ISO 27001 Clause 7.2 Competence: 10-Point Audit Checklist

In information security, a robust management system is built on more than just technology and policies; it is built on the people who operate it. ISO 27001 Clause 7.2 (Competence) is the bedrock of this human element. It ensures your team possesses the necessary skills, knowledge, and experience to protect your organisation’s valuable information assets.

This guide provides a practical, 10-point checklist to help you master the requirements of Clause 7.2 and confidently navigate your certification audit.

Key Insights for ISO 27001 Clause 7.2

  • Mandatory Requirement: You must prove that personnel affecting ISMS performance are qualified.
  • Implementation: Organisations must assign clear roles and identify specific security skill sets.
  • Auditor’s Focus: Expect scrutiny of your competency matrix, documented roles, and evidence of training.
  • Common Pitfalls: Frequent failures include lack of ISO 27001-specific expertise and missing training plans.

Decoding Clause 7.2: What is Competence?

Clause 7.2 ensures the “right people with the right skills” manage your Information Security Management System (ISMS). Without human capability, even the best technical controls will fail. In the 2022 update of the standard, these requirements remain a fundamental pillar for certification.

The Official ISO 27001:2022 Definition

The organisation shall:

  • Determine the necessary competence of person(s) doing work under its control.
  • Ensure these persons are competent based on education, training, or experience.
  • Take actions (where applicable) to acquire competence and evaluate the effectiveness of those actions.
  • Retain documented information as evidence.

The 10-Point ISO 27001 Competence Audit Checklist

1. Review Competency Requirements

Auditors look for a formal identification of skills for every role impacting the ISMS. Vague job descriptions are a major red flag.

  • Action: Map ISMS activities to specific roles and list the required skills in job profiles.

2. Define Competence Levels

Don’t just use “yes/no” for skills. Define maturity levels such as beginner, intermediate, or expert.

  • Action: Use a skills matrix to differentiate between required proficiency levels based on role risk.

3. Standardise Assessment Methods

You need a consistent way to measure current skills against your requirements.

  • Action: Implement formal self-assessments, peer reviews, or manager evaluations.

4. Build Training and Development Plans

If a gap exists between current skills and requirements, you must have a plan to close it.

  • Action: Create a proactive training calendar that links directly to identified competency gaps.

5. Measure Training Effectiveness

Attending a course isn’t enough; you must prove the employee actually learned the material.

  • Action: Use post-training quizzes, performance reviews, or on-the-job observations to “close the loop.”

6. Evidence Competence Maintenance

Security is an evolving discipline. Prove your team stays current with modern threats.

  • Action: Keep records of Continuous Professional Development (CPD) and certification renewals.

7. Maintain the Competency Matrix

This is your “Single Source of Truth” during an audit.

  • Action: Ensure your matrix is up-to-date and backed by certificates and CVs.

8. Establish a Competence Review Process

As your ISMS evolves (e.g., moving to the cloud), your skill requirements must change too.

  • Action: Schedule annual reviews of your competency requirements to reflect the current threat landscape.

9. Allocate Sufficient Training Resources

A training plan without a budget is just a wish list.

  • Action: Document management’s commitment to funding certifications, workshops, and learning materials.

10. Promote a Security-First Learning Culture

Auditors look for “soft” evidence that security is embedded in the company culture.

  • Action: Share security newsletters and recognise employees who achieve new certifications.

Top 3 Mistakes in ISO 27001 Clause 7.2 Compliance

1. Relying Solely on IT Staff

The Error: Assuming IT technicians automatically understand ISO 27001 management principles.
The Fix: Invest in ISO 27001 Lead Implementer or Lead Auditor training for key staff, or hire external specialists.

2. Failing to Document ISMS Roles

The Error: Informal assignment of security tasks without official role descriptions.
The Fix: Use a RACI matrix (Responsible, Accountable, Consulted, Informed) to define ISMS roles clearly.

3. No Forward-Looking Training Plan

The Error: Only documenting past training without planning for future needs.
The Fix: Create a 12-month training roadmap to demonstrate a commitment to continual improvement.

ISO 27001 Clause 7.2 FAQ

What is the difference between “Competence” and “Awareness”?

Competence (Clause 7.2) is role-specific (e.g., a firewall admin needs technical skill). Awareness (Clause 7.3) is universal (e.g., every employee must know the password policy).

Does experience count as competence?

Yes. The standard explicitly accepts a mix of education, training, and experience. Documented work history and performance reviews are valid evidence.

How often should we assess competence?

While the standard doesn’t set a timeframe, annual assessments during performance reviews or internal audits are considered best practice.

Conclusion: Competence as a Continuous Practice

ISO 27001 Clause 7.2 is more than a compliance hurdle; it is a strategy for building a resilient security culture. By moving from a “one-time event” mindset to a continuous cycle of assessment and development, you transform your team into your organisation’s greatest security asset.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director