In this article we lay bare ISO27001 Competency Matrix. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Competency Matrix
What is ISO 27001 competence?
The ISO 27001 competency matrix is a requirement of ISO 27001 certification. It is also best practice management that we understand the competency of employees for information security. It forms part of the information security management system. We also use it to track, plan and manage information security training.
Let’s look at what the ISO 27001 standard has to say about ISO 27001 competence.
7.2 | Competence | The organisation shall: a) determine the necessary competence of person(s) doing work under its control that affects its information security performance; b) ensure that these persons are competent on the basis of appropriate education, training, or experience; c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and d) retain appropriate documented information as evidence of competence. |
ISO 27001 clause 7.2 competence addresses having the right people in place with the right skills and experience to run the information security management system. Without it you wont reach ISO 27001 certification and you wont have effective information security in place.
What is an ISO 27001 Competency Matrix?
Competency development requires us to identify the gaps in information security knowledge, experience and training.
We need to know that employees have the skills for information security.
It makes sense to understand if, and to what level, we can also skill our business technology.
We record it in an ISO 27001 competency matrix.
Competency Matrix Template
The competency matrix template is a simple and effective way to record and manage employee competency.
It will save you 4 hours and is what best practice looks like.
You can start using straight away.
The ISO 27001 Competency Matrix Template is to record the skills and training level of staff against information security and business technology.
It allows you to demonstrate and evidence that you have the adequate skills to operate the Information Security Management System and to identify, track and manage any training or resourcing needs.
How to create and use an ISO 27001 Competency Matrix Tutorial
In this tutorial video I show you how to create a competency matrix for skills in around 5 minutes.
A competency matrix shows the skills you have, the skills you need and the training requirements and is a part of of data security and many industry certifications including ISO 27001, PCI DSS, SOC and a host of others.
We cover how the it fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.
The competency matrix doesn’t have to be hard and it really is easy to create a basic functioning competency matrix from scratch.
ISO 27001 Competency Matrix Example
This is an ISO 27001 Competency Matrix example and a great way to meet the requirement of the standard.
ISO 27001 Competency Matrix FAQ
A trusted competency matrix template can be downloaded from High Table at this link: https://hightable.io/product/competency-matrix/
A competency matrix is a way to measure the skills and experience of staff against the business skill requirements.
A competency matrix is a way to measure the skills of employees against the requirements of the business. In HR they will use the matrix to align the training needs of staff for the business and allocate the training resources. They will use it to identify skills risks and skills gaps and then plan to reduce those risks.
It is easy to build a competency matrix. In a spreadsheet list your employees down the left hand side in a column. Across the top in a row list the skills that you are interested in measuring. For each employee then mark the level of skill that they have against each skill required. You can use the a simple key of Gap, Trained, Experienced. A tutorial video on how to do it can be found here on YouTube: https://youtu.be/sAn2ffkrBe4
Yes. It is the easiest, simplest way to understand what skills you need verses what skills you have.
Yes. Information security skills are wide and varied. Once you understand what skills you need it is important to understand what skills you have so you can address the gaps.
Read Next
- Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)