What Clause 7.1 Requires
Clause 7.1 is a single sentence with two verbs that matter. The organization must determine the resources its ISMS needs, and must provide them — and the obligation spans the full lifecycle: establishing the system, implementing it, maintaining it, and continually improving it. There is no enumerated list of resource types and no mandatory documented information.
In practice "resources" reads broadly: people and their time, budget, tools and technology, infrastructure, and external expertise where internal capability is missing. Both verbs are auditable. "Determine" means somebody actually worked out what the ISMS consumes — not assumed it would be absorbed into existing jobs. "Provide" means the allocation really happened: the hours exist in someone's capacity, the tooling is licensed, the training is funded. The clause is the operational echo of clause 5.1, where top management commits to ensuring the ISMS gets what it needs.
Why This Clause Exists
To make resourcing an auditable obligation rather than a hope — an ISMS without funded people, time, and tooling is a paper system, however good its documents look.
What This Really Means
"Put your money where your policy is" — that is clause 7.1 in one line. Leadership signed an information security policy (clause 5.2) and approved objectives (clause 6.2); this clause asks whether anything real was allocated to deliver them. It is among the shortest requirements in the standard and carries some of the sharpest interview questions.
Think in four buckets. People: named individuals with actual capacity, not an "ISMS manager" title bolted onto a full-time job with five percent of nobody's week behind it. Budget: tooling licenses, training, certification body fees, external support. Tools: the categories the ISMS leans on — a vulnerability scanner, a SIEM or log platform, MDM, identity and access tooling, a GRC tracker or its spreadsheet equivalent. Time: management review attendance, internal audit windows, awareness sessions, and the evidence preparation that precedes every external audit.
The determination should be derived, not guessed. The risk treatment plan, the objectives, the internal audit program, and the surveillance audit calendar collectively define what the ISMS will consume next year. Price that, present it to leadership, and record what was decided — including what was consciously deferred. A deliberate, documented decision to defer with eyes open is defensible; silent under-allocation is not.
Here is the part practitioners miss: auditors rarely assess 7.1 from a budget document. They infer it from symptoms scattered across the audit — corrective actions that age past their due dates, internal audits that slip quarters, a risk register last touched before the previous surveillance visit, one person answering every interview question. By the time a 7.1 conversation happens, the evidence has usually already accumulated elsewhere.
Why It Matters
Under-resourcing is the root cause behind the most common recurring nonconformities — overdue actions, stale registers, missed internal audits. Auditors are trained to connect those dots, and certification bodies increasingly write the connection down: the individual findings cite other clauses, while the root-cause narrative cites 7.1.
The certification stake escalates with persistence. At Stage 1, being unable to say who runs the ISMS and with what capacity signals unreadiness. At Stage 2 and surveillance, a pattern of missed ISMS activities can shift findings from the activity clauses to clause 7.1 — and a pattern that leadership has watched without acting reaches clause 5.1, where major nonconformities live.
What chronic under-resourcing produces:
- A paper ISMS – policies and registers exist, but nobody operates the controls or maintains the records between audits
- The overdue-actions fingerprint – corrective actions and audit findings aging past their due dates is the first under-resourcing signal every auditor reads
- Key-person fragility – a one-person ISMS stops the day that person resigns, and auditors increasingly probe succession and coverage directly
- Escalation to leadership findings – resource gaps that persist across audit cycles get written against top management commitment, not just against 7.1
Regional Compliance Context
For organizations with India-connected systems, two CERT-In directions are concrete resource line items rather than abstract obligations: reporting qualifying incidents within six hours requires on-call coverage that can detect, classify, and file inside that window, and the 180-day log retention requirement carries real storage and pipeline costs. India's DPDP Act adds a planning horizon — full compliance obligations land on 13 May 2027 — so privacy-program resourcing belongs in this budget cycle and the next, not in a future one.
Documented Information Required
ISMS budget or resource plan
Recommended: Annual line items for the ISMS — people allocations, tooling, training, certification and audit fees, external support. A finance budget extract works; it does not need to be a standalone document.
Role allocations with time commitments
Recommended: Who does ISMS work and what fraction of their capacity is committed — a RACI, role descriptions, or a simple resourcing table. This is the cleanest proof that the "determine" step actually happened.
Management review minutes covering resources
Recommended: Recorded discussion and decisions where resourcing was raised — including deliberate deferrals. The decision trail matters more than the amounts.
See the full ISO 27001 mandatory documents checklist for every document and record the standard requires.
How to Implement Clause 7.1
Inventory What the ISMS Actually Consumes
List the recurring activities: risk assessments, internal audits, management reviews, awareness programs, access reviews, supplier reviews, control operation, evidence preparation, certification and surveillance audits. Estimate hours and cost per cycle. Most organizations have never done this arithmetic, and the total usually surprises them.
Translate the Inventory into a Resource Plan
One page or one sheet: named people with percentage allocations, budget lines for tooling, training, and audit fees, and the external support you will buy rather than build. Derive the numbers from the risk treatment plan and the objectives so every line is defensible.
Get an Explicit Leadership Allocation Decision
Present the plan where leadership decides — a management review or the budget cycle — and record the outcome. If only part is funded, record what was deferred and that the consequence was understood. A conscious, documented trade-off is auditable; silent starvation is a finding.
Fill Capability Gaps Deliberately
Where the plan exposes missing skills or hands, choose consciously between hiring, training existing staff (which connects to clause 7.2), and contracting external support. If functions are outsourced — a managed SOC, an external internal-audit resource — keep oversight and accountability in-house.
Track the Under-Resourcing Indicators
Watch the metrics that reveal resource starvation early: overdue corrective actions, slipped audit or review dates, declining training completion, risk register staleness. Report them in management review as resourcing signals, not as individual performance failures.
Revisit the Determination on a Cycle and on Change
Re-run the resource determination at least annually and whenever the ISMS changes shape — scope expansion, headcount growth, new regulatory obligations, a serious incident. Clause 7.1 is continuous; a resource plan that never changes while the company doubles is its own evidence of neglect.
Audit Evidence
During Stage 1 and Stage 2 of your ISO 27001 certification audit, auditors will expect the following evidence to demonstrate conformity with Clause 7.1:
Documentation
- A resource plan or budget extract showing ISMS line items — people, tooling, training, audit fees
- Role definitions or a resourcing table showing who does ISMS work and with what time commitment
- Management review minutes recording resource discussions, decisions, and deliberate deferrals
- Procurement or license records for the security tooling the ISMS depends on
- Action trackers and audit schedules showing ISMS activities completing on time — the strongest indirect evidence of adequate resourcing
Interviews
- Top management on how security resourcing is decided, what was last funded, and what was last declined — the clause 5.1 and 7.1 questions arrive together
- The ISMS manager or security lead on whether allocated time and budget match what the plan assumed
- People with assigned ISMS duties on whether they realistically have the hours and tools to perform them
Observations
- Tooling actually in use — licenses active, dashboards populated — versus tooling merely claimed
- The currency of ISMS records (risk register, action tracker, training logs) as a live proxy for whether anyone has time to maintain them
- Whether one person answers every interview question — the visible signature of a single-point-of-failure ISMS
Practitioner Insights

Two questions tell me more about 7.1 than any budget sheet: I ask top management what the ISMS costs them, and what they most recently declined to fund. Organizations that can answer both have clearly run the determination the clause requires; organizations that cannot are usually absorbing the ISMS into the margins of other jobs. The other pattern I watch for is the single-handed ISMS — one capable, exhausted person holding everything. Auditors probe coverage and succession directly now, because we have all seen what happens to that system the month after that person leaves.

Small organizations do not fail 7.1 because leadership refuses to fund security — they fail because nobody ever counted. List the ISMS calendar for a year, multiply by honest hours, and compare against the capacity actually freed up; that one-page arithmetic is the determination the clause asks for, and it usually wins the argument it documents. And remember that provision does not mean expensive: built-in cloud security features, open-source scanners, and a disciplined spreadsheet are perfectly acceptable evidence when they genuinely cover the need.
Common Challenges & Solutions
Challenge
ISMS responsibilities are assigned on top of full-time jobs with no capacity actually freed.
Solution
Quantify the hours the assigned duties need and present the overload explicitly: either capacity is reallocated, the duties are reduced, or leadership signs off on the gap as an accepted risk. The unworkable middle — duties assigned, hours unavailable, nobody told — is where audit findings incubate.
Challenge
There is no security budget line, so every tool or training request becomes an ad hoc negotiation.
Solution
Propose a small annual ISMS budget tied line-by-line to the risk treatment plan and objectives. Even a modest dedicated line changes the dynamic: requests become draw-downs against an approved plan instead of fresh battles, and the approval itself becomes 7.1 evidence.
Challenge
Corrective actions and audits chronically run late, and the lateness is blamed on individuals.
Solution
Present overdue-action aging and schedule slippage as resourcing metrics in management review, trended over time. Reframing the conversation from "people are slow" to "the system is under-provisioned" is usually what unlocks the staffing or de-scoping decision.
Challenge
Tool gaps are covered by manual heroics — log reviews in spreadsheets, access reviews by hand across dozens of systems.
Solution
Cost the heroics honestly in hours per cycle and compare against the tooling category that automates them (log platform, identity governance, GRC tracker). Automation is a resource multiplier; presenting it that way converts a tooling request into a resourcing decision leadership can actually evaluate.
Challenge
The whole ISMS lives in one person's head, and the organization is one resignation away from losing it.
Solution
Name and train a deputy for the critical ISMS duties, document the operating procedures that currently exist only as habit, and consider an external retainer as a backstop. Spreading the load is far cheaper than rebuilding the system from scratch after a departure.