ISO 27001:2022

ISO 27001 Clauses

Home / ISO 27001 Clauses / The Ultimate Guide to ISO 27001:2022 Clause 7.2: Competence

The Ultimate Guide to ISO 27001:2022 Clause 7.2: Competence

Last updated Sep 17, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Competence

ISO 27001 Competence is the requirement that the people working on the information security management systems have the relevant skills and experience to do so effectively.

In ISO 27001 this is known as ISO27001:2022 Clause 7.2 Competence. It is one of the mandatory ISO 27001 clauses.

To run an information security management system you must have people with the competence to do so. This means having the skills and experience required.

Key Takeaways

Mandatory Requirement: The clause is a mandatory requirement that ensures personnel working on the information security management system (ISMS) have the necessary skills and experience.
Implementation: Organisations must engage with trained ISO 27001 resources, assign roles and responsibilities, and identify the required information security skills.
Auditor’s Focus: Auditors will verify compliance by checking for documented roles, evidence of competence (e.g., a competency matrix), and training plans to address any gaps.
Common Mistakes: The most frequent errors include not having anyone with ISO 27001 experience, failing to document roles, and neglecting to create training plans to maintain competence.

ISO 27001 Competence
Key Takeaways
What is ISO 27001 Clause 7.2 and Why is it Important?
ISO 27001 Clause 7.2 Explained: A Complete Guide
How to implement ISO 27001 Clause 7.2: Step-By-Step
How to audit ISO 27001 clause 7.2
How to pass the ISO 27001 Clause 7.2 audit
Top 3 ISO 27001 Clause 7.2 Mistakes and How to Fix Them
ISO 27001 Clause 7.2: Competence FAQ
Related ISO 27001 Controls
Further Reading

What is ISO 27001 Clause 7.2 and Why is it Important?

ISO 27001 competence is ensuring you have the skills and experience to run the information security management system.

What is does it mean? It means you have people on the team when we’re running your information security management system (ISMS) that know how to run the management system.

This clause is all about people and their skills, experience and competency.

You cannot have ISO 27001 and go for certification if nobody knows any anything about ISO 27001, they’ve got no experience in ISO 27001 and they’ve got no knowledge in ISO 27001.

Purpose and Definition

The purpose of ISO 27001 Clause 7.2 Competence is to make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.

The ISO 27001 standard defines ISO Clause 7.2 Competence as:

The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
ISO 27001:2022 Clause 7.2 Competence

ISO 27001 Clause 7.2 Requirement

The requirement for ISO 27001 Competence far out reaches just information security.

The organisation as a whole has departments that contribute to the success of the organisation that also play into an effective information security management system.

We can consider HR, legal and regulatory compliance, commercial, and Information Technology (IT) teams.

There are distinct phases in the process of ISO 27001 certification. Each of those phases potentially requires a different level of skill, knowledge and experience. It is possible that this is one person but the likelihood is you are going to get specialist help for the establishment and implementation phase. It can make sense to reduce the reliance on that specialist help when it comes to maintenance and continual improvement. Only using that knowledge and expertise for training and sense checking.

Get the Small Business ISO 27001 Toolkit >

ISO 27001 Clause 7.2 Explained: A Complete Guide

In the ISO 27001 tutorial How to implement ISO 27001 Clause 7.2 Competence I show you how to implement it and how to pass the audit.

How to implement ISO 27001 Clause 7.2: Step-By-Step

ISO 27001 Clause 7.2 is a crucial part of an Information Security Management System (ISMS), focusing on the competence of people working under the organisation’s control. While Clause 7.1 deals with resources, Clause 7.2 specifically addresses the skills, knowledge, and experience needed to protect information assets. Implementing this clause is not just a box-ticking exercise; it’s about building a robust and knowledgeable security culture. This step-by-step guide will walk you through the essential actions to ensure all personnel are competent to perform their duties and contribute effectively to the ISMS.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 7.2 Competence

Engage with trained ISO 27001 resources
Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.
Decide which resources to use when
To implement ISO 27001 Clause 7.2 Competence you want to choose the correct resource for the correct phase of your information security management system (ISMS) lifecycle. This will ensure you have the correct competence when you need it.
Our guide would be
ISO 27001 Establishment: use specialist resource
ISO 27001 Implementation: use specialist resource
ISO 27001 Certification: use specialist resource in combination with your own staff
ISO 27001 Maintenance: use your own staff with training and sense checking by specialist resource
ISO 27001 Continual Improvement: use your own staff with training and sense checking by specialist resource
Assign the ISO 27001 Roles and Responsibilities
There are required roles in the information security management system and people need assigning to those roles. Learn what roles you need and who to assign to them in ISO 27001 Clause 7.1 Resources.
Complete the ISO 27001 Accountability Matrix
For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. Complete the ISO 27001 accountability matrix template.
Identify the required Information Security Skills
It is up to you to decide what information security skills you need. There are some industry best practice for you to consider. The examples are included in the competency matrix and common qualifications are:
CISSP
CISA
CISM
PCI DSS
GDPR / data protection
ISO 27001 Lead Auditor
ISO 27001 Lead Implementer.

If I was going to do the bare minimum I would just have the 27001 Lead Auditor / ISO 27001 Lead Implementor column because that is specific but the other ones if you have them or they’re aspirational or they’re relevant to you then, then you would include them in there.
If there are other information security relevant skills that you either have in your company or that you aspire to, or you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, AWS security qualification or skills or experience.
Complete the ISO 27001 Competency Matrix
Competency will be record in a competency matrix. This is the record of the relevant skills and experience that people have. For each person involved in the operation of the Information Security Management System be sure to record them in them in the competency matrix. The competency matrix template allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.
Manage Competence
Competence is something that will evolve and will be managed.
You will have people that are
trained
experienced
qualified
training is planned for them
they have a gap in competence
You will evidence that you are managing your requirements for competence.
Evidence competence
For a belts and braces again I have seen this, it does say to record evidence of the competence.
It may well be that in conjunction with the HR that you keep copies of, courses, quizzes, references and certifications that you’ve done that can demonstrate that level of competence.
Determine Legal Competence
Depending on the size of the business it is unlikely you will have in house legal counsel. So how do you demonstrate that you have competence? Well you probably outsource your legal requirements to a third party law firm. As long as you have a contract and can evidence it then you can demonstrate your competence compliance by simply outsourcing the function. GDPR and Data Protection outside of your grasp for a full time employee? Of course it is. So outsource it and engage a third party company, have a contract in place and record that in your competency matrix.
Implement ISO 27001 Training
ISO 27001 training can help you gain the skills and experience in house and is an option to consider. ISO 27001 lead auditor training, ISO 27001 lead implementor training and associated courses are readily available to choose from. For book knowledge to the standard these are an ideal starting point. It can be problematic when it comes to actually applying the learnings though as they tend to focus heavily on the semantics of the standard rather than real world implementation and they will not cover your particular implementation.
Will they tick the box when it comes to the ISO 27001 certification? If you haven’t got specialist outside help then yes, they most definitely will.
There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free. There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself. If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.

How can an ISO 27001 Toolkit help with ISO 27001 Clause 7.3?

For ISO 27001 Clause 7.2 Competence the entire ISO 27001 toolkit is relevant but in particular the following templates directly support this ISO 27001 clause:

ISO 27001 Competency Matrix Template

The ISO 27001 competency matrix template is used to record the employees and the skills that they have, the skills they require and any training needs. It is directly supports clause 7.2 and is a key document to meeting it.

ISO 27001 Accountability Template

The ISO 27001 accountability template records which employees are accountable and responsible for the information security management system and all of the ISO 27001 Annex A controls. It is a key document in identifying and recording who is doing what and is used along with the competency matrix to record the skills and experience they have for the areas that they have been assigned.

ISO 27001 Training Policy Template

The ISO 27001 training policy template is a supporting document that sets out the organisations approach to training and commitment to ensuring employees have the skills and experience that they need to perform the roles that they have been assigned to.

ISO 27001 Training and Awareness Policy Template

The Role of External Consultants and Outsourcing

It can be useful to rely on the competence of third parties. If you engage with third parties and consultants then this is a fast track to the evidence of competence for the areas that they cover.

How to build your own competence matrix

This particular video on How to Build a Competency Matrix has been viewed over 24,000 times and in it we show you how to build the competency matrix from scratch if you don’t want to download and use the ISO 27001 Competence Matrix Template.

How to audit ISO 27001 clause 7.2

This audit checklist is a guide on how to conduct an internal audit of ISO 27001clause 7.2 competence based on what the ISO 27001 certification auditor will audit. It gives practical audit tips including what to audit and how.

1. Review Competency Requirements

Verify the organisation has identified the necessary competencies for ISMS-related roles.

Audit Techniques: Document review (job descriptions, role profiles, competency frameworks), interviews with management and HR personnel, analysis of ISMS activities and their required skills.

2. Assess Competence Levels

Ensure that competence levels are defined for each required competency.

Document review (competency frameworks, skills matrices), interviews with subject matter experts, analysis of competence level descriptions for clarity and measurability.

3. Evaluate Competence Assessment Methods

Verify that appropriate methods are used to assess the current competence of personnel.

Review of assessment procedures (self-assessments, peer reviews, manager evaluations, skills tests), interviews with HR and training personnel, observation of assessment activities.

4. Examine Training and Development Plans

Ensure that plans are in place to address identified competence gaps.

Document review (training plans, development programs), interviews with training personnel and managers, analysis of training needs assessments.

5. Assess Training Effectiveness

Verify that the effectiveness of training and development activities is evaluated.

Review of training evaluation methods (post-training quizzes, on-the-job observations, performance reviews), interviews with trainees and their managers, analysis of training feedback and performance data.

6. Evaluate Competence Maintenance

Ensure that personnel maintain their competence over time.

Review of continuous learning and professional development programs, interviews with employees and their managers, examination of certification renewal and recertification records.

7. Examine Competence Records

Verify that records of personnel competence, training, and development activities are maintained.

Document review (training records, competency assessments, performance reviews), interviews with HR personnel, inspection of training management systems and databases.

8. Assess Competence Review Process

Ensure that competence requirements are regularly reviewed.

Review of competence review procedures, interviews with management and HR personnel, analysis of changes in ISMS requirements and their impact on competency needs.

9. Evaluate Training Resources

Verify that adequate resources are available to support training and development activities.

Interviews with training personnel and budget holders, review of training budgets and resource allocation plans, examination of training facilities and equipment.

10. Assess Promotion of Learning Culture

Verify that the organization promotes a culture of continuous learning and development.

Interviews with employees at different levels, review of communication materials related to training and development, analysis of employee engagement in learning activities, examination of reward and recognition programs related to skills development.

How to pass the ISO 27001 Clause 7.2 audit

To pass an audit of ISO 27001 Clause 7.2 Competence you are going to

Understand the requirements of ISO 27001 Competence
Identify the roles you need
Allocate people to roles
Assess the competency of people to perform those roles
Address competency gaps through training or bringing in specialist help

What an auditor looks for

The audit is going to check a number of areas for compliance with ISO 27001 Clause 7.2 Competence. Lets go through them

1. Roles are documented and assigned

The first step is to document the roles that make up the information security management system and to allocates those roles. The auditor is going to look for documented roles and for you to demonstrate that people are assigned to those roles.

2. That Competence of People is Documented

The roles are that are document and assigned must be assigned to people that are competent to perform the role so the auditor is going to look for documented evidence of competence. This is where the competency matrix comes in. If you do not have competence, documenting that and showing your plan to fill the competence gap is key.

Top 3 ISO 27001 Clause 7.2 Mistakes and How to Fix Them

In my experience, the top 3 mistakes people make for ISO 27001 clause 7.2 are

1. You do not have anyone with experience in ISO 27001

The number 1 mistake is that you do not have anyone with any experience of ISO 27001. This is more common than you might imagine. To run and ISO 27001 Information Security Management System you are going to need training and / or experience of ISO 27001.

2. You did not document and assign roles

There are mandatory roles as part of your ISO 27001 implementation and the roles need documenting and assigning to people. A common mistake is not to document those roles or to formally assign them. We see this being given to someone in IT to manage without consideration for the wider roles that are required for an effective management system.

3. You have no training plans

As ISO 27001 is based on continual improvement we see that the auditor will look at the training plans and want to see evidence that competence is maintained. This is usually in the form at looking that the plans for the coming 12 months to see if any competence gaps or ongoing training requirements have been considered and documented.

ISO 27001 Clause 7.2: Competence FAQ

What is ISO 27001 Clause 7.2 Competence ?

ISO 27001 Clause 7.2, also known as the competence clause, requires organizations to determine the necessary competence of people doing work under their control that affects information security performance. This means the organization must identify the skills, knowledge, and experience needed for each role that impacts the Information Security Management System (ISMS), ensure that people in those roles possess them, and keep documented evidence of their competence.

What are the ISO27001:2022 Changes to Clause 7.2?

Great news. There are no changes to ISO 27001 Clause 7.2 in the 2022 update.

What’s the difference between “competence” and “awareness” in ISO 27001?

Competence (Clause 7.2) is about having the specific knowledge, skills, and experience to perform a job effectively, especially as it relates to information security. It’s a role-specific requirement. Awareness (Clause 7.3) is about ensuring all people under the organization’s control are aware of the information security policy, their contribution to the ISMS, and the implications of not conforming. Awareness is a universal requirement for all personnel, while competence is targeted to specific roles.

How do I evidence I meet the requirement of ISO 27001 Competence?

The best way is to record the skills of your resources in a Competency Matrix.

How do you demonstrate competence to an auditor?

You can demonstrate competence by providing documented evidence such as:
1. Job descriptions that outline required skills.
2. Resumes or CVs showing relevant experience.
3. Training records, certificates, or qualifications.
4. Records of on-the-job training or mentoring programs.
5.Performance reviews that assess security-related tasks.
Auditors may also conduct interviews to verify that personnel understand their responsibilities.

Can you show me how to build an ISO 27001 competence matrix?

Yes, in this video we show you step by step how to build your own ISO 27001 competence matrix from scratch in around 15 minutes.

What is a competency matrix and is it required?

A competency matrix is a tool, usually a spreadsheet, that maps personnel roles and responsibilities to the required skills, knowledge, and experience for information security. While it’s not explicitly required by the standard, it’s considered best practice because it provides a clear, documented way to demonstrate compliance with Clause 7.2, identify skill gaps, and manage training needs.

What actions are needed to ensure competence?

If an organization identifies a competence gap, Clause 7.2 requires them to take action. This may include:
1. Providing training, such as workshops, e-learning courses, or seminars.
2. Offering mentoring or on-the-job guidance from experienced staff.
3. Encouraging professional development and obtaining certifications.
4. Reassigning roles or hiring new, competent personnel.
The organization must also evaluate the effectiveness of these actions.

Do all employees need to be information security experts?

No, the standard does not require everyone to be an information security expert. It only requires that personnel are competent for the work they do that affects the ISMS. For example, an IT administrator needs technical security skills, while a call centre agent needs training on how to handle customer data securely and validate identities.

How often should competence be assessed?

ISO 27001 doesn’t specify a frequency, but competence should be reviewed regularly to ensure it remains current with evolving threats and changes in roles or technologies. This can be done as part of annual performance reviews, during internal audits, or when new security risks are identified.

What happens if an auditor finds a non-conformity in Clause 7.2?

A non-conformity in Clause 7.2 means the organization hasn’t sufficiently demonstrated that its personnel are competent to manage information security risks. This could be due to a lack of documented evidence, skill gaps, or ineffective training. The organization would then be required to implement corrective actions to address the issue and show evidence of improvement to the auditor.

Does experience count as competence?

Yes, absolutely. The standard explicitly states that competence can be based on appropriate “education, training, or experience.” Experience is a crucial component, and organizations should document it through job descriptions, performance reviews, or other records that highlight the individual’s history and accomplishments related to information security.

Can I use external resource for ISO 27001 Clause 7.2 Competence?

Yes. Many companies seek the help of qualified, experienced third party suppliers to help with ISO 27001

Can I train my staff to meet the requirements of ISO 27001 Clause 7.2 Competence?

Yes, there are many reputable training courses for ISO 27001 Lead Auditor and ISO 27001 Lead Implementor.

How can we make competence-building cost-effective?

To build competence without breaking the bank, consider these strategies:
1. Internal training: Have experienced employees mentor or train their colleagues.
2. Knowledge sharing: Create forums or sessions for team members to share insights on emerging threats and best practices.
3. Free resources: Encourage self-study using free online resources, articles, and government-provided security guides.
4. Cross-training: Allow employees to work on different security projects to broaden their experience.

ISO 27001 Annex A 8.32: Change Management

ISO 27001 Annex A 5.4: Management Responsibilities

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.