Clause 7: Support
Resources, competence, awareness, communication, and documented information requirements for your ISMS.
Overview
Clause 7 addresses the supporting elements your ISMS needs to function effectively. Even the best-designed security framework will fail without adequate resources, competent people, organisation-wide awareness, clear communication channels, and properly managed documentation.
7.1 Resources
The organisation must determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS. This includes budget, people, tools, and time. Under-resourcing the ISMS is one of the most common reasons organisations struggle with certification.
7.2 Competence
Persons doing work that affects information security performance must be competent on the basis of appropriate education, training, or experience. You must:
- Determine the necessary competence for each role.
- Ensure persons are competent through education, training, or experience.
- Where applicable, take actions to acquire the necessary competence (training courses, mentoring, reassignment).
- Retain documented evidence of competence (training records, certifications, CVs).
7.3 Awareness
All persons doing work under the organisation's control must be aware of:
- The information security policy.
- Their contribution to the effectiveness of the ISMS.
- The benefits of improved information security performance.
- The implications of not conforming with ISMS requirements.
7.4 Communication
You must determine the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and the processes by which communication shall be effected. This covers security incident notifications, policy updates, risk assessment results shared with management, and regulatory notifications.
7.5 Documented Information
The ISMS must include documented information required by the standard and any additional documentation the organisation determines is necessary. This is one of the most audited areas — auditors will check that documents are properly created, approved, distributed, reviewed, and retained.
Requirements for documented information include:
- Creation and updating — appropriate identification, format, and review/approval processes.
- Control — availability, suitability for use, adequate protection (against loss of confidentiality, improper use, or loss of integrity).
- Distribution, access, retrieval, and use — controlled and traceable.
- Storage, preservation, and disposition — including retention periods and disposal methods.
How Standardise Helps
- Document Management — full document lifecycle with version control, approval workflows, owner assignment, and review scheduling. Every document change is tracked with a complete version history.
- Evidence Collection — upload and organise evidence files (up to 25 MB each) with metadata, SHA-256 checksums, and encrypted storage. Evidence is linked to specific controls and audit findings.
- 27 ISO 27001 templates — pre-built document templates across all 8 ISMS modules, ensuring you have the right documentation structure from day one.
- Integration notifications — Slack and Microsoft Teams integrations keep your team informed about security events, policy changes, and review deadlines.