In the fast-paced world of Artificial Intelligence, your team is likely laser-focused on training groundbreaking models and shipping innovative products. When you’re moving at the speed of AI, compliance standards like ISO 27001 can sometimes feel like a bureaucratic speed bump. But here’s the truth: ISO 27001 Clause 7.2 (Competence) isn’t just a hurdle—it’s the secret sauce for protecting your intellectual property and building the trust your clients demand.
For an AI startup or scale-up, your data and algorithms are your crown jewels. Ensuring your team has the right security skills is critical to keeping those assets safe. This guide breaks down Clause 7.2 into actionable steps, showing you how to turn a “checkbox” requirement into a strategic advantage for your AI business.
Table of contents
- What Does ‘Competence’ Actually Mean in Clause 7.2?
- Why Clause 7.2 is Critical for AI Innovation
- How to Implement Clause 7.2: An Action Plan for AI Teams
- The Competency Matrix: Your Secret Audit Weapon
- What to Expect During an ISO 27001 Audit
- 3 Common Pitfalls for AI Startups
- Frequently Asked Questions
- Conclusion: Building a Culture of Competence
What Does ‘Competence’ Actually Mean in Clause 7.2?
Before we dive into implementation, let’s look at the “spec.” In the context of an Information Security Management System (ISMS), Competence means ensuring that the people who impact your security performance actually know what they’re doing. It’s about putting the right people in the right roles with the right skills.
The ISO 27001:2022 standard breaks Clause 7.2 down into four main requirements. Your organisation must:
- Determine the necessary competence for anyone doing work that affects information security.
- Ensure these people are competent (based on education, training, or experience).
- Take action to fill any skill gaps (like training or hiring) and check if those actions worked.
- Keep records as documented evidence that your team is up to the task.
In short: identify what you need, check what you have, fix the gaps, and keep the receipts.
Why Clause 7.2 is Critical for AI Innovation
For AI companies, value is tied to proprietary code and massive datasets. Clause 7.2 is a core component of risk management. Think of it this way: you can’t achieve ISO 27001 certification if no one in the building understands the standard. A competent team is your best line of defence against data breaches and model poisoning.
Competence isn’t just for your “Security Person.” It touches every part of an AI business:
- HR: Managing the onboarding and training records.
- Engineering: Ensuring developers understand secure coding and data privacy.
- Legal/Compliance: Navigating AI regulations and data protection laws.
- Commercial: Knowing how to discuss security with enterprise clients.
As your AI company grows, your needs will evolve. You might start with external consultants to establish the framework, but as you mature, your internal staff will need the skills to maintain and improve the ISMS themselves.
How to Implement Clause 7.2: An Action Plan for AI Teams
Implementing this clause is a structured process. Here is your playbook for getting it done:
1. Access Expert Resources
You don’t need to be an expert on day one, but you need access to one. You can hire an external consultant, bring in a full-time CISO, or put your internal team through ISO 27001 Lead Auditor or Lead Implementer courses.
2. Assign Roles Clearly
An ISMS doesn’t run itself. Use an Accountability Matrix to assign specific ISO 27001 clauses and controls to individuals. This ensures everyone knows exactly what they are responsible for.
3. Identify Necessary Skills
What skills does an AI company need? Beyond general AWS or Azure security, consider industry-standard certifications like:
- CISSP (Security Professional)
- CISM (Security Manager)
- GDPR / Data Protection (Crucial for AI training data)
- ISO 27001 Lead Implementer (The “gold standard” for this clause)
4. Use a Competency Matrix
This is your primary tool. It’s usually a spreadsheet that tracks your team’s skills. You’ll want to label individuals as “Trained,” “Experienced,” or “Gap Identified.”
5. Keep Your Evidence
During an audit, “if it isn’t written down, it didn’t happen.” Work with HR to store training certificates, diplomas, and even internal quiz results. These are your proof of competence.
The Competency Matrix: Your Secret Audit Weapon
The Competency Matrix is the central document an auditor will want to see. It maps roles to the specific knowledge required to keep your AI infrastructure secure.
Who goes on the matrix? It shouldn’t be every single employee. Focus on those who have a role in the ISMS, those assigned to Annex A controls (like access control or encryption), and those listed in your roles and responsibilities documents.
A good matrix shows an auditor that you aren’t just guessing—you have a visual map of your security strengths and the areas where you are actively improving.
What to Expect During an ISO 27001 Audit
Auditors are methodical. They aren’t looking to “catch you out”; they are looking for a system. For Clause 7.2, they will check:
- Assigned Roles: Do you have people officially in charge of security?
- Proven Skills: Can you prove those people have the background to do the job?
- Continuous Improvement: If there’s a skill gap, do you have a plan to fix it?
They might review job descriptions, interview staff to check their understanding, and look at your training budget to ensure you’re actually supporting professional development.
3 Common Pitfalls for AI Startups
- Zero In-House ISO Experience: Many AI startups have brilliant engineers but no one who understands the ISO framework. The Fix: Get at least one person certified as a Lead Implementer.
- “Ghost” Roles: Assigning security responsibilities to a developer who doesn’t know they’ve been assigned. The Fix: Formally document and communicate roles.
- No Forward Planning: Having no training plan for the next 12 months. The Fix: Create a simple calendar of upcoming training sessions or certifications.
Frequently Asked Questions
Is a Competency Matrix mandatory? Technically, the standard doesn’t use the words “Competency Matrix,” but it’s the best-practice way to meet the requirement for “documented information.”
Does experience count? Yes! ISO 27001 explicitly states competence can come from “education, training, or experience.” If your lead dev has 10 years of experience in secure architecture, that counts.
Can we use consultants? Absolutely. Outsourcing is a valid way to “acquire competence,” especially while you are still building your internal team.
Conclusion: Building a Culture of Competence
For an AI company, Clause 7.2 is about more than just a certificate. It’s about building a resilient culture where everyone knows how to protect the data that powers your models. By investing in your team’s skills, you aren’t just satisfying an auditor—you’re building a foundation of trust that will help you scale faster and more securely.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.