In this article I lay bare ISO 27001 Competency Matrix. Exposing the insider trade secrets, giving you the ISO 27001 templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.

I show you exactly what changed in the ISO 27001:2022 update.

I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Competency Matrix.

What is ISO 27001 competence?

The ISO 27001 competency matrix is a requirement of ISO 27001 certification. It is also best practice management that we understand the competency of employees for information security. It forms part of the information security management system. We also use it to track, plan and manage information security training.

For a deep dive into competence you can read the Essential Guide to ISO 27001 Clause 7.2 Competence but let’s look at a summary:

ISO 27001 Clause 7.2 Competence

The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

ISO 27001 clause 7.2 competence addresses having the right people in place with the right skills and experience to run the information security management system. Without it you wont reach ISO 27001 certification and you wont have effective information security in place.



What is an ISO 27001 Competency Matrix?

Competency development requires us to identify the gaps in information security knowledge, experience and training.

We need to know that employees have the skills for information security.

It makes sense to understand if, and to what level, we can also skill our business technology.

We record it in an ISO 27001 competency matrix.

The ISO 27001 Competency Matrix Template is to record the skills and training level of staff against information security and business technology.

It allows you to demonstrate and evidence that you have the adequate skills to operate the Information Security Management System and to identify, track and manage any training or resourcing needs.

ISO 27001 Competency Matrix Template

The competency matrix template is a simple and effective way to record and manage employee competency.

It will save you 8 hours and you can start using straight away.

ISO 27001 Competency Matrix Template

How to create and use an ISO 27001 Competency Matrix

In this tutorial video I show you how to create a competency matrix for skills in around 5 minutes.

A competency matrix shows the skills you have, the skills you need and the training requirements and is a part of  of data security and many industry certifications including ISO 27001, PCI DSS, SOC and a host of others.

We cover how the it fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.

The competency matrix doesn’t have to be hard and it really is easy to create a basic functioning competency matrix from scratch.

ISO 27001 Competency Matrix Example

This is an ISO 27001 Competency Matrix example and a great way to meet the requirement of the standard.

ISO 27001 Competence Matrix Example


Where can I download an ISO 27001 Competency Matrix Template?

A trusted ISO 27001 competency matrix template can be downloaded from High Table: The ISO 27001 Company.

What is an ISO 27001 Competency Matrix?

A competency matrix is a way to measure the skills and experience of staff against the business skill requirements.

What is a competency matrix in HR?

A competency matrix is a way to measure the skills of employees against the requirements of the business. In HR they will use the matrix to align the training needs of staff for the business and allocate the training resources. They will use it to identify skills risks and skills gaps and then plan to reduce those risks.

How do you build an ISO 27001 competency matrix?

It is easy to build a competency matrix. In a spreadsheet list your employees down the left hand side in a column. Across the top in a row list the skills that you are interested in measuring. For each employee then mark the level of skill that they have against each skill required. You can use the a simple key of Gap, Trained, Experienced. A tutorial video on how to do it can be found here on YouTube: How To Build a Competency Matrix.

Do I need a competency matrix for ISO 27001?

Yes. It is the easiest, simplest way to understand what skills you need verses what skills you have.

Do I need an information security competency matrix?

Yes. Information security skills are wide and varied. Once you understand what skills you need it is important to understand what skills you have so you can address the gaps.