Resources
Plain English Translation
Clause 7.1 requires the organization to determine and provide the support needed to make the information security management system (ISMS) work effectively. This goes beyond the financial budget; it includes allocating sufficient time for employees to perform security tasks, providing the right technology and infrastructure, and hiring competent personnel. Essentially, leadership must back its security commitments with the actual assets required to establish, maintain, and improve the system.
Technical Implementation
Required Actions (startup)
- Assign a dedicated Security Lead (part-time role)
- Allocate budget for essential compliance automation tools
- Secure funding for the Stage 1 and Stage 2 certification audit
Required Actions (scaleup)
- Hire a full-time GRC manager or Security Engineer
- Implement paid training platforms for staff awareness
- Budget for annual penetration testing and external consultancy
Required Actions (enterprise)
- Establish a dedicated security department with specialized roles
- Deploy enterprise-grade SIEM and automated governance platforms
- Allocate resources for continuous internal auditing and improvement programs
Clause 7.1 is the requirement for the organization to identify and supply the assets (people, money, time, technology) needed to set up, run, and improve the ISMS.
Resources typically include financial budget, personnel (time and skills), information infrastructure (hardware/software), and specialized knowledge (consultants or training).
Resource needs are determined by the scope of the ISMS, the complexity of the environment, the results of the risk assessment, and the extent of controls selected in the Statement of Applicability.
Clause 7.1 focuses on providing the capacity (enough people/budget/tools), while Clause 7.2 focuses on the competence (skills/training/experience) of the people provided.
Clause 7.1 requires the human resources (staff time), financial resources (budget for tools/audits), and infrastructure (servers, software, facilities) necessary to achieve security objectives.
Auditors look for budgets, organizational charts, job descriptions, evidence of tool procurement, and management review minutes where resource needs were discussed and approved. Tools like WatchDog Security's Compliance Center can centralize these artifacts and show a clear link between resource approvals, control ownership, and ongoing evidence collection.
Resource planning often fails when security spend and staffing are not tied to specific risks, controls, and audit deliverables, which makes it hard to defend budgets and avoid a last-minute scramble before audits. A GRC platform helps by mapping required resources to the ISMS scope, selected controls, and open gaps, then tracking progress and evidence in one place. For example, WatchDog Security's Compliance Center can highlight control gaps that require tooling or effort, associate owners and due dates, and show audit-ready evidence that resources were approved and used.
Even with budget and tools, ISMS activities slip when time is not explicitly allocated, measured, and followed up—tasks like policy reviews, evidence collection, and internal audits become 'whenever we get to it.' The practical fix is to assign owners, define recurring responsibilities, and track completion so workload is visible and sustainable. For example, WatchDog Security's Compliance Center can assign control owners, schedule recurring evidence tasks, and provide dashboards that show whether ISMS duties are being completed within the time allocated.
The main focus of Clause 7 (Support) is ensuring the organization provides everything necessary—resources, competence, awareness, communication, and documentation—to back up the ISMS.
Budget is allocated during the planning phase based on the cost of controls (e.g., buying a firewall), the cost of audits, training expenses, and the cost of personnel time, often reviewed during the Management Review.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |