Guide to ISO 22301 Clause 7.1 Resources With Examples

What Is ISO 22301 and Why Does Clause 7.1 Matter?

ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It gives organisations a structured framework to prepare for, respond to, and recover from disruptive incidents, whether that is a cyberattack, a natural disaster, a supply chain failure, or a pandemic. If your organisation relies on this standard to maintain operations under pressure, Clause 7.1 is one of the foundational requirements you need to get right from the start.

Clause 7.1 sits within Section 7, which covers Support. Before your business continuity plans can work in practice, your organisation needs the right resources in place to build, operate, and continually improve the BCMS. That is exactly what Clause 7.1 addresses. It is not a complicated clause in terms of its wording, but it is one that organisations frequently underestimate during implementation.

This guide breaks down what Clause 7.1 actually requires, what auditors look for, and how to demonstrate compliance with real-world examples that apply to Australian businesses of all sizes.

The Exact Text of ISO 22301 Clause 7.1

The clause itself is brief. ISO 22301:2019 states that the organisation shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the BCMS.

That single sentence carries a lot of weight. The word “determine” means you need to actively identify what resources are required, not just assume you have enough. The word “provide” means those resources must actually be made available, not just listed in a document. And the phrase “establishment, implementation, maintenance, and continual improvement” means resources need to be available across the entire lifecycle of your BCMS, not just during the initial certification push.

What Counts as a Resource Under Clause 7.1?

The standard does not provide an exhaustive list of resource types, which is intentional. Every organisation is different, and the resources you need depend on your size, industry, the complexity of your operations, and the nature of your identified disruption risks. That said, resources generally fall into the following categories.

Human Resources

People are the most critical resource in any BCMS. This includes the staff responsible for managing the business continuity program, the teams who will execute recovery plans during an incident, and the leadership that makes decisions under pressure. You need to determine how many people are required, what competencies they need, and whether those people are actually available when a disruption occurs.

A common mistake organisations make is assigning business continuity responsibilities to a single person without any backup. If that person is unavailable during the very incident the plan is designed for, the whole system can collapse. Clause 7.1 pushes you to think about this realistically.

Financial Resources

Running a BCMS costs money. Training, testing, technology, alternate site arrangements, insurance, and external consultants all require budget. Clause 7.1 requires that your organisation actually commits financial resources to the BCMS rather than treating it as a side project that runs on goodwill and spare time.

In practice, this means having a documented budget allocation for business continuity activities. It does not need to be a separate budget line in every case, but you need to be able to demonstrate to an auditor that resources have been allocated and that spending decisions are made intentionally.

Technological Resources

Technology plays a central role in most modern BCMSs. This includes backup systems, communication platforms, cloud infrastructure, recovery tools, and the software used to document and manage the BCMS itself. Clause 7.1 requires that you identify what technology is needed and confirm it is actually in place and functional.

A business continuity plan that relies on a server that has not been tested in two years, or a communication tool that requires internet access during a network outage, is not adequately resourced. Auditors will probe whether your technology resources are fit for purpose under the specific disruption scenarios you have identified.

Physical Resources

Depending on your industry, physical resources may include alternate work locations, backup equipment, emergency supplies, vehicles, or physical storage for critical documents. For organisations in sectors like healthcare, logistics, or manufacturing, physical resources can be just as important as technology.

Information and Knowledge

Documented procedures, contact lists, recovery playbooks, supplier agreements, and institutional knowledge all count as resources. If your recovery plan depends on information that only exists in one person's head, or in a system that is inaccessible during a disruption, you have a resource gap.

How Clause 7.1 Connects to Other Clauses

Clause 7.1 does not operate in isolation. It feeds directly into several other requirements in the standard, and understanding these connections helps you build a more coherent BCMS rather than treating each clause as a separate checklist item.

Clause 7.2 covers Competence, which is about ensuring that people have the skills and knowledge to perform their roles in the BCMS. You cannot address competence without first determining what human resources are needed under Clause 7.1. Similarly, Clause 7.3 on Awareness and Clause 7.4 on Communication both depend on having the right people and tools in place.

Clause 8, which covers Operations, is where your business continuity plans actually get executed. If Clause 7.1 has not been properly addressed, your operational plans will be built on an unstable foundation. The resources identified under Clause 7.1 need to directly support the Business Impact Analysis (BIA), the risk assessment, and the business continuity strategies documented under Clause 8.

There is also a strong link to Clause 9 on Performance Evaluation. Your monitoring and measurement activities, internal audits, and management reviews all require resources. If you have not budgeted time and personnel for internal audits, for example, you are failing Clause 7.1 as much as you are failing Clause 9. For a deeper look at how internal audits function within a management system, the article on how to run ISO internal audits that actually find problems is worth reading.

Practical Examples of Clause 7.1 in Action

Abstract requirements become much clearer when you see how they apply to real organisations. Here are several scenarios that illustrate what Clause 7.1 compliance looks like in practice.

Example 1: A Medium-Sized Financial Services Firm

A financial services firm in Melbourne with 120 staff is implementing ISO 22301 for the first time. Under Clause 7.1, they conduct a resource assessment that identifies the following needs: a dedicated Business Continuity Manager (BCM), a secondary BCM who can act as backup, a cloud-based document management system for storing recovery plans, a contract with an alternate work site provider, and an annual budget of $85,000 for training, testing, and maintenance.

The firm documents this resource assessment in a Resource Register, which is reviewed annually and updated whenever a significant change occurs in the business. During their Stage 2 certification audit, the auditor reviews the register, confirms the BCM role is filled and the backup is trained, and verifies that the alternate site contract is current. The firm passes without a nonconformity against Clause 7.1.

Example 2: A Small Manufacturing Business

A small manufacturer in Brisbane with 35 staff is seeking ISO 22301 certification as a condition of a government supply contract. They do not have a dedicated business continuity role. Under Clause 7.1, they determine that the Operations Manager will hold BCM responsibilities, supported by the HR Manager during incidents. They allocate $18,000 annually for business continuity activities, invest in a cloud backup solution for critical production data, and identify a secondary supplier for key raw materials as a resource that supports continuity.

Their resource documentation is simpler than the financial services firm, but it is proportionate to their size and risk profile. The auditor does not expect a 35-person manufacturer to have the same resource structure as a 500-person bank. What the auditor does expect is evidence that the organisation has thought carefully about what it needs and has genuinely provided those resources.

Example 3: A Hospital or Healthcare Provider

A private hospital implementing ISO 22301 faces a more complex resource picture. Physical resources like backup generators, emergency medical supplies, and alternate patient care areas must be identified and maintained. Human resources need to account for 24/7 operations, shift patterns, and the need for clinical staff who can operate under crisis conditions. Technology resources include redundant communication systems, electronic health record backups, and medical equipment alternatives.

For a healthcare organisation, Clause 7.1 compliance often involves detailed resource mapping across departments, with clear ownership assigned to each resource category. This level of documentation is not excessive for an organisation where resource failures during a disruption can have life-threatening consequences.

What Auditors Actually Look For Under Clause 7.1

Having been through many ISO audits, I can tell you that auditors approach Clause 7.1 by looking for evidence of intentional resource planning rather than accidental adequacy. Saying “we have enough people” is not sufficient. You need to demonstrate that you have determined what is needed and deliberately provided it.

Typical audit evidence for Clause 7.1 includes a resource register or resource plan, budget records or financial approvals for BCMS activities, role descriptions that include business continuity responsibilities, technology inventories and maintenance records, alternate site or supplier agreements, and records showing that resource adequacy is reviewed periodically.

Auditors will also look for gaps between what is documented and what actually exists. If your resource plan says you have a fully equipped alternate work site but the contract expired six months ago, that is a nonconformity. If your plan identifies a need for trained incident commanders but no one has received that training, that is a nonconformity. The standard requires resources to be provided, not just planned.

One area that catches organisations out is the “continual improvement” element. Resources need to support improvement activities, not just current operations. If your BCMS has never changed since certification, and you have no resources allocated to reviewing and updating it, an auditor may raise a concern even if your current resource levels look adequate on paper.

Common Mistakes and How to Avoid Them

Treating Clause 7.1 as a Tick-Box Exercise

The most common mistake is listing resources in a document without genuinely assessing whether they are adequate. A resource register that was completed during implementation and never reviewed again is a red flag for auditors. Resources change as your business changes, and your BCMS needs to keep pace.

Underestimating the Human Resource Requirement

Organisations frequently underestimate how much time business continuity activities actually require. Maintaining a BCMS, running exercises, updating plans, and responding to incidents takes real time from real people. If your BCM responsibilities are buried at the bottom of someone's already full job description, the BCMS will suffer. Be honest about the time commitment and allocate it properly.

Ignoring Resources Needed for Testing and Exercises

Business continuity exercises are one of the most resource-intensive activities in a BCMS. They require staff time, sometimes physical resources like alternate sites or equipment, and coordination effort. Organisations that do not budget for exercises often skip them, which creates a cascade of compliance issues across Clause 8 and Clause 9 as well.

Failing to Review Resources After Significant Changes

If your organisation grows, restructures, changes its technology platform, or enters a new market, your resource requirements for the BCMS will change. Clause 7.1 is not a one-time assessment. Build a trigger into your management review process to reassess resources whenever a material change occurs. The article on how to check if your ISO management system is actually working covers this kind of ongoing system health check in more detail.

How to Document Clause 7.1 Compliance

ISO 22301 does not prescribe a specific document format for Clause 7.1. What matters is that you have evidence of your resource determination and provision. A practical approach for most organisations is to maintain a Resource Register that captures the following information for each resource category: the type of resource, the specific resource identified, the owner or responsible party, the current status, the review date, and any gaps or planned actions.

This register should be a living document, reviewed at least annually and updated whenever a significant change occurs. It should be referenced in your management review process so that leadership is aware of resource adequacy and can make informed decisions about allocation.

For organisations that are also certified to other ISO standards like ISO 9001 or ISO 27001, there is an opportunity to integrate resource planning across your management systems. The resource requirements for different standards often overlap significantly, and a single integrated resource assessment can reduce duplication. If you are managing multiple certifications, the article on integrated management systems explained provides a useful framework for thinking about this.

Getting Started: A Practical Checklist for Clause 7.1

If you are working through ISO 22301 implementation and want to make sure Clause 7.1 is properly addressed, the following steps will get you on the right track.

• Conduct a structured resource assessment that covers human, financial, technological, physical, and information resources required for the BCMS.
• Document the outcomes in a Resource Register with clear ownership and review dates.
• Confirm that identified resources are actually in place, not just planned.
• Allocate a realistic budget for business continuity activities including training, testing, and maintenance.
• Assign BCM responsibilities to named individuals with documented backup arrangements.
• Review resource adequacy as part of your annual management review process.
• Update the Resource Register whenever a significant change occurs in the business.
• Ensure resources are available to support continual improvement, not just current operations.

If you are finding it difficult to determine what resources your specific organisation needs, working with an experienced ISO 22301 consultant can save considerable time and reduce the risk of getting it wrong. A good consultant will have seen resource planning across multiple industries and can help you calibrate your approach to your actual risk profile. If you are not sure how to find the right consultant, how to select the best ISO consultant for certification is a practical starting point.

At CertBetter, we connect Australian businesses seeking ISO 22301 certification with verified consultants and accredited certification bodies. You submit one form and receive up to three competing quotes from vetted providers, completely free of charge. Whether you are starting from scratch or trying to close gaps before a surveillance audit, getting the right expertise in your corner from the beginning makes the process significantly smoother.