ISO 27001 Competency Matrix Explained

A trusted ISO 27001 competency matrix template can be downloaded from High Table: The ISO 27001 Company.

A competency matrix is a way to measure the skills and experience of staff against the business skill requirements.

A competency matrix is a way to measure the skills of employees against the requirements of the business. In HR they will use the matrix to align the training needs of staff for the business and allocate the training resources. They will use it to identify skills risks and skills gaps and then plan to reduce those risks.

It is easy to build a competency matrix. In a spreadsheet list your employees down the left hand side in a column. Across the top in a row list the skills that you are interested in measuring. For each employee then mark the level of skill that they have against each skill required. You can use the a simple key of Gap, Trained, Experienced. A tutorial video on how to do it can be found here on YouTube: How To Build a Competency Matrix.

Yes. It is the easiest, simplest way to understand what skills you need verses what skills you have.

Yes. Information security skills are wide and varied. Once you understand what skills you need it is important to understand what skills you have so you can address the gaps.

After any significant change that affects personnel or the roles and responsibilities of the management system and at least annually.

Other than your ISO 27001 certification requiring it, the following are benefits of having the ISO 27001 Competency Matrix:
Improved security: You will have the skills and experience to run an effective information security management system.
Reduced risk: Ensuring that you have the skills and experience needed will lead to a reduction in risk to your organisation and ensure the information security goals are met and the management system runs as intended.
Improved compliance: Standards and regulations require that you have competence for information security.
Reputation Protection: In the event of a breach having trained, experienced and competence personnel will reduce the potential for fines and reduce the PR impact of an event

This will depend on the structure and make up of your organisation. It is usually the information security manager that takes responsibility for this working alongside the HR manager. It is also possible to be just the HR manager.

The implementation is a combination of the information security manager, HR and the resources that are involved in the ISMS.

The approaches to monitoring the effectives of competence include:
Internal audit of the skills and training process
External audit of the skills and training process
Review of training records and checks on employment history

ISO 27001 clause 7.2 competence addresses having the right people in place with the right skills and experience to run the information security management system. Without it you wont reach ISO 27001 certification and you wont have effective information security in place.
The standard defines competence as:
The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
ISo 27001 Clause 7.2 competence