Table of contents
ISO 27001 Competence
To run an information security management system you must have people with the competence to do so. This means having the skills and experience required.
What is ISO 27001 Clause 7.2?
ISO 27001 competence is about ensuring you have the skills and experience to run the information security management system.
What is does it mean? It means you have people on the team when we’re running your information security management system (ISMS) that know how to run the management system.
You cannot have ISO 27001 and go for certification if nobody knows any anything about it, they’ve got no experience in it and they’ve got no knowledge in it.
ISO 27001 Clause 7.2 Competence is an ISO 27001 control that requires an organisation to have people that are competent to do the work for information security.
Purpose
The purpose of ISO 27001 Clause 7.2 is to make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.
Definition
The organisation shall:
ISO 27001:2022 Clause 7.2 Competence
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
Requirement

Implementation Guide
Engage with trained ISO 27001 resources
Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.
Decide which resources to use when
To implement ISO 27001 Clause 7.2 Competence you want to choose the correct resource for the correct phase of your information security management system (ISMS) lifecycle. This will ensure you have the correct competence when you need it.
ISO 27001 Roles and Responsibilities Assignement
There are required roles in the information security management system and people need assigning to those roles. Learn what roles you need and who to assign to them in ISO 27001 Clause 7.1 Resources.
ISO 27001 Accountability Matrix
For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. Complete the ISO 27001 accountability matrix template.

Information Security Skills
It is up to you to decide what information security skills you need. There are some industry best practice for you to consider. The examples are included in the competency matrix and common qualifications are:
- CISSP
- CISA
- CISM
- PCI DSS
- GDPR / data protection
- ISO 27001 Lead Auditor
- ISO 27001 Lead Implementer.
If I was going to do the bare minimum I would just have the 27001 Lead Auditor / ISO 27001 Lead Implementor column because that is specific but the other ones if you have them or they’re aspirational or they’re relevant to you then, then you would include them in there.
If there are other information security relevant skills that you either have in your company or that you aspire to, or you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, AWS security qualification or skills or experience.
ISO 27001 Competency Matrix
Competency will be record in a competency matrix. This is the record of the relevant skills and experience that people have.
For each person involved in the operation of the Information Security Management System be sure to record them in them in the competency matrix. The competency matrix template allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.

Competence and Training
Managing Competence
Competence is something that will evolve and will be managed.
You will have people that are
- trained
- experienced
- qualified
- training is planned for them
- they have a gap in competence
You will evidence that you are managing your requirements for competence.
Evidence of Competence
For a belts and braces again I have seen this, it does say to record evidence of the competence.
It may well be that in conjunction with the HR that you keep copies of
- courses
- quizzes
- references
- certifications
that you’ve done that can demonstrate that level of competence.
External Employees
It can be useful to rely on the competence of third parties. If you engage with third parties and consultants then this is a fast track to the evidence of competence for the areas that they cover.
Legal Competence
Implementation Checklist
Competence ISO 27001 Clause 7.2 Implementation Checklist
Identify Necessary Competencies
Determine the competencies needed for personnel performing activities that can impact information security.
Challenge:
Difficulty in comprehensively identifying all necessary competencies, especially for specialised roles. Overlooking soft skills or business context.
Solution:
Conduct a thorough job analysis for each role. Involve representatives from different departments. Consider both technical and non-technical skills. Regularly review and update competency requirements.
Define Competence Levels
Establish clear competence levels for each identified competency.
Challenge:
Difficulty in defining objective and measurable competence levels.
Solution:
Use a competency framework or skills matrix. Define specific knowledge, skills, and experience required for each level. Use examples of observable behaviours to illustrate competence levels.
Assess Current Competence
Evaluate the current competence of personnel against the defined competence levels.
Challenge:
Difficulty in objectively assessing competence. Bias in performance reviews.
Solution:
Use a variety of assessment methods, such as self-assessments, peer reviews, manager evaluations, and skills tests. Ensure assessors are trained and objective.
Address Competence Gaps
Develop plans to address any identified competence gaps.
Challenge:
Difficulty in providing appropriate training. Budget constraints. Time constraints for employees.
Solution:
Offer a range of training options, such as online courses, in-person workshops, on-the-job training, and mentoring. Prioritise training based on risk and business needs.
Provide Training and Development
Provide training and development opportunities to personnel to enhance their competence.
Challenge:
Difficulty in keeping training materials up-to-date. Lack of employee engagement in training.
Solution:
Regularly review and update training materials. Make training relevant and engaging. Use a variety of training methods.
Evaluate Training Effectiveness
Evaluate the effectiveness of training and development activities.
Challenge:
Difficulty in measuring the impact of training on job performance.
Solution:
Use a variety of evaluation methods, such as post-training quizzes, on-the-job observations, and performance reviews. Gather feedback from trainees and their managers.
Maintain Competence
Ensure that personnel maintain their competence over time.
Challenge:
Difficulty in keeping skills current in a rapidly changing environment. Employee turnover.
Solution:
Encourage continuous learning and professional development. Provide access to resources such as industry publications and conferences. Implement a knowledge management system.
Document Competence
Maintain records of personnel competence, training, and development activities.
Challenge:
Difficulty in keeping records up-to-date. Lack of integration with other HR systems.
Solution:
Use a centralised training management system. Regularly review and update competence records.
Regularly Review Competence Requirements
Regularly review competence requirements to ensure they remain aligned with the ISMS and business needs.
Challenge:
Difficulty in anticipating future competence needs. Changes in the business environment.
Solution:
Integrate competence reviews with other ISMS processes, such as management review and risk assessment. Conduct regular workforce planning exercises.
Promote a Culture of Learning
Foster a culture of continuous learning and development within the organization.
Challenge:
Lack of employee motivation to learn. Resistance to change.
Solution:
Communicate the importance of competence to employees. Recognise and reward employees who demonstrate a commitment to learning. Provide opportunities for career advancement.
Audit Checklist
The following is a summary of the ISO 27001 Clause 7.2 Audit Checklist
Review Competency Requirements
Verify the organisation has identified the necessary competencies for ISMS-related roles.
Audit Techniques: Document review (job descriptions, role profiles, competency frameworks), interviews with management and HR personnel, analysis of ISMS activities and their required skills.
Assess Competence Levels
Ensure that competence levels are defined for each required competency.
Audit Techniques: Document review (competency frameworks, skills matrices), interviews with subject matter experts, analysis of competence level descriptions for clarity and measurability.
Evaluate Competence Assessment Methods
Verify that appropriate methods are used to assess the current competence of personnel.
Audit Techniques: Review of assessment procedures (self-assessments, peer reviews, manager evaluations, skills tests), interviews with HR and training personnel, observation of assessment activities.
Examine Training and Development Plans
Ensure that plans are in place to address identified competence gaps.
Audit Techniques: Document review (training plans, development programs), interviews with training personnel and managers, analysis of training needs assessments.
Assess Training Effectiveness
Verify that the effectiveness of training and development activities is evaluated.
Audit Techniques: Review of training evaluation methods (post-training quizzes, on-the-job observations, performance reviews), interviews with trainees and their managers, analysis of training feedback and performance data.
Evaluate Competence Maintenance
Ensure that personnel maintain their competence over time.
Audit Techniques: Review of continuous learning and professional development programs, interviews with employees and their managers, examination of certification renewal and recertification records.
Examine Competence Records
Verify that records of personnel competence, training, and development activities are maintained.
Audit Techniques: Document review (training records, competency assessments, performance reviews), interviews with HR personnel, inspection of training management systems and databases.
Assess Competence Review Process
Ensure that competence requirements are regularly reviewed.
Audit Techniques: Review of competence review procedures, interviews with management and HR personnel, analysis of changes in ISMS requirements and their impact on competency needs.
Evaluate Training Resources
Verify that adequate resources are available to support training and development activities.
Audit Techniques: Interviews with training personnel and budget holders, review of training budgets and resource allocation plans, examination of training facilities and equipment.
Assess Promotion of Learning Culture
Verify that the organization promotes a culture of continuous learning and development.
Audit Techniques: Interviews with employees at different levels, review of communication materials related to training and development, analysis of employee engagement in learning activities, examination of reward and recognition programs related to skills development.
Watch the Tutorial
Watch the ISO 27001 tutorial How to implement ISO 27001 Clause 7.2 Competence
ISO 27001 Templates
ISO 27001 Competency Matrix Template

ISO 27001 Accountability Template

ISO 27001 Training Policy Template

How to build your own competence matrix
How to pass the audit
To pass an audit of ISO 27001 Clause 7.2 Competence you are going to
- Understand the requirements of ISO 27001 Competence
- Identify the roles you need
- Allocate people to roles
- Assess the competency of people to perform those roles
- Address competency gaps through training or bringing in specialist help
What the auditor will check
The audit is going to check a number of areas for compliance with Clause 7.2. Lets go through them
Roles are documented and assigned
The first step is to document the roles that make up the information security management system and to allocates those roles. The auditor is going to look for documented roles and for you to demonstrate that people are assigned to those roles.
That Competence of People is Documented
The roles are that are document and assigned must be assigned to people that are competent to perform the role so the auditor is going to look for documented evidence of competence. This is where the competency matrix comes in. If you do not have competence, documenting that and showing your plan to fill the competence gap is key.
Mistakes People Make
In my experience, the top 3 mistakes people make for ISO 27001 clause 7.2 are
You do not have anyone with experience in ISO 27001
The number 1 mistake is that you do not have anyone with any experience of ISO 27001. This is more common than you might imagine. To run and ISO 27001 Information Security Management System you are going to need training and / or experience of ISO 27001.
You did not document and assign roles
There are mandatory roles as part of your ISO 27001 implementation and the roles need documenting and assigning to people. A common mistake is not to document those roles or to formally assign them. We see this being given to someone in IT to manage without consideration for the wider roles that are required for an effective management system.
You have no training plans
As ISO 27001 is based on continual improvement we see that the auditor will look at the training plans and want to see evidence that competence is maintained. This is usually in the form at looking that the plans for the coming 12 months to see if any competence gaps or ongoing training requirements have been considered and documented.