How to Implement ISO 27001 Clause 7.2 Competence

In this ultimate how-to guide to implementing ISO 27001 Clause 7.2 Competence, you will learn directly from an ISO 27001 Lead Auditor:

  • The requirement of the control
  • The required implementation steps
  • The minimum requirement

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

You cannot achieve ISO 27001 certification if your team lacks the necessary expertise. It is that simple. ISO 27001 Clause 7.2, the “Competence” clause, is a mandatory requirement ensuring the people managing your information security possess the right skills, knowledge, and experience. This isn’t just about ticking a box; it’s about building a team capable of protecting your organisation.

To succeed, you must “play the auditor, not the standard.” This means focusing on the practical evidence an auditor needs to see. This guide provides a step-by-step roadmap to demystify Clause 7.2, create required evidence, and build a resilient security culture.

Key Takeaways for ISO 27001 Competence

  • Mandatory Requirement: Clause 7.2 is non-negotiable for anyone seeking ISO 27001 certification.
  • Core Implementation: You must formally assign security roles, identify necessary skills, and document everything in a competency matrix.
  • Auditor Focus: External auditors demand tangible proof, including documented roles and clear plans to address skill gaps.
  • Common Pitfalls: Avoid the mistake of having no ISO 27001 experience on your team or failing to maintain a forward-looking training plan.

Understanding the ISO 27001:2022 Clause 7.2 Requirements

According to the official ISO 27001:2022 standard, the organisation shall:

  1. Determine the necessary competence of person(s) doing work under its control that affects its information security performance.
  2. Ensure that these persons are competent on the basis of appropriate education, training, or experience.
  3. Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken.
  4. Retain appropriate documented information as evidence of competence.

What This Means in Plain English:

  • Part (a): Identify the specific skills and experience needed for every role impacting information security.
  • Part (b): Confirm that people in these roles meet your defined criteria through education, training, or hands-on experience.
  • Part (c): If a “skill gap” exists, you must fix it (via training or hiring) and then verify that the fix actually worked.
  • Part (d): Keep records. If it isn’t documented, an auditor will assume it never happened.

Step-by-Step Guide to Implementing Clause 7.2

1. Secure the Right Expertise

You must have access to proven ISO 27001 experience. You can engage a consultant, hire a full-time expert, or invest in ISO 27001 Lead Implementer or Lead Auditor certifications for your internal staff.

2. Assign Roles and Responsibilities

Formally document ISMS roles. This links directly to Clause 7.1 (Resources). Create an accountability matrix defining who is responsible for each part of the ISMS and Annex A controls.

3. Identify Required Security Skills

Document the specific skills your organisation needs. Common industry benchmarks include:

  • ISO 27001 Lead Auditor / Lead Implementer (The most direct evidence)
  • CISSP (Certified Information Systems Security Professional)
  • CISM (Certified Information Security Manager)
  • GDPR / Data Protection expertise
  • Technical qualifications (e.g., AWS Security, Network Security)

4. Document Everything in a Competency Matrix

The competency matrix is your central piece of evidence. This spreadsheet records your personnel, their roles, their current skills, and any identified gaps.