The organization must identify and provide the resources needed to establish, implement, maintain and continuously improve the information security management system (ISMS).

Management has already defined its information security objectives (Clause 6.2), and must then provide the resources the security team needs to achieve them.
It’s a reality check, because if management has unrealistic objectives and too few resources, it will be impossible to achieve them.
The allocation of resources must be measured and done with the objectives in mind. What do we need to achieve these objectives in terms of budget, human resources, technology or even space?
Here are some examples of things to consider when planning ISMS resources.
Budget
Here is a non-exhaustive list of items that an organization should include in a dedicated security program (ISMS) budget:
- Security technology and tools: firewalls, intrusion detection and prevention systems, antivirus software, encryption tools, data backup and recovery solutions and any other security tools that may be required.
- Qualified security personnel: salaries and benefits for employees dedicated to information security, such as security analysts, information security managers, etc.
- Security training and awareness: It is essential to budget for information security training for all staff, and for awareness-raising efforts to ensure that all employees understand their information security responsibilities.
- Consulting and external services: consultants to help set up or audit the ISMS, consultants with skills that the security team does not possess, or the use of managed services for certain security functions.
- Certifications and compliance: There will be costs associated with obtaining and maintaining certifications.
- Maintenance and updates: Security systems and tools will require regular maintenance and updating.
- Business continuity planning and disaster recovery: The cost of implementing and maintaining these plans should also be included in the budget.
- Security tests and audits: Costs associated with regular security tests, vulnerability assessments and security audits.
Human resources
In any project, we talk about the amount of work one person can accomplish per day. The people who carry out the work of implementing and maintaining the organization's security program need time to do it.
Depending on the organization, this may call for an "internal" project to estimate the time needed to complete each task.
Several factors should be taken into account:
- Necessary skills: You need to identify the specific skills required to manage, implement and maintain your information security management system (ISMS). This may include, among other things, skills in cybersecurity, risk management, regulatory compliance, internal audit, and project management.
- Roles and responsibilities: Clearly defining the roles and responsibilities of each team member with regard to information security is crucial to the smooth running of the ISMS.
- Training and awareness: Make sure your staff are properly trained and made aware of information security. This can include training on company security policies and procedures, awareness of common threats, and training on information security best practices.
- External resources: In some cases, you may need to call on external consultants or experts to help you set up or manage your ISMS. Plan these needs in terms of time, cost and availability.
- Personnel management: Recruitment, hiring, training, retention and dismissal processes must be managed in such a way as to minimize risks to information security.
- Business continuity planning: Make sure you have enough staff to maintain information security during an emergency or while a business continuity plan is in effect.
- Security culture: Developing a strong security culture among staff is a crucial element of information security management.
Technologies
To break down the costs defined above, here are some specific technological aspects to consider when managing resources:
- Security infrastructure: This includes firewalls, intrusion detection and prevention systems (IDS/IPS), unified threat management (UTM) systems, antivirus and antimalware software, and web content filtering systems.
- Cryptography: Acquire and maintain encryption tools to protect sensitive information, both in storage and during data transmission.
- Access management: Technology to manage user access to information systems, such as identity and access management systems, is essential.
- Backup and recovery: Solutions for regular data backup and recovery in the event of loss or corruption are important.
- Audit and compliance tools: These tools enable you to monitor and report on information security activities, in order to demonstrate compliance with various regulatory and standards requirements.
- Cloud technologies: If you’re using cloud services, you need to plan how you’re going to secure these environments.
- Mobile device and BYOD security: If your organization allows the use of personal devices for work (BYOD), or uses mobile devices, you’ll need to plan how to secure these devices.
- Application security: Tools to ensure application security, such as vulnerability scans and testing tools, are required.
- Business continuity and disaster recovery planning: Technology for business continuity and disaster recovery is crucial.
- Security training and awareness: E-learning tools can be useful for training employees in information security.
Physical space
- Physical security of facilities: Buildings and workspaces must be secured to prevent unauthorized access, damage and interference. This can include measures such as access control systems, security cameras, alarms, security lighting and physical barriers.
- Server room and data center security: These areas require additional security measures, such as biometric access control systems, constant video surveillance, fire detection and appropriate cooling systems.
- Workstation security: Workstations must be organized in such a way as to minimize the risk of information being stolen or compromised. This can include measures such as using cable locks for laptops, restricting the display of sensitive information on screens, and implementing policies to lock workstations when the user is not present.
- Storage space security: Storage spaces for sensitive documents or physical storage media need to be secure. This may include the use of safes, lockable cabinets, or secure rooms.
- Evacuation and safety plans: Clear evacuation and safety plans must be in place and communicated to all staff. Safety equipment such as fire extinguishers and first-aid kits must be easily accessible.
Success criteria
To determine whether we have complied with Clause 7.1 of ISO 27001, here are a few questions an auditor might ask:
- How did you determine what resources were needed to implement, maintain and continuously improve your ISMS?
- How do you allocate these resources across your organization?
- Can you provide examples of how these resources have been used to support the ISMS?
- How do you ensure that you have enough staff with the right skills to manage your ISMS?
- Do you have a training plan for your staff?
- What is your budget for the ISMS? How is this budget determined and managed?