure each document has:
- A title, version number, date, and author or approver.
- Revision history (optional but common to show changes over time).
- Classification if applicable (some label documents as “Internal” etc., though not required by ISO).
- Consistency in format (e.g., your documents look like part of one system).
Document Control Procedure (7.5)
If you have one, that document itself should follow the rules (e.g., it’s version controlled and approved). It would outline how you manage documents and records.
Master List of Documents
It’s useful to have a spreadsheet that lists all ISMS documents, current version, owner, etc.
This isn’t required, but auditors love it because it quickly shows you’re organised. It also helps you ensure you didn’t forget to update something.
Record Retention Policy
Could be part of document control procedure or separate, stating how long you keep records like logs, audit reports, etc.
For example, “Keep audit reports for 3 years, training records for 2 years, access logs for 1 year” depending on business/regulatory needs.
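As an added example (not from the original article), here is a small Python check an SME could run against its master list of documents, a scan of its shared drive, and its record store to catch the problems the 7.5.3 controls and a record retention policy are meant to prevent: a superseded version still accessible (the situation in the case study), a document missing its approver or approval date, a copy that isn’t on the master list, years inside the retention window with no record, and records past their retention period. The register, file paths, record types and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): the master list of
# controlled ISMS documents, mapping title to the approved current version.
REGISTER = {
    "Information Security Policy": "3.0",
    "Incident Response Procedure": "1.3",
}

# Constructed sample of what a scan of the shared drive turned up:
# (path, title, version, approver, approval date); None = metadata missing.
FOUND = [
    ("isms/policies/InfoSec-Policy-v3.0.pdf", "Information Security Policy",
     "3.0", "CISO", date(2025, 3, 10)),
    ("public/old/InfoSec-Policy-v2.0.pdf", "Information Security Policy",
     "2.0", "CISO", date(2024, 2, 1)),
    ("isms/procedures/IR-Procedure.docx", "Incident Response Procedure",
     "1.3", None, None),
    ("isms/guidelines/Clean-Desk.pdf", "Clean Desk Guideline",
     "1.0", "ISMS Manager", date(2024, 11, 5)),
]

# Retention rule from a (constructed) record retention policy, years per type.
RETENTION_YEARS = {"audit report": 3, "training record": 2, "access log": 1}

# Constructed sample records: (record type, date of the record).
RECORDS = [
    ("audit report", date(2021, 6, 1)),
    ("audit report", date(2023, 5, 1)),
    ("audit report", date(2024, 5, 1)),
    ("training record", date(2024, 9, 15)),
    ("access log", date(2023, 1, 1)),
]

# Constructed reference date for the checks (the day of the spot-check).
AUDIT_DATE = date(2025, 6, 1)

def check_documents(register, found):
    """Flag copies outside the master list, superseded versions still
    accessible, and documents lacking the approver/date that 7.5.2 expects."""
    findings = []
    for path, title, version, approver, approved_on in found:
        current = register.get(title)
        if current is None:
            findings.append(f"{path}: '{title}' is not in the master list")
        elif version != current:
            findings.append(f"{path}: superseded version {version} still "
                            f"accessible (current is {current})")
        if approver is None or approved_on is None:
            findings.append(f"{path}: missing approver or approval date")
    return findings

def retention_gaps(records, retention_years, today):
    """Per record type, the full calendar years inside the retention window
    for which no record exists (what an auditor's spot-check would expose)."""
    gaps = {}
    for rtype, years in retention_years.items():
        have = {d.year for t, d in records if t == rtype}
        missing = [y for y in range(today.year - years, today.year) if y not in have]
        if missing:
            gaps[rtype] = missing
    return gaps

def disposal_candidates(records, retention_years, today):
    """Records older than their retention period: the disposition side of 7.5.3.
    (today.replace() assumes today is not 29 February.)"""
    cutoffs = {t: today.replace(year=today.year - n) for t, n in retention_years.items()}
    return [(t, d) for t, d in records if d < cutoffs[t]]
```

Run against the sample data, it reports the old v2.0 policy on the public drive, the procedure without an approver, the unregistered guideline, one missing year for each record type, and two records that can be disposed of.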
What Auditors Look For in Clause 7
Auditors will verify that your ISMS is well-supported by people and information. Specifically:
Evidence of Training & Competence
They may ask for proof of competence for certain roles, e.g., show the certificate of the internal auditor’s training or explain the background of your ISMS manager.
If someone is notably underqualified, they might write a finding like “No evidence of ISMS-specific training for the individual responsible for risk management.”
So anticipate that and fill in the gaps beforehand.
Employee Awareness
Auditors often interview a handful of staff (especially in the stage 2 audit).
They might ask questions like:
“Can you tell me some of the information security policies or procedures you have to follow?”
or “What would you do if you noticed a security incident?”
or “Have you received any training in information security?”
The answers will indicate their awareness.
You want your employees to at least recall that they had training and know basic responsibilities (like reporting incidents, not sharing passwords, etc.).
If employees shrug and say “I have no idea,” then your awareness program is questionable. So, ensure your training messages stick – maybe do a quick quiz or follow-up with employees after training to reinforce key points.
Communication Effectiveness
The auditor might ask the ISMS team or management: “How do you communicate information security matters internally?”
They may want an example of communication to top management (like, did the ISMS manager send a monthly report?) or to all staff (like policy distribution or a security newsletter).
Externally, if applicable, they might ask how you’d communicate a breach to customers (which might also tie into regulatory requirements).
If you have the communication plan doc, they’ll read it and possibly pick one item to verify (e.g., “Your plan says you inform new hires of the ISMS during induction – can I see the induction checklist or materials?”).
Control of Documents
Auditors will examine a sample of your documents to ensure version control. For instance, they pick your incident response procedure and see “Version 1.3, approved by CISO on 10-Mar-2025” in the footer.
If they find another copy of that procedure floating around with different or uncontrolled content, that’s a problem.
They may ask, “How do employees access the latest policies?” If your answer is “We email them PDFs,” they might follow up, “How do you ensure they see updates? Do you store these on a central repository?” Ideally, you have a centralised repository (SharePoint, Google Drive, etc.) where the current versions live. If using printed manuals, you need a distribution list to ensure old versions are swapped out.
Retention of Records
The auditor might spot-check a record. For example, “Show me last year’s security incident log.”
If your policy says you retain incidents for 3 years, do you have last year’s? If not, that’s a nonconformity. They may also check if confidential records are protected.
Say you have meeting minutes with sensitive information—are they access-controlled? This relates to protecting documented information.
Document Control Procedure
If you have one, they will likely audit against it.
If your procedure says “All policies will be reviewed annually,” they might ask “Have you reviewed them in the last year? Show me evidence or new version dates.”
If your procedure says “We watermark uncontrolled copies,” they might check if you actually do. So make sure your actual practice aligns with your procedure.
Overall Organisation
A well-organised set of ISMS documents gives a great impression. Auditors often comment (informally) if documentation is clear or messy. If they struggle to find things or find conflicting info between documents, it creates doubt.
So consistency (no contradictions between policy and procedure) is considered. They might ask, “Which document outlines how you do X?” to see if you know your system well and can retrieve info quickly.
Case Study
During one audit I sat in, the auditor asked the HR manager (whose department was in scope) if she knew what to do if she suspected a phishing email.
The HR manager responded, “Yes, we were told in training to report it to IT via the help desk immediately. We also have a poster in the main seating area about suspicious emails.”
This showed good awareness (Clause 7.3 evidence right from an employee’s mouth).
The auditor then asked to see records of the last security awareness training. The company pulled up their LMS (Learning Management System) report showing 95% of staff completed the training quiz.
Later, the auditor examined the document control process: they noticed the Information Security Policy was version 3.0 but an older version 2.0 was still accessible on a public drive. They flagged that as a minor issue with document control (Clause 7.5) since an outdated policy was not removed. Pretty easy to resolve.
ISO 27001 Clause 7 FAQs
Do I need a separate document for each ISO 27001 Clause 7 requirement?
No, ISO 27001 doesn’t mandate a separate document for each subclause in Clause 7. What matters is that the activities are carried out and evidence is retained. For example, a single training log or competency matrix can cover both Clause 7.2 (Competence) and 7.3 (Awareness). Likewise, your communication plan might live within your ISMS manual or an overarching procedure.
How detailed does the training need to be for Clause 7.3 (Awareness)?
It doesn’t need to be overly technical. The key is that staff understand the security policy, their responsibilities, and the potential consequences of non-compliance. This can be achieved through a simple onboarding session, e-learning module, or a live briefing, supported by periodic refreshers. Just make sure you retain evidence of delivery and attendance.
What counts as ‘competence’ for ISO 27001 roles?
Competence can be demonstrated through education, training, and experience. ISO 27001 doesn’t require formal qualifications. Someone with years of relevant experience may be considered competent, provided the organisation has assessed and documented that assessment. Certificates, training records, and internal evaluations can all help demonstrate this.
What’s the difference between ‘awareness’ and ‘competence’ in ISO 27001?
‘Competence’ refers to whether a person has the skills and knowledge to perform their role effectively. ‘Awareness’ means they understand the context – like the organisation’s information security policy, their responsibilities, and the risks of poor security behaviour. Even a competent person may not be aware of their obligations unless the organisation makes it clear.
How do I prove to an auditor that communications are happening?
Auditors look for evidence that planned communications are taking place. This could include:
- Emails showing the policy was shared
- Meeting minutes where ISMS topics were discussed
- Records of awareness training
- Copies of internal newsletters
A communication plan or matrix helps demonstrate that communications are structured, and supporting records show they’ve been delivered.
Further Reading
Get the ISO 27001 Standard