ISO 27001 Clause 7.2 Competence

Home / ISO 27001 Clauses / ISO 27001 Clause 7.2 Competence

ISO 27001 Competence

To run an information security management system you must have people with the competence to do so. This means having the skills and experience required.

What is ISO 27001 Clause 7.2?

ISO 27001 competence is about ensuring you have the skills and experience to run the information security management system.

What is does it mean? It means you have people on the team when we’re running your information security management system (ISMS) that know how to run the management system.

You cannot have ISO 27001 and go for certification if nobody knows any anything about it, they’ve got no experience in it and they’ve got no knowledge in it.

ISO 27001 Clause 7.2 Competence is an ISO 27001 control that requires an organisation to have people that are competent to do the work for information security.

This clause is all about people and their skills, experience and competency.

The ISO 27001 standard for ISO 27001 certification wants you to have the right people with the right skills for running ISO 27001.

Purpose

The purpose of ISO 27001 Clause 7.2 is to make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.

Definition

ISO 27001 defines ISO Clause 7.2 as:

The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

ISO 27001:2022 Clause 7.2 Competence

Requirement

The requirement for ISO 27001 Competence far out reaches just information security.

The organisation as a whole has departments that contribute to the success of the organisation that also play into an effective information security management system.

We can consider HR, legal and regulatory compliance, commercial, and Information Technology (IT) teams.

There are distinct phases in the process of ISO 27001 certification. Each of those phases potentially requires a different level of skill, knowledge and experience. It is possible that this is one person but the likelihood is you are going to get specialist help for the establishment and implementation phase. It can make sense to reduce the reliance on that specialist help when it comes to maintenance and continual improvement. Only using that knowledge and expertise for training and sense checking.

ISO 27001 Toolkit

Implementation Guide

Engage with trained ISO 27001 resources

Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.

Decide which resources to use when

To implement ISO 27001 Clause 7.2 Competence you want to choose the correct resource for the correct phase of your information security management system (ISMS) lifecycle. This will ensure you have the correct competence when you need it.

Our guide would be

ISO 27001 Establishment: use specialist resource

ISO 27001 Implementation: use specialist resource

ISO 27001 Certification: use specialist resource in combination with your own staff

ISO 27001 Maintenance: use your own staff with training and sense checking by specialist resource

ISO 27001 Continual Improvement: use your own staff with training and sense checking by specialist resource

ISO 27001 Roles and Responsibilities Assignement

There are required roles in the information security management system and people need assigning to those roles. Learn what roles you need and who to assign to them in ISO 27001 Clause 7.1 Resources.

ISO 27001 Accountability Matrix

For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. Complete the ISO 27001 accountability matrix template.

ISO-27001-RASCI-Matrix-Free-PDF-Example-1-1

Information Security Skills

It is up to you to decide what information security skills you need. There are some industry best practice for you to consider. The examples are included in the competency matrix and common qualifications are:

  • CISSP
  • CISA
  • CISM
  • PCI DSS
  • GDPR / data protection
  • ISO 27001 Lead Auditor
  • ISO 27001 Lead Implementer.

If I was going to do the bare minimum I would just have the 27001 Lead Auditor / ISO 27001 Lead Implementor column because that is specific but the other ones if you have them or they’re aspirational or they’re relevant to you then, then you would include them in there.

If there are other information security relevant skills that you either have in your company or that you aspire to, or you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, AWS security qualification or skills or experience.

ISO 27001 Competency Matrix

Competency will be record in a competency matrix. This is the record of the relevant skills and experience that people have.

For each person involved in the operation of the Information Security Management System be sure to record them in them in the competency matrix. The competency matrix template allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.

ISO 27001 Competence Matrix Example

Competence and Training

ISO 27001 training can help you gain the skills and experience in house and is an option to consider.

ISO 27001 lead auditor training, ISO 27001 lead implementor training and associated courses are readily available to choose from. For book knowledge to the standard these are an ideal starting point. It can be problematic when it comes to actually applying the learnings though as they tend to focus heavily on the semantics of the standard rather than real world implementation and they will not cover your particular implementation.

Will they tick the box when it comes to the ISO 27001 certification? If you haven’t got specialist outside help then yes, they most definitely will.

There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free. There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself. If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.

Of course you can do ALL of it with the ISO 27001 Toolkit which includes all of the resources, step by step guides and video walkthroughs you will need with the ability to by specialist help by the hour.

Managing Competence

Competence is something that will evolve and will be managed.

You will have people that are

  • trained
  • experienced
  • qualified
  • training is planned for them
  • they have a gap in competence

You will evidence that you are managing your requirements for competence.

Evidence of Competence

For a belts and braces again I have seen this, it does say to record evidence of the competence.

It may well be that in conjunction with the HR that you keep copies of

  • courses
  • quizzes
  • references
  • certifications

that you’ve done that can demonstrate that level of competence.

External Employees

It can be useful to rely on the competence of third parties. If you engage with third parties and consultants then this is a fast track to the evidence of competence for the areas that they cover.

Depending on the size of the business it is unlikely you will have in house legal counsel. So how do you demonstrate that you have competence? Well you probably outsource your legal requirements to a third party law firm. As long as you have a contract and can evidence it then you can demonstrate your competence compliance by simply outsourcing the function. GDPR and Data Protection outside of your grasp for a full time employee? Of course it is. So outsource it and engage a third party company, have a contract in place and record that in your competency matrix.

Implementation Checklist

Competence ISO 27001 Clause 7.2 Implementation Checklist

Identify Necessary Competencies

Determine the competencies needed for personnel performing activities that can impact information security.

Challenge:

Difficulty in comprehensively identifying all necessary competencies, especially for specialised roles. Overlooking soft skills or business context.

Solution:

Conduct a thorough job analysis for each role. Involve representatives from different departments. Consider both technical and non-technical skills. Regularly review and update competency requirements.

Define Competence Levels

Establish clear competence levels for each identified competency.

Challenge:

Difficulty in defining objective and measurable competence levels.

Solution:

Use a competency framework or skills matrix. Define specific knowledge, skills, and experience required for each level. Use examples of observable behaviours to illustrate competence levels.

Assess Current Competence

Evaluate the current competence of personnel against the defined competence levels.

Challenge:

Difficulty in objectively assessing competence. Bias in performance reviews.

Solution:

Use a variety of assessment methods, such as self-assessments, peer reviews, manager evaluations, and skills tests. Ensure assessors are trained and objective.

Address Competence Gaps

Develop plans to address any identified competence gaps.

Challenge:

Difficulty in providing appropriate training. Budget constraints. Time constraints for employees.

Solution:

Offer a range of training options, such as online courses, in-person workshops, on-the-job training, and mentoring. Prioritise training based on risk and business needs.

Provide Training and Development

Provide training and development opportunities to personnel to enhance their competence.

Challenge:

Difficulty in keeping training materials up-to-date. Lack of employee engagement in training.

Solution:

Regularly review and update training materials. Make training relevant and engaging. Use a variety of training methods.

Evaluate Training Effectiveness

Evaluate the effectiveness of training and development activities.

Challenge:

Difficulty in measuring the impact of training on job performance.

Solution:

Use a variety of evaluation methods, such as post-training quizzes, on-the-job observations, and performance reviews. Gather feedback from trainees and their managers.

Maintain Competence

Ensure that personnel maintain their competence over time.

Challenge:

Difficulty in keeping skills current in a rapidly changing environment. Employee turnover.

Solution:

Encourage continuous learning and professional development. Provide access to resources such as industry publications and conferences. Implement a knowledge management system.

Document Competence

Maintain records of personnel competence, training, and development activities.

Challenge:

Difficulty in keeping records up-to-date. Lack of integration with other HR systems.

Solution:

Use a centralised training management system. Regularly review and update competence records.

Regularly Review Competence Requirements

Regularly review competence requirements to ensure they remain aligned with the ISMS and business needs.

Challenge:

Difficulty in anticipating future competence needs. Changes in the business environment.

Solution:

Integrate competence reviews with other ISMS processes, such as management review and risk assessment. Conduct regular workforce planning exercises.

Promote a Culture of Learning

Foster a culture of continuous learning and development within the organization.

Challenge:

Lack of employee motivation to learn. Resistance to change.

Solution:

Communicate the importance of competence to employees. Recognise and reward employees who demonstrate a commitment to learning. Provide opportunities for career advancement.

Audit Checklist

The following is a summary of the ISO 27001 Clause 7.2 Audit Checklist

Review Competency Requirements

Verify the organisation has identified the necessary competencies for ISMS-related roles.

Audit Techniques: Document review (job descriptions, role profiles, competency frameworks), interviews with management and HR personnel, analysis of ISMS activities and their required skills.

Assess Competence Levels

Ensure that competence levels are defined for each required competency.

Audit Techniques: Document review (competency frameworks, skills matrices), interviews with subject matter experts, analysis of competence level descriptions for clarity and measurability.

Evaluate Competence Assessment Methods

Verify that appropriate methods are used to assess the current competence of personnel.

Audit Techniques: Review of assessment procedures (self-assessments, peer reviews, manager evaluations, skills tests), interviews with HR and training personnel, observation of assessment activities.

Examine Training and Development Plans

Ensure that plans are in place to address identified competence gaps.

Audit Techniques: Document review (training plans, development programs), interviews with training personnel and managers, analysis of training needs assessments.

Assess Training Effectiveness

Verify that the effectiveness of training and development activities is evaluated.

Audit Techniques: Review of training evaluation methods (post-training quizzes, on-the-job observations, performance reviews), interviews with trainees and their managers, analysis of training feedback and performance data.

Evaluate Competence Maintenance

Ensure that personnel maintain their competence over time.

Audit Techniques: Review of continuous learning and professional development programs, interviews with employees and their managers, examination of certification renewal and recertification records.

Examine Competence Records

Verify that records of personnel competence, training, and development activities are maintained.

Audit Techniques: Document review (training records, competency assessments, performance reviews), interviews with HR personnel, inspection of training management systems and databases.

Assess Competence Review Process

Ensure that competence requirements are regularly reviewed.

Audit Techniques: Review of competence review procedures, interviews with management and HR personnel, analysis of changes in ISMS requirements and their impact on competency needs.

Evaluate Training Resources

Verify that adequate resources are available to support training and development activities.

Audit Techniques: Interviews with training personnel and budget holders, review of training budgets and resource allocation plans, examination of training facilities and equipment.

Assess Promotion of Learning Culture

Verify that the organization promotes a culture of continuous learning and development.

Audit Techniques: Interviews with employees at different levels, review of communication materials related to training and development, analysis of employee engagement in learning activities, examination of reward and recognition programs related to skills development.

Watch the Tutorial

Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 7.2 Competence

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

These individual templates help meet the specific requirements of ISO 27001 clause 7.2 Competence.

ISO 27001 Competency Matrix Template

ISO 27001 Competency Matrix Template

ISO 27001 Accountability Template

ISO 27001 ISMS Rasci Matrix Template

ISO 27001 Training Policy Template

ISO 27001 Training and Awareness Policy Template

How to build your own competence matrix

This particular video on How to Build a Competency Matrix has been viewed over 10,000 times and in it we show you how to build the competency matrix from scratch if you don’t want to download and use the ISO 27001 Competence Matrix Template.

How to pass the audit

To pass an audit of ISO 27001 Clause 7.2 Competence you are going to

  • Understand the requirements of ISO 27001 Competence
  • Identify the roles you need
  • Allocate people to roles
  • Assess the competency of people to perform those roles
  • Address competency gaps through training or bringing in specialist help

What the auditor will check

The audit is going to check a number of areas for compliance with Clause 7.2. Lets go through them

Roles are documented and assigned

The first step is to document the roles that make up the information security management system and to allocates those roles. The auditor is going to look for documented roles and for you to demonstrate that people are assigned to those roles.

That Competence of People is Documented

The roles are that are document and assigned must be assigned to people that are competent to perform the role so the auditor is going to look for documented evidence of competence. This is where the competency matrix comes in. If you do not have competence, documenting that and showing your plan to fill the competence gap is key.

Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 clause 7.2 are

You do not have anyone with experience in ISO 27001

The number 1 mistake is that you do not have anyone with any experience of ISO 27001. This is more common than you might imagine. To run and ISO 27001 Information Security Management System you are going to need training and / or experience of ISO 27001.

You did not document and assign roles

There are mandatory roles as part of your ISO 27001 implementation and the roles need documenting and assigning to people. A common mistake is not to document those roles or to formally assign them. We see this being given to someone in IT to manage without consideration for the wider roles that are required for an effective management system.

You have no training plans

As ISO 27001 is based on continual improvement we see that the auditor will look at the training plans and want to see evidence that competence is maintained. This is usually in the form at looking that the plans for the coming 12 months to see if any competence gaps or ongoing training requirements have been considered and documented.

ISO 27001 Clause 7.2 FAQ

What is ISO 27001 Clause 7.2 Competence ?

The ISO 27001 standard requires an organisation to have people that are competent to do the work for information security. Simple.

What are the ISO27001:2022 Changes to Clause 7.2?

Great news. There are no changes to ISO 27001 Clause 7.2 in the 2022 update.

How do I evidence I meet the requirement of ISO 27001 Competence?

The best way is to record the skills of your resources in a Competency Matrix.

Can you show me how to build an ISO 27001 competence matrix?

Yes, in this video we show you step by step how to build your own ISO 27001 competence matrix from scratch in around 15 minutes.

Where can I download ISO 27001 Clause 7.2 Competence templates?

You can download ISO 27001 Clause 7.2 templates in the ISO 27001 Toolkit.

ISO 27001 Clause 7.2 Competence example?

An example of ISO 27001 Clause 7.2 can be found in the ISO 27001 Toolkit.

Can I use external resource for ISO 27001 Clause 7.2 Competence?

Yes. Many companies seek the help of qualified, experienced third party suppliers to help with ISO 27001

Can I train my staff to meet the requirements of ISO 27001 Clause 7.2 Competence?

Yes, there are many reputable training courses for ISO 27001 Lead Auditor and ISO 27001 Lead Implementor.

Further Reading

ISO 27001 Clause 7.2 Audit Checklist

ISO 27001 Toolkit

Stop Spanking £10,000s on consultants and ISMS online-tools

Share to...