In this ultimate guide to ISO 27001 Clause 7.2 Competence you will learn
- What is ISO 27001 Clause 7.2
- How to implement ISO 27001 Clause 7.2
- How to build a competency matrix
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.
Table of contents
- What is ISO 27001 Clause 7.2?
- How to Implement ISO 27001 Clause 7.2
- ISO 27001 Clause 7.2 YouTube Tutorial
- How do you demonstrate compliance to ISO 27001 clause 7.2?
- How to build your own competence matrix
- How to pass an audit of ISO 27001 Clause 7.2
- What the auditor will check
- Top 3 Mistakes People Make
- ISO 27001 Clause 7.2 FAQ
What is ISO 27001 Clause 7.2?
To run an information security management system you must have people with the competence to do so. This means having the skills and experience required.
ISO 27001 Clause 7.2 is an ISO 27001 control that requires an organisation to have people that are competent to do the work for information security.
ISO 27001 Clause 7.2 Purpose
The purpose of ISO 27001 Clause 7.2 is to make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.
ISO 27001 Clause 7.2 Definition
ISO 27001:2022 Clause 7.2 Competence
The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
How to Implement ISO 27001 Clause 7.2
Engage with trained ISO 27001 resources
Whether you engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time, or train internal staff on ISO 27001 Lead Auditor or ISO 27001 Lead Implementer courses, you need trained and experienced resources for your ISO 27001 certification.
Decide which resources to use when
To implement ISO 27001 Clause 7.2 you want to choose the correct resource for the correct phase of your information security management system (ISMS) lifecycle. This will ensure you have the correct competence when you need it.
Complete an accountability matrix
For each of the ISO 27001 clauses AND the ISO 27001 Annex A / ISO 27002 clauses you need to allocate and record who is responsible for that clause and control.
Complete a competency matrix
For each person involved in the operation of the Information Security Management System, be sure to record them in the competency matrix. The competency matrix allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.
Train People
ISO 27001 Clause 7.2 YouTube Tutorial
Watch the ISO 27001 Clause 7.2 YouTube tutorial: How to implement ISO 27001 Clause 7.2 Competence.
How do you demonstrate compliance to ISO 27001 clause 7.2?
How to build your own competence matrix
How to pass an audit of ISO 27001 Clause 7.2
To pass an audit of ISO 27001 Clause 7.2 you are going to:
- Understand the requirements of ISO 27001 Clause 7.2
- Identify the roles you need
- Allocate people to roles
- Assess the competency of people to perform those roles
- Address competency gaps through training or bringing in specialist help
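The competency matrix described earlier and the assess-then-address steps above, as an added worked example that is not part of the original guide: roles, people, competencies and evidence strings are constructed sample data, and the role names are assumptions rather than mandatory ISO 27001 roles.

```python
# Added example (not from the original guide): a minimal competency matrix with
# gap analysis mapped to ISO 27001 Clause 7.2 a)-d). Roles, people, competencies
# and evidence strings below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Person:
    name: str
    # competence -> evidence of education, training or experience (7.2 b and d)
    evidence: dict = field(default_factory=dict)

# 7.2 a): the competence each ISMS role needs (assumed role names; use your own)
ROLE_REQUIREMENTS = {
    "ISMS Manager": {"ISO 27001 Lead Implementer", "Risk assessment", "Internal audit"},
    "Internal Auditor": {"ISO 27001 Lead Auditor", "Internal audit"},
    "Risk Owner": {"Risk assessment"},
}

def competency_matrix(assignments, people):
    """One row per role: holder, evidenced competence held, and gaps.
    A role nobody is assigned to appears with no holder and every requirement as a gap."""
    matrix = {}
    for role, required in ROLE_REQUIREMENTS.items():
        holder = assignments.get(role)
        held = people[holder].evidence if holder else {}
        evidence = {c: held[c] for c in required if c in held}
        gaps = required - set(evidence)
        matrix[role] = {"holder": holder, "competent": not gaps,
                        "gaps": gaps, "evidence": evidence}
    return matrix

def action_plan(matrix):
    """7.2 c): one planned action per gap; the effectiveness check is still to be recorded."""
    plan = []
    for role, row in sorted(matrix.items()):
        for gap in sorted(row["gaps"]):
            action = ("Assign a person to the role" if row["holder"] is None
                      else f"Train or mentor {row['holder']} in {gap}")
            plan.append({"role": role, "competence": gap, "action": action,
                         "effectiveness_evaluated": False})
    return plan

# Constructed sample data: Risk Owner is deliberately left unassigned
PEOPLE = {
    "Alice": Person("Alice", {"ISO 27001 Lead Implementer": "Certificate, 2023",
                              "Risk assessment": "Led three risk assessments"}),
    "Bob": Person("Bob", {"ISO 27001 Lead Auditor": "Certificate, 2022",
                          "Internal audit": "Audited the ISMS in 2023"}),
}
ASSIGNMENTS = {"ISMS Manager": "Alice", "Internal Auditor": "Bob"}
```

Running `action_plan(competency_matrix(ASSIGNMENTS, PEOPLE))` yields one training action for Alice's missing internal audit competence and one assignment action for the unfilled Risk Owner role, which is the evidence an auditor asks for when a gap exists.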
What the auditor will check
The audit is going to check a number of areas for compliance with Clause 7.2. Let's go through them.
1. Roles are documented and assigned
The first step is to document the roles that make up the information security management system and to allocate those roles. The auditor is going to look for documented roles and for you to demonstrate that people are assigned to those roles.
2. Competence of people is documented
The roles that are documented and assigned must be assigned to people who are competent to perform the role, so the auditor is going to look for documented evidence of competence. This is where the competency matrix comes in. If you do not have the competence, documenting that and showing your plan to fill the competence gap is key.
Top 3 Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 clause 7.2 are:
1. You do not have anyone with experience in ISO 27001
The number 1 mistake is that you do not have anyone with any experience of ISO 27001. This is more common than you might imagine. To run an ISO 27001 Information Security Management System you are going to need training and/or experience of ISO 27001.
2. You did not document and assign roles
There are mandatory roles as part of your ISO 27001 implementation and the roles need documenting and assigning to people. A common mistake is not to document those roles or to formally assign them. We see this being given to someone in IT to manage without consideration for the wider roles that are required for an effective management system.
3. You have no training plans
As ISO 27001 is based on continual improvement, the auditor will look at the training plans and want to see evidence that competence is maintained. This usually takes the form of looking at the plans for the coming 12 months to see if any competence gaps or ongoing training requirements have been considered and documented.