# Clause 7: Support
Clause seven does a lot of heavy lifting: it reflects on the functional, human-level work needed to support implementation and maintenance. The requirement to determine and provide resources for the ISMS’s implementation, maintenance and continual improvement is made here (7.1).
The general (non-exhaustive) resource categories you may see in this space are:
- People
- Infrastructure
- Finance
- Equipment
## Competence and Awareness (7.2 and 7.3)
Simply put, this section directs the reader to:
- Identify requirements for competence and meet them
- Identify requirements for awareness and meet them
In slightly longer words: the organisation needs to ensure that people who will be involved in the ISMS performance over time are ‘Competent’ (7.2a). This has to be measured on the basis of education, training or experience (7.2b), and if competence isn’t present, actions need to be taken to develop this competence or bring it in-house (7.2c). This needs to be documented (7.2d). Consider here the [[SKATE Model]] for exploring, documenting, and improving competence.
>💡 **Competence** is defined as the ability to apply knowledge and skills to achieve intended results.
> **Awareness** does not have a definition in ISO 27000.
While competence is relevant for those who affect the IS performance, all ‘persons’ doing work under the control of the organisation need to be aware of (7.3):
- The information security policy
- Their contribution to the effectiveness of the ISMS, including the benefits that come with improved IS performance
- The implications of not conforming with ISMS requirements.
>❓ **Question:** *Does everyone in the organisation need to be competent in relation to the ISMS?*
> **Answer:** NO! Competence in relation to the ISMS is *not* general security awareness. You need to be competent if your role will *affect* IS performance. If your role is *affected* by the ISMS, but does not affect the ISMS performance, then you only need to be aware.
## Communication (7.4)
> Needs for communication > Means for communication
There is a requirement to assess what needs there are for communication relating to the ISMS, in both internal and external cases (7.4). You should ask (7.4abcd):
- WHAT do we communicate?
- WHEN do we communicate?
- WHO do we communicate with?
- HOW do we communicate?
## Documented Information (7.5)
[[Documented Information]]
> Create standard documentation > Control, protect and track it.
The organisation’s ISMS needs to keep documentation on the sections required as minimum expectations by ISO 27001, and on those sections determined by the organisation as necessary for the effectiveness of the ISMS (7.5.1ab).
The fruit of this labour will inevitably vary greatly, dependent on things such as the size of the organisation, what activities they undertake, the complexity of their interactions and the competence of their employees (7.5.1b).
>💡 The list of the bare minimum required information to be documented (married to the relevant clauses) can be found [[Documented Information|here]].
### Creating and Updating, and Control of Documented Information (7.5.2 and 7.5.3)
When documentation is created, the organisation needs to make sure it has suitable identification and description, and that it is created in a proper format (7.5.2abc). This requirement affects both mandatory documented information and that determined by the organisation as necessary for the planning and operation of the ISMS (7.5.3).
Control of Documented Information is important to ensure that it’s protected in line with CIA objectives, and is available for use when needed (7.5.3ab). Organisations need to establish control of the documented information by considering (7.5.3cdef):
- Distribution, access (both as in awareness and as in control (7.5.3)), retrieval and use
- Storage and preservation
- Version control
- Retention and disposition
>❗ 7.5.3e provides a point of great interest when we collaborate across multiple instances of multiple versions of documents in the modern day. Version control is slippery and needs to be done right.