ISO 27001 Competence
To run an information security management system you must have people with the competence to do so. This means having the skills and experience required.
Table of contents
- ISO 27001 Competence
- What is ISO 27001 Clause 7.2?
- How to implement ISO 27001 Clause 7.2
- The role of external employees
- ISO 27001 Clause 7.2 Implementation Checklist
- ISO 27001 Clause 7.2 Audit Checklist
- Watch the Tutorial
- ISO 27001 Competency Matrix Template
- ISO 27001 Accountability Template
- ISO 27001 Training Policy Template
- How to build your own competence matrix
- How to pass an audit of ISO 27001 Clause 7.2
- What the auditor will check
- Common ISO 27001 Clause 7.2
- ISO 27001 Clause 7.2 FAQ
What is ISO 27001 Clause 7.2?
ISO 27001 competence is ensuring you have the skills and experience to run the information security management system.
What is does it mean? It means you have people on the team when we’re running your information security management system (ISMS) that know how to run the management system.
You cannot have ISO 27001 and go for certification if nobody knows any anything about it, they’ve got no experience in it and they’ve got no knowledge in it.
ISO 27001 Clause 7.2 Competence is an ISO 27001 control that requires an organisation to have people that are competent to do the work for information security.
ISO 27001 Clause 7.2 Purpose
The purpose of ISO 27001 Clause 7.2 is to make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.
ISO 27001 Clause 7.2 Definition
The organisation shall:
ISO 27001:2022 Clause 7.2 Competence
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
ISO 27001 Clause 7.2 Requirement
How to implement ISO 27001 Clause 7.2
Time needed: 1 hour and 30 minutes
How to implement ISO 27001 Clause 7.2 Competence
- Engage with trained ISO 27001 resources
Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.
- Decide which resources to use when
To implement ISO 27001 Clause 7.2 Competence you want to choose the correct resource for the correct phase of your information security management system (ISMS) lifecycle. This will ensure you have the correct competence when you need it.
Our guide would be
ISO 27001 Establishment: use specialist resource
ISO 27001 Implementation: use specialist resource
ISO 27001 Certification: use specialist resource in combination with your own staff
ISO 27001 Maintenance: use your own staff with training and sense checking by specialist resource
ISO 27001 Continual Improvement: use your own staff with training and sense checking by specialist resource - Assign the ISO 27001 Roles and Responsibilities
There are required roles in the information security management system and people need assigning to those roles. Learn what roles you need and who to assign to them in ISO 27001 Clause 7.1 Resources.
- Complete the ISO 27001 Accountability Matrix
For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. Complete the ISO 27001 accountability matrix template.
- Identify the required Information Security Skills
It is up to you to decide what information security skills you need. There are some industry best practice for you to consider. The examples are included in the competency matrix and common qualifications are:
CISSP
CISA
CISM
PCI DSS
GDPR / data protection
ISO 27001 Lead Auditor
ISO 27001 Lead Implementer.
If I was going to do the bare minimum I would just have the 27001 Lead Auditor / ISO 27001 Lead Implementor column because that is specific but the other ones if you have them or they’re aspirational or they’re relevant to you then, then you would include them in there.
If there are other information security relevant skills that you either have in your company or that you aspire to, or you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, AWS security qualification or skills or experience. - Complete the ISO 27001 Competency Matrix
Competency will be record in a competency matrix. This is the record of the relevant skills and experience that people have. For each person involved in the operation of the Information Security Management System be sure to record them in them in the competency matrix. The competency matrix template allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.
- Manage Competence
Competence is something that will evolve and will be managed.
You will have people that are
trained
experienced
qualified
training is planned for them
they have a gap in competence
You will evidence that you are managing your requirements for competence. - Evidence competence
For a belts and braces again I have seen this, it does say to record evidence of the competence.
It may well be that in conjunction with the HR that you keep copies of, courses, quizzes, references and certifications that you’ve done that can demonstrate that level of competence. - Determine Legal Competence
Depending on the size of the business it is unlikely you will have in house legal counsel. So how do you demonstrate that you have competence? Well you probably outsource your legal requirements to a third party law firm. As long as you have a contract and can evidence it then you can demonstrate your competence compliance by simply outsourcing the function. GDPR and Data Protection outside of your grasp for a full time employee? Of course it is. So outsource it and engage a third party company, have a contract in place and record that in your competency matrix.
- Implement ISO 27001 Training
ISO 27001 training can help you gain the skills and experience in house and is an option to consider. ISO 27001 lead auditor training, ISO 27001 lead implementor training and associated courses are readily available to choose from. For book knowledge to the standard these are an ideal starting point. It can be problematic when it comes to actually applying the learnings though as they tend to focus heavily on the semantics of the standard rather than real world implementation and they will not cover your particular implementation.
Will they tick the box when it comes to the ISO 27001 certification? If you haven’t got specialist outside help then yes, they most definitely will.
There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free. There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself. If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.
The role of external employees
It can be useful to rely on the competence of third parties. If you engage with third parties and consultants then this is a fast track to the evidence of competence for the areas that they cover.
ISO 27001 Clause 7.2 Implementation Checklist
Competence ISO 27001 Clause 7.2 Implementation Checklist
1. Identify Necessary Competencies
Determine the competencies needed for personnel performing activities that can impact information security.
Challenge
Difficulty in comprehensively identifying all necessary competencies, especially for specialised roles. Overlooking soft skills or business context.
Solution
Conduct a thorough job analysis for each role. Involve representatives from different departments. Consider both technical and non-technical skills. Regularly review and update competency requirements.
2. Define Competence Levels
Establish clear competence levels for each identified competency.
Challenge
Difficulty in defining objective and measurable competence levels.
Solution
Use a competency framework or skills matrix. Define specific knowledge, skills, and experience required for each level. Use examples of observable behaviours to illustrate competence levels.
3. Assess Current Competence
Evaluate the current competence of personnel against the defined competence levels.
Challenge
Difficulty in objectively assessing competence. Bias in performance reviews.
Solution
Use a variety of assessment methods, such as self-assessments, peer reviews, manager evaluations, and skills tests. Ensure assessors are trained and objective.
4. Address Competence Gaps
Develop plans to address any identified competence gaps.
Challenge
Difficulty in providing appropriate training. Budget constraints. Time constraints for employees.
Solution
Offer a range of training options, such as online courses, in-person workshops, on-the-job training, and mentoring. Prioritise training based on risk and business needs.
5. Provide Training and Development
Provide training and development opportunities to personnel to enhance their competence.
Challenge
Difficulty in keeping training materials up-to-date. Lack of employee engagement in training.
Solution
Regularly review and update training materials. Make training relevant and engaging. Use a variety of training methods.
6. Evaluate Training Effectiveness
Evaluate the effectiveness of training and development activities.
Challenge
Difficulty in measuring the impact of training on job performance.
Solution
Use a variety of evaluation methods, such as post-training quizzes, on-the-job observations, and performance reviews. Gather feedback from trainees and their managers.
7. Maintain Competence
Ensure that personnel maintain their competence over time.
Challenge
Difficulty in keeping skills current in a rapidly changing environment. Employee turnover.
Solution
Encourage continuous learning and professional development. Provide access to resources such as industry publications and conferences. Implement a knowledge management system.
8. Document Competence
Maintain records of personnel competence, training, and development activities.
Challenge
Difficulty in keeping records up-to-date. Lack of integration with other HR systems.
Solution
Use a centralised training management system. Regularly review and update competence records.
9. Regularly Review Competence Requirements
Regularly review competence requirements to ensure they remain aligned with the ISMS and business needs.
Challenge
Difficulty in anticipating future competence needs. Changes in the business environment.
Solution
Integrate competence reviews with other ISMS processes, such as management review and risk assessment. Conduct regular workforce planning exercises.
10. Promote a Culture of Learning
Foster a culture of continuous learning and development within the organization.
Challenge
Lack of employee motivation to learn. Resistance to change.
Solution
Communicate the importance of competence to employees. Recognise and reward employees who demonstrate a commitment to learning. Provide opportunities for career advancement.
ISO 27001 Clause 7.2 Audit Checklist
How to audit ISO 27001 Clause 7.2 Competence
1. Review Competency Requirements
Verify the organisation has identified the necessary competencies for ISMS-related roles.
Audit Techniques: Document review (job descriptions, role profiles, competency frameworks), interviews with management and HR personnel, analysis of ISMS activities and their required skills.
2. Assess Competence Levels
Ensure that competence levels are defined for each required competency.
- Document review (competency frameworks, skills matrices), interviews with subject matter experts, analysis of competence level descriptions for clarity and measurability.
3. Evaluate Competence Assessment Methods
Verify that appropriate methods are used to assess the current competence of personnel.
- Review of assessment procedures (self-assessments, peer reviews, manager evaluations, skills tests), interviews with HR and training personnel, observation of assessment activities.
4. Examine Training and Development Plans
Ensure that plans are in place to address identified competence gaps.
- Document review (training plans, development programs), interviews with training personnel and managers, analysis of training needs assessments.
5. Assess Training Effectiveness
Verify that the effectiveness of training and development activities is evaluated.
- Review of training evaluation methods (post-training quizzes, on-the-job observations, performance reviews), interviews with trainees and their managers, analysis of training feedback and performance data.
6. Evaluate Competence Maintenance
Ensure that personnel maintain their competence over time.
- Review of continuous learning and professional development programs, interviews with employees and their managers, examination of certification renewal and recertification records.
7. Examine Competence Records
Verify that records of personnel competence, training, and development activities are maintained.
- Document review (training records, competency assessments, performance reviews), interviews with HR personnel, inspection of training management systems and databases.
8. Assess Competence Review Process
Ensure that competence requirements are regularly reviewed.
- Review of competence review procedures, interviews with management and HR personnel, analysis of changes in ISMS requirements and their impact on competency needs.
9. Evaluate Training Resources
Verify that adequate resources are available to support training and development activities.
- Interviews with training personnel and budget holders, review of training budgets and resource allocation plans, examination of training facilities and equipment.
10. Assess Promotion of Learning Culture
Verify that the organization promotes a culture of continuous learning and development.
- Interviews with employees at different levels, review of communication materials related to training and development, analysis of employee engagement in learning activities, examination of reward and recognition programs related to skills development.
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 7.2 Competence
ISO 27001 Competency Matrix Template
ISO 27001 Accountability Template
ISO 27001 Training Policy Template
How to build your own competence matrix
How to pass an audit of ISO 27001 Clause 7.2
To pass an audit of ISO 27001 Clause 7.2 Competence you are going to
- Understand the requirements of ISO 27001 Competence
- Identify the roles you need
- Allocate people to roles
- Assess the competency of people to perform those roles
- Address competency gaps through training or bringing in specialist help
What the auditor will check
The audit is going to check a number of areas for compliance with Clause 7.2. Lets go through them
1. Roles are documented and assigned
The first step is to document the roles that make up the information security management system and to allocates those roles. The auditor is going to look for documented roles and for you to demonstrate that people are assigned to those roles.
2. That Competence of People is Documented
The roles are that are document and assigned must be assigned to people that are competent to perform the role so the auditor is going to look for documented evidence of competence. This is where the competency matrix comes in. If you do not have competence, documenting that and showing your plan to fill the competence gap is key.
Common ISO 27001 Clause 7.2
In my experience, the top 3 mistakes people make for ISO 27001 clause 7.2 are
1. You do not have anyone with experience in ISO 27001
The number 1 mistake is that you do not have anyone with any experience of ISO 27001. This is more common than you might imagine. To run and ISO 27001 Information Security Management System you are going to need training and / or experience of ISO 27001.
2. You did not document and assign roles
There are mandatory roles as part of your ISO 27001 implementation and the roles need documenting and assigning to people. A common mistake is not to document those roles or to formally assign them. We see this being given to someone in IT to manage without consideration for the wider roles that are required for an effective management system.
3. You have no training plans
As ISO 27001 is based on continual improvement we see that the auditor will look at the training plans and want to see evidence that competence is maintained. This is usually in the form at looking that the plans for the coming 12 months to see if any competence gaps or ongoing training requirements have been considered and documented.