ISO 27001 Clause 7.2 Audit Checklist

Auditing ISO 27001 Clause 7.2 (Competence) is the rigorous verification that personnel who influence information security performance are adequately skilled. The audit validates the primary implementation requirement, defining role-specific competency levels, so that the organisation moves beyond simple attendance records to demonstrable proficiency. The business benefit is reduced operational risk: human resource capabilities are aligned directly with ISMS security objectives, which helps prevent data breaches.

This checklist provides a rigorous verification framework for ISO 27001 Clause 7.2 (Competence), ensuring that personnel influencing information security performance are adequately skilled and qualified. Use this checklist to validate compliance with ISO 27001 Clause 7.2 by moving beyond simple training attendance to verify demonstrable competence and evidence-based role mapping.

1. ISMS Role-Specific Competency Defined

Verification Criteria: The organisation must have formally identified and documented the specific skills, education, and experience required for each role that affects information security performance (not just IT roles).
Required Evidence: Job descriptions or Role Profiles explicitly listing information security competency requirements (e.g., “Must hold CISSP” or “Proficient in secure coding”).

Pass/Fail Test: If security competency requirements are missing from job descriptions or are generic (e.g., “Must be secure”), mark as Non-Compliant.

2. Competence Levels Matrix Established

Verification Criteria: A structured mechanism (Skills Matrix) exists to differentiate between proficiency levels (e.g., Beginner, Competent, Expert) rather than a binary “Trained/Not Trained” status.
Required Evidence: A current Competency Matrix (Excel or GRC View) showing employees mapped against specific skill levels relevant to their ISMS role.

Pass/Fail Test: If the matrix only tracks “Attendance” without defining the level of competence required/achieved, mark as Non-Compliant.

3. Competency Gaps Formally Identified

Verification Criteria: There is a documented process for comparing current employee skills against the required competency levels to identify specific gaps.
Required Evidence: Gap Analysis reports or “Training Needs Analysis” records derived from the Competency Matrix reviews.

Pass/Fail Test: If there is no record of identified skill gaps despite changes in personnel or technology, mark as Non-Compliant.

4. Targeted Training Plans Implemented

Verification Criteria: Specific actions (training, mentoring, hiring) are planned and executed to address the identified competency gaps.
Required Evidence: A forward-looking Training Calendar or Personal Development Plans (PDPs) linked directly to the identified gaps.

Pass/Fail Test: If training is ad-hoc or not linked to specific identified competency needs, mark as Non-Compliant.

5. Training Effectiveness Verified

Verification Criteria: The organisation evaluates whether the training provided actually resulted in the acquisition of competence, not just that it was attended.
Required Evidence: Post-training quiz results, manager competence sign-offs, or evidence of practical application (e.g., successful phishing simulation results after training).

Pass/Fail Test: If files only contain “Course Completion Certificates” with no evaluation of learning (effectiveness), mark as Non-Compliant.

6. Professional Development (CPD) Evidenced

Verification Criteria: Key security personnel maintain their competence over time through continuous learning relevant to the evolving threat landscape.
Required Evidence: CPE/CPD logs for certified staff (e.g., CISSP/CISM maintenance records) or conference attendance records.

Pass/Fail Test: If security staff have no evidence of upskilling in the last 12 months, mark as Non-Compliant.

7. Documented Evidence of Qualifications Retained

Verification Criteria: The organisation retains verifiable proof of the education, training, and experience claimed by staff performing ISMS tasks.
Required Evidence: Copies of degrees, professional certifications, CVs/Resumes on file, and induction records.

Pass/Fail Test: If HR files are missing copies of the actual certificates or verified CVs for ISMS roles, mark as Non-Compliant.

8. Periodic Competency Re-evaluation Conducted

Verification Criteria: Competency requirements are not static; they are reviewed and updated periodically or when significant changes occur (e.g., cloud migration).
Required Evidence: Meeting minutes or version history of the Competency Matrix showing annual review and updates to requirements.

Pass/Fail Test: If the “Required Skills” list has not been reviewed or updated in >12 months, mark as Non-Compliant.

9. Contractor and Third-Party Competence Verified

Verification Criteria: External contractors performing security functions are subject to the same competency verification as internal staff.
Required Evidence: Service contracts specifying competency requirements or vetting records for contractor qualifications.

Pass/Fail Test: If contractors have administrative access but no evidence of competency verification exists, mark as Non-Compliant.

10. Resource Allocation for Training Confirmed

Verification Criteria: Management has allocated sufficient resources (budget and time) to support the necessary training and development actions.
Required Evidence: Approved training budget, invoices for training providers, or allocated study leave in timesheets.

Pass/Fail Test: If a training plan exists but has zero budget or zero execution evidence due to “lack of time,” mark as Non-Compliant.

| Control Requirement | The “Checkbox Compliance” Trap | The Reality Check |
| --- | --- | --- |
| Determine Necessary Competence | GRC tool links every user to a generic “Employee” profile. | Manual audit of high-risk roles (Admins, Devs) to ensure specific technical skills are defined. |
| Evidence of Training | Platform stores a PDF of a “Policy Read” receipt as “Training”. | Verify actual course completion content and test scores, not just policy acknowledgments. |
| Evaluate Effectiveness | System marks item as “Complete” once the video ends. | Request post-training assessment data or interview records confirming knowledge retention. |
| Retain Documented Information | Tool has a placeholder for “Certs” that is empty for 90% of staff. | Sample check 5 personnel files for actual copies of claimed certificates/degrees. |
| Review Competence | Set-and-forget logic: “Competent” status never expires. | Check for recurring validation cycles (e.g., annual recertification or skill gap reviews). |
| Address Competency Gaps | Platform alerts on “missing documents” but not “missing skills”. | Look for a Training Needs Analysis document that specifically targets skill deficiencies. |
| Contractor Competence | External users excluded from the LMS/GRC scope. | Audit contract clauses and onboarding records for third-party admins/developers. |

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
