Auditing ISO 27001 Clause 7.2 is the process of verifying that an organisation has determined and documented the necessary competence for personnel affecting information security. This involves confirming that individuals are qualified on the basis of appropriate education, training, or experience to ensure the effective performance of the ISMS and reduce operational risk.
Auditing Clause 7.2 requires a rigorous check of the alignment between an organisation’s security requirements and the actual capabilities of its workforce. A successful audit demonstrates that the business has not only identified what skills are needed to protect its assets but has also taken proactive steps to bridge any identified gaps through structured training or recruitment, backed by verifiable documentation.
1. Establish Formal Competence Requirements for ISMS Roles
Identify the specific competence criteria for every role that impacts information security. This ensures that the organisation has a benchmark against which to measure the suitability of its personnel.
- Inspect job descriptions for specific mentions of security-related qualifications or experience.
- Verify that competence requirements are documented for internal staff, contractors, and third-party consultants.
- Check that the requirements are proportionate to the risk level of the role, such as higher requirements for those with administrative access.
2. Verify Education and Experience During Recruitment
Audit the HR onboarding process to ensure that claims of education and prior experience are verified before a candidate is granted access to the production environment. This prevents the “credential gap” that often leads to internal security failures.
- Sample recruitment files to check for verified certificates and references.
- Confirm that background checks are conducted in accordance with the sensitivity of the assigned IAM roles.
- Check for alignment between the recruitment criteria and the documented competence matrix.
3. Audit the Mapping of Technical Skills to the Asset Register
Examine whether the individuals responsible for managing critical assets possess the specific technical skills required for those technologies. This ensures that assets listed in the Asset Register are maintained by competent personnel.
- Cross-reference the Asset Register with the training records of the assigned system administrators.
- Verify that staff managing cloud environments hold relevant certifications, such as AWS or Azure security specialities.
- Confirm that the organisation has identified “Single Points of Failure” where only one person holds the necessary competence for a critical system.
4. Provision Targeted Training for High-Privilege IAM Roles
Verify that users with elevated privileges receive specialised training beyond general security awareness. High-privilege accounts represent a significant risk and require a deeper understanding of technical security controls.
- Inspect training logs for Database Administrators and Network Engineers.
- Confirm that training includes the proper use of MFA and PAM (Privileged Access Management) tools.
- Check that the training is updated to reflect changes in the technical environment, such as the implementation of new security tooling.
5. Evaluate the Effectiveness of Acquired Competence
Assess how the organisation measures whether training actually resulted in competence. Simply attending a course is not enough: the auditor must see evidence that the knowledge was retained and applied.
- Review post-training assessment scores or practical exam results.
- Inspect performance review notes for mentions of security competence improvements.
- Audit the results of phishing simulations or social engineering tests as a measure of practical competence.
6. Document All Professional Certifications and Training Logs
Inspect the central repository for competence records to ensure it is accurate and up to date. Clause 7.2 makes retaining documented information mandatory, so this repository is the audit trail that demonstrates compliance.
- Verify that the training log includes dates, provider names, and expiration dates for certifications.
- Confirm that certificates of completion are stored securely and are easily retrievable.
- Check that the training register is reviewed periodically by the CISO or HR lead.
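Steps 3, 4 and 6 above describe cross-checks an auditor can run mechanically over exports from the Asset Register, the training log and the privileged-user list: does each asset owner hold a valid certification for that technology, where does only one person cover a technology, which certifications have expired, and whose privileged training is stale. The script below is an added example, not from the original page or any real organisation: every record, the competence matrix, the audit date and the function names are constructed for illustration, and the one-year limit on privileged training is an assumed policy value.

```python
"""Automated Clause 7.2 competence cross-checks over constructed sample exports."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str        # entry in the Asset Register
    technology: str  # platform the asset runs on
    owner: str       # assigned administrator


@dataclass(frozen=True)
class TrainingRecord:
    person: str
    certification: str
    expires: date    # expiry must be tracked to avoid "ghost certifications"


@dataclass(frozen=True)
class PrivilegedUser:
    person: str
    role: str                 # e.g. "Global Admin" or "root"
    last_priv_training: date  # last PAM/MFA-specific training session


# Constructed competence matrix: technology -> certification its owner must hold.
COMPETENCE_MATRIX = {
    "aws": "AWS Certified Security - Specialty",
    "linux": "Linux Administration",
    "azure": "Azure Security Engineer",
}

# Constructed sample exports (invented names and dates, not real data).
ASSETS = [
    Asset("billing-db", "aws", "alice"),
    Asset("web-frontend", "aws", "bob"),
    Asset("build-server", "linux", "carol"),
    Asset("hr-portal", "azure", "dave"),
]
TRAINING_LOG = [
    TrainingRecord("alice", "AWS Certified Security - Specialty", date(2026, 6, 30)),
    TrainingRecord("bob", "AWS Certified Security - Specialty", date(2024, 1, 15)),
    TrainingRecord("carol", "Linux Administration", date(2027, 3, 1)),
    # dave has no Azure record at all
]
PRIVILEGED_USERS = [
    PrivilegedUser("alice", "Global Admin", date(2025, 2, 1)),
    PrivilegedUser("carol", "root", date(2023, 5, 10)),
]
AUDIT_DATE = date(2025, 9, 1)  # constructed audit date


def valid_certs(log, as_of):
    """Map person -> set of certifications still valid on `as_of`."""
    held = defaultdict(set)
    for rec in log:
        if rec.expires >= as_of:
            held[rec.person].add(rec.certification)
    return held


def expired_certifications(log, as_of):
    """Step 6: training-log entries whose expiry date has already passed."""
    return sorted((r.person, r.certification) for r in log if r.expires < as_of)


def uncovered_assets(assets, log, matrix, as_of):
    """Step 3: assets whose owner lacks a valid certification for the technology.
    A technology missing from the matrix is flagged too (undefined competence)."""
    held = valid_certs(log, as_of)
    return sorted(a.name for a in assets
                  if matrix.get(a.technology) not in held.get(a.owner, set()))


def single_points_of_failure(assets, log, matrix, as_of):
    """Step 3: technologies in use where exactly one person holds the required cert."""
    held = valid_certs(log, as_of)
    spofs = []
    for tech in sorted({a.technology for a in assets}):
        cert = matrix.get(tech)
        holders = [p for p, certs in held.items() if cert in certs]
        if len(holders) == 1:
            spofs.append((tech, holders[0]))
    return spofs


def stale_privileged_training(users, as_of, max_age_days=365):
    """Step 4: privileged users whose last specialised training is older than the limit."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(u.person for u in users if u.last_priv_training < cutoff)


def clause_7_2_findings(as_of=AUDIT_DATE):
    """Collect all findings for the audit working papers."""
    return {
        "expired_certifications": expired_certifications(TRAINING_LOG, as_of),
        "uncovered_assets": uncovered_assets(ASSETS, TRAINING_LOG, COMPETENCE_MATRIX, as_of),
        "single_points_of_failure": single_points_of_failure(ASSETS, TRAINING_LOG, COMPETENCE_MATRIX, as_of),
        "stale_privileged_training": stale_privileged_training(PRIVILEGED_USERS, as_of),
    }


if __name__ == "__main__":
    for finding, items in clause_7_2_findings().items():
        print(f"{finding}: {items}")
```

On the constructed data this flags bob's lapsed AWS certification, the two assets whose owners lack valid coverage (web-frontend and hr-portal), alice and carol as single points of failure for AWS and Linux, and carol's privileged training as older than a year. Each finding maps to a specific row of the evidence table, which is the point: the exports already exist in most organisations, so the cross-check is cheap to repeat before every surveillance audit.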
7. Review Competence Following Significant ISMS Changes
Audit the process for reassessing competence when the ISMS undergoes major changes, such as a shift to remote working or a new software deployment. This ensures that skills evolve alongside the technology stack.
- Check for competence reviews triggered by Clause 6.3 (Planning of Changes).
- Verify that new training was provided when the organisation introduced new security protocols or MFA requirements.
- Confirm that the competence matrix was updated following a significant security incident or “near miss”.
8. Inspect Supplier Competence Evidence
Verify that the organisation ensures the competence of third-party providers who have access to sensitive data. Outsourcing a function does not outsource the responsibility for ensuring the competence of the person performing it.
- Review Right to Audit (ROE) documents or supplier assessments for mentions of staff competence.
- Check for clauses in Master Service Agreements (MSAs) requiring the supplier to maintain specific certification levels.
- Verify that the organisation has sighted the certifications of key contractor personnel.
9. Formalise Periodic Performance Reviews with Security KPIs
Examine how security performance is integrated into annual or quarterly appraisals. This reinforces the importance of security competence as a core part of an employee’s professional development.
- Sample appraisal forms for roles with security responsibilities to find security-related objectives.
- Confirm that failure to meet security competence standards is addressed through corrective action or additional training.
- Check that security KPIs are used to identify future training needs for the department.
10. Retain Objective Evidence for the Duration of Employment
Ensure that the organisation retains competence records for as long as the individual is performing work for the ISMS. This allows the organisation to defend its security posture during external audits or legal challenges.
- Verify that leaver files still contain relevant competence evidence in case of retrospective investigations.
- Check that digital records are backed up and protected from unauthorised modification.
- Confirm that the retention period for competence records matches the organisation’s Document Retention Policy.
ISO 27001 Clause 7.2 Audit Implementation Table
| Audit Step | How To Execute | Common Examples of Evidence |
|---|---|---|
| 1. Role Benchmarking | Interview Department Heads to define the “Ideal Candidate” profile for security roles. | Role-specific competence matrix, updated Job Descriptions. |
| 2. Credential Verification | Perform a “deep dive” on two recent hires to verify their claimed certifications. | Verification emails from universities, CISSP/CISM digital badges. |
| 3. Technical Skill Mapping | Compare the list of active servers in the Asset Register with the admin training log. | AWS Certified Security Specialty certificate, Linux Admin course logs. |
| 4. Privilege Training Audit | Identify everyone with “Root” or “Global Admin” access and check their training date. | PAM tool training certificates, specialised MFA enrolment logs. |
| 5. Effectiveness Testing | Review the results of the most recent quarterly phishing simulation. | Phishing report summary, list of staff requiring remedial training. |
| 6. Central Log Review | Check the Training Register for any expired certifications. | Excel or Database training log, renewal reminders in HR systems. |
| 7. Change-Induced Review | Check if a new training session was held after migrating to a new VPN provider. | Internal webinar recordings, updated Standard Operating Procedures (SOPs). |
| 8. Supplier Oversight | Sample a contract with an outsourced SOC provider for staff qualification clauses. | Supplier audit reports, signed Right to Audit (ROE) documents. |
| 9. Appraisal Integration | Check for “Information Security” as a standalone section in HR appraisal software. | Signed performance reviews, documented security objectives (OKRs). |
| 10. Retention Check | Confirm that training records for a staff member who left 6 months ago are still available. | Archived HR files, offboarding checklists. |
Common SaaS and GRC Platform Audit Failures for Clause 7.2
| Failure Mode | The SaaS / GRC Platform Bias | Audit Consequence |
|---|---|---|
| Generic Competence Templates | Platforms provide pre-filled matrices that don’t reflect the company’s actual tech stack. | Major non-conformity for failing to define “necessary” competence (Clause 7.2a). |
| Training vs. Competence | Systems mark a user as “competent” just because they clicked “next” on a generic video. | Auditor identifies a lack of “effectiveness evaluation” (Clause 7.2c). |
| Disconnected HR Systems | Competence data lives in the GRC tool but recruitment verification lives in a separate HR silo. | Inability to prove that experience was verified at the point of hire. |
| Manual Data Entry Fatigue | Users fail to upload certificates to the platform, leading to an outdated audit trail. | A finding for missing “documented information” (Clause 7.2d). |
| Asset Register Disconnect | The GRC tool doesn’t link the “Asset Owner” to their specific technical training records. | Auditor finds administrators managing systems they aren’t technically trained for. |
| Ghost Certifications | Platforms don’t automatically track the expiration dates of professional certifications. | Staff are found to be working with expired credentials during the audit. |
| Lack of Contextual Testing | Automated quizzes are too easy and don’t test for the specific risks of the organisation. | The auditor concludes that staff are not genuinely competent for their specific roles. |
| Static Role Definitions | Software defines roles once during setup and never prompts for a review when the ISMS evolves. | Competence requirements are found to be obsolete compared to current operations. |
| Implicit Bias in Automation | Platforms assume “admin” roles are competent by default without requiring evidence. | High-risk roles are left without verifiable competence records. |
| Vendor Lock-in Risk | Exporting training history for an auditor is often formatted poorly or incomplete. | Audit delays and increased scrutiny due to opaque or difficult-to-verify data. |