In this ultimate how-to audit guide to ISO 27001 Clause 7.2 Competence, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Establish Formal Competence Requirements for ISMS Roles
- 2. Verify Education and Experience During Recruitment
- 3. Audit the Mapping of Technical Skills to the Asset Register
- 4. Provision Targeted Training for High-Privilege IAM Roles
- 5. Evaluate the Effectiveness of Acquired Competence
- 6. Document All Professional Certifications and Training Logs
- 7. Review Competence Following Significant ISMS Changes
- 8. Inspect Supplier Competence Evidence
- 9. Formalise Periodic Performance Reviews with Security KPIs
- 10. Retain Objective Evidence for the Duration of Employment
- ISO 27001 Clause 7.2 Audit Implementation Table
- Common SaaS and GRC Platform Audit Failures for Clause 7.2
Auditing ISO 27001 Clause 7.2 is the process of verifying that an organisation has determined and documented the necessary competence for personnel affecting information security. This involves confirming that individuals are qualified on the basis of appropriate education, training, or experience to ensure the effective performance of the ISMS and reduce operational risk.
1. Establish Formal Competence Requirements for ISMS Roles
Identify the specific competence criteria for every role that impacts information security. This ensures that the organisation has a benchmark against which to measure the suitability of its personnel.
- Inspect job descriptions for specific mentions of security-related qualifications or experience.
- Verify that competence requirements are documented for internal staff, contractors, and third-party consultants.
- Check that the requirements are proportionate to the risk level of the role, such as higher requirements for those with administrative access.
2. Verify Education and Experience During Recruitment
Audit the HR onboarding process to ensure that claims of education and prior experience are verified before a candidate is granted access to the production environment. This prevents the “credential gap” that often leads to internal security failures.
- Sample recruitment files to check for verified certificates and references.
- Confirm that background checks are conducted in accordance with the sensitivity of the assigned IAM roles.
- Check for alignment between the recruitment criteria and the documented competence matrix.
3. Audit the Mapping of Technical Skills to the Asset Register
Examine whether the individuals responsible for managing critical assets possess the specific technical skills required for those technologies. This ensures that assets listed in the Asset Register are maintained by competent personnel.
- Cross-reference the Asset Register with the training records of the assigned system administrators.
- Verify that staff managing cloud environments hold relevant certifications, such as AWS or Azure security specialities.
- Confirm that the organisation has identified “Single Points of Failure” where only one person holds the necessary competence for a critical system.
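The cross-referencing in this step can be scripted. The following is an added example, not part of this guide or the Ultimate ISO 27001 Toolkit: it joins a constructed asset register (each critical asset records the competence it requires and its assigned administrators) to constructed training records and raises two kinds of finding, an administrator who lacks the required competence, and a single point of failure where only one assigned administrator holds it. The field names, skill labels, people and assets are all assumptions made for illustration; a real organisation would map this onto its own register and HR records.

```python
"""Added example (not from the original guide): Clause 7.2 competence
cross-check between an asset register and training records.
All data, field names and skill labels below are constructed assumptions."""
from collections import Counter

# Constructed asset register: required competence per asset plus assigned admins.
ASSET_REGISTER = [
    {"asset": "prod-aws-account", "required_skill": "aws-security",
     "admins": ["alice", "bob"]},
    {"asset": "core-firewall", "required_skill": "firewall-admin",
     "admins": ["carol"]},
    {"asset": "hr-database", "required_skill": "database-admin",
     "admins": ["dave", "erin"]},
]

# Constructed training records: verified certifications / skills per person.
TRAINING_RECORDS = {
    "alice": {"aws-security", "database-admin"},
    "bob": {"database-admin"},
    "carol": {"firewall-admin"},
    "dave": {"database-admin"},
    "erin": {"database-admin"},
}


def audit_competence(asset_register, training_records):
    """Return a list of findings, each a dict with 'asset', 'finding', 'detail'.

    Finding types:
      competence-gap          an assigned admin lacks the required skill
      no-competent-admin      nobody assigned holds the required skill
      single-point-of-failure exactly one assigned admin holds it
    """
    findings = []
    for entry in asset_register:
        skill = entry["required_skill"]
        competent = [a for a in entry["admins"]
                     if skill in training_records.get(a, set())]
        not_competent = [a for a in entry["admins"] if a not in competent]

        if not_competent:
            findings.append({"asset": entry["asset"], "finding": "competence-gap",
                             "detail": f"{', '.join(not_competent)} lack '{skill}'"})

        if not competent:
            findings.append({"asset": entry["asset"], "finding": "no-competent-admin",
                             "detail": f"no assigned admin holds '{skill}'"})
        elif len(competent) == 1:
            # Staff outside the assignment who hold the skill are potential cover;
            # the auditor still records the SPOF because cover is not assigned.
            cover = sorted(p for p, skills in training_records.items()
                           if skill in skills and p not in entry["admins"])
            findings.append({"asset": entry["asset"],
                             "finding": "single-point-of-failure",
                             "detail": f"only {competent[0]} holds '{skill}'; "
                                       f"unassigned cover: {cover or 'none'}"})
    return findings


def summarise(findings):
    """Count findings per type, the figure an auditor would put in the report."""
    return dict(Counter(f["finding"] for f in findings))


if __name__ == "__main__":
    results = audit_competence(ASSET_REGISTER, TRAINING_RECORDS)
    for f in results:
        print(f"{f['asset']:18} {f['finding']:24} {f['detail']}")
    print(summarise(results))
```

Run as-is it reports a competence gap and a single point of failure on the AWS account (only alice holds the skill) and a single point of failure on the firewall (carol, with no unassigned cover); the HR database passes because both administrators are competent. Extending the check to contractors is a matter of adding them to the training records with their verified certifications.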

