Moving on to module five.
Module five will be covering Clause seven, which pertains to support for your ISMS.
Resources required for maintaining an ISMS.
We will cover the resources required for an ISMS implementation
or maintenance, as well as becoming certified,
as well as what is the required documentation.
Now the standard doesn't say much about resources.
In essence, the standard says two lines to be specific and they are as follows.
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
So why are resources important,
what resources are actually required and what should be documented? These are questions we will answer here.
The why is pretty simple:
without resources, having a properly functioning and continually improving ISMS would be quite challenging.
Your level of resources needs to match your information security risk posture,
the size and nature of your organization,
as well as the goals of the ISMS.
If you want to have your ISMS certified against ISO 27001,
you're going to require additional budgetary resources to pay for the certification audits,
of which there are two.
You could do three if you want to be extra prepared,
but we'll get into that later on in the course when we cover the audit process in a bit more detail.
So, of course, you need information security resources,
both to run your information security components and controls,
as well as a dedicated resource to oversee your ISO 27001 implementation and remaining compliant efforts.
You need to determine where your existing resources need to take on additional responsibilities.
For example, your HR team, your operational team, your finance team, your IT team.
They would all have an additional role to play with the implementation of an ISMS,
and managing that change
culturally and getting them to be open and accepting of the change is the trick.
You will also require monetary resources
for the implementation of an ISMS,
as we mentioned, the external certification audits.
This happens as a once-off certification audit split into two stages,
as well as subsequent
surveillance audits
and recertification audits.
There are also internal audits to consider.
Another consideration is your investment of time resources,
especially the time from top management.
We all know how difficult it is to get time with top management for anything.
And an ISMS generally requires quite a bit of time from them
just to be on top of things, making sure they understand what's going on, sending out the communication as and when required.
So what evidence or documentation should one maintain
when it comes to an audit? And if it is your goal to have your ISMS certified against ISO 27001,
I would recommend having some sort of documentation
or proof to show an auditor of the resources that have been set aside for the ISMS.
The Standard does not specify anything
specific per se pertaining to documented information,
merely that the necessary resources to appropriately support and manage the ISMS exist.
So what could this include?
This can include job roles and descriptions for your dedicated ISMS personnel,
your information security team structure and headcount of resources,
minutes, attendance registers and agendas of ISMS-related meetings that involved top management specifically,
as well as any budgets or purchases that have been made for the ISMS.
Your documentation here can also include resources that have been discussed in previous clauses,
such as the breakdown of roles and responsibilities pertaining to the ISMS.
Keep it simple and straightforward, but also include enough information to show that you have put sufficient thought and effort behind mobilizing the required teams to support the ISMS.
Naturally, one of the focus points will be the information security resources that you have within your organization
and how these resources support your ISMS.
Other resources, such as the budget that top management have approved for the ISMS, are great to show,
as mentioned earlier.
This demonstrates both top management commitment as well as concrete funding for the ISMS and its continual improvement.
Meeting minutes that involved top management, while also being useful for other clauses, could, in this instance, show the time investment made by top management into the ISMS.
Time of top management is rare to come by, as their attention is generally wanted in multiple avenues across the organization,
so showing that their time has been invested into the project
demonstrates another angle of resources committed to the ISMS.
Any additional resources that have been used to secure or bolster the information security posture of the organization
can also come in handy here.
External consultants, projects specific for information security,
independent penetration tests,
internal audits of the ISMS and so forth are all examples of this.
These probably won't be asked for in your certification audit, but depending on the auditor, it's always handy to have more information available than not.
We covered the types of resources that are required to support your ISMS,
as well as the documentation that is required by the standard.