Module 4: Resource Gathering

Resource Planning


Resource Planning (Clause 7.1)

Clause 7.1 requires you to determine and provide the resources needed for establishing, implementing, maintaining, and continually improving your ISMS. Without proper resources, even the best security strategy will fail.

Understanding Clause 7.1

ISO 27001:2022 Clause 7.1 states: "The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system."

This short clause has enormous implications—it's where security dreams meet budgetary reality.

Types of Resources Needed

1. Human Resources

Internal Personnel:

  • ISMS Manager/Information Security Officer
  • Security team members
  • IT security specialists
  • Compliance officers
  • Internal auditors
  • Process owners across departments

Time Allocation: Consider how much time each role needs:

  • Full-time dedicated roles vs. part-time responsibilities
  • Time for training and awareness
  • Time for audits and reviews
  • Time for incident response

2. Financial Resources

Budget Categories:

  • Personnel costs (salaries, training)
  • Technology and tools (security software, hardware)
  • Consulting and external support
  • Certification costs (auditor fees, surveillance audits)
  • Documentation and infrastructure
  • Ongoing maintenance and improvements

Typical Budget Breakdown:

  • Small organization (50 employees): $50,000-$150,000 initial, $30,000-$60,000 annual
  • Medium organization (500 employees): $150,000-$300,000 initial, $80,000-$150,000 annual
  • Large organization (5000+ employees): $300,000+ initial, $200,000+ annual

3. Technological Resources

Infrastructure:

  • Security tools (firewalls, antivirus, DLP, SIEM)
  • Access control systems
  • Monitoring and logging systems
  • Backup and recovery systems
  • Encryption tools
  • Vulnerability scanning tools

Documentation Systems:

  • Document management system
  • Policy management platform
  • Risk register tools
  • Incident tracking system
  • Training management system

4. Knowledge Resources

External Expertise:

  • ISO 27001 consultants
  • Technical security specialists
  • Legal and compliance advisors
  • Certification auditors

Information Sources:

  • ISO standards documentation
  • Security frameworks and guidelines
  • Threat intelligence feeds
  • Industry best practices
  • Training materials

Building Your Resource Plan

Step 1: Assess Current State

Inventory what you already have:

  • Existing security staff and their skills
  • Current security tools and systems
  • Available budget
  • Existing processes and documentation

Step 2: Identify Gaps

Compare your current state against:

  • ISO 27001 requirements
  • Your risk assessment outcomes
  • Applicable Annex A controls
  • Industry benchmarks

Step 3: Prioritize Needs

Categorize resources as:

  • Critical - Required for compliance, addressing high risks
  • Important - Needed for effective implementation
  • Nice-to-have - Enhance security posture but not immediately essential

Step 4: Create Implementation Timeline

Phase your resource acquisition:

  • Phase 1 (Months 1-3): Critical foundation resources
  • Phase 2 (Months 4-6): Core implementation resources
  • Phase 3 (Months 7-12): Enhancement and optimization resources

Common Resource Planning Mistakes

  1. Underestimating Time Requirements

    • ISMS implementation requires significant time investment
    • Don't assume people can "do it in their spare time"

  2. Focusing Only on Technology

    • Technology alone won't achieve compliance
    • People, processes, and documentation are equally critical

  3. Insufficient Ongoing Budget

    • Certification isn't one-and-done
    • Budget for surveillance audits, training, and tool renewals

  4. Lack of Executive Support

    • Without top management backing, resources won't materialize
    • Present clear ROI and risk reduction arguments

  5. No Contingency Planning

    • Things cost more and take longer than expected
    • Build in a 20% buffer for both resources and timeline

Making the Business Case

When requesting resources, frame your proposal around:

Risk Reduction:

  • Cost of potential breaches vs. cost of prevention
  • Regulatory fines avoided
  • Reputation protection value

Business Enablement:

  • Access to new markets requiring certification
  • Competitive advantage in tenders
  • Customer confidence and retention

Operational Efficiency:

  • Streamlined security processes
  • Reduced incident response time
  • Better asset management

Resource Documentation

Maintain a Resource Plan document that includes:

  • Current resource inventory
  • Identified gaps and needs
  • Budget requirements and justification
  • Timeline for resource acquisition
  • Responsible parties
  • Review and update schedule

Next Lesson: Learn about competence and training requirements to ensure your team has the skills needed to support the ISMS.
