In this ultimate how-to-audit guide to ISO 27001 Clause 7.2 Competence, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass/Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. ISMS Role-Specific Competency Defined
- 2. Competence Levels Matrix Established
- 3. Competency Gaps Formally Identified
- 4. Targeted Training Plans Implemented
- 5. Training Effectiveness Verified
- 6. Professional Development (CPD) Evidenced
- 7. Documented Evidence of Qualifications Retained
- 8. Periodic Competency Re-evaluation Conducted
- 9. Contractor and Third-Party Competence Verified
- 10. Resource Allocation for Training Confirmed
Auditing ISO 27001 Clause 7.2 Competence is the rigorous verification that personnel who influence information security performance are adequately skilled. The audit validates the primary implementation requirement of defining role-specific competency levels, ensuring that the organisation moves beyond simple attendance records to demonstrable proficiency. The business benefit is reduced operational risk: human resource capabilities are aligned directly with the ISMS security objectives, which helps prevent data breaches.
This checklist provides a rigorous verification framework for ISO 27001 Clause 7.2 (Competence), ensuring that personnel influencing information security performance are adequately skilled and qualified. Use this checklist to validate compliance with ISO 27001 Clause 7.2 by moving beyond simple training attendance to verify demonstrable competence and evidence-based role mapping.
1. ISMS Role-Specific Competency Defined
Verification Criteria: The organisation must have formally identified and documented the specific skills, education, and experience required for each role that affects information security performance (not just IT roles).
Required Evidence: Job descriptions or Role Profiles explicitly listing information security competency requirements (e.g., “Must hold CISSP” or “Proficient in secure coding”).
Pass/Fail Test: If security competency requirements are missing from job descriptions or are generic (e.g., “Must be secure”), mark as Non-Compliant.
2. Competence Levels Matrix Established
Verification Criteria: A structured mechanism (Skills Matrix) exists to differentiate between proficiency levels (e.g., Beginner, Competent, Expert) rather than a binary “Trained/Not Trained” status.
Required Evidence: A current Competency Matrix (Excel or GRC View) showing employees mapped against specific skill levels relevant to their ISMS role.
Pass/Fail Test: If the matrix only tracks “Attendance” without defining the level of competence required/achieved, mark as Non-Compliant.
3. Competency Gaps Formally Identified
Verification Criteria: There is a documented process for comparing current employee skills against the required competency levels to identify specific gaps.
Required Evidence: Gap Analysis reports or “Training Needs Analysis” records derived from the Competency Matrix reviews.
Pass/Fail Test: If there is no record of identified skill gaps despite changes in personnel or technology, mark as Non-Compliant.