ISO 27001:2022 Clause 7.2 Competence for SMEs

ISO 27001 Clause 7.2 for SMEs

In this guide, I will show you exactly how small businesses and SMEs can implement ISO 27001:2022 Clause 7.2 Competence without the enterprise-level complexity. You will get a complete walkthrough of the control tailored for organizations with limited resources, along with practical examples and access to ISO 27001 templates that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience auditing businesses of all sizes. I will cut through the jargon to show you exactly what changed in the 2022 update and provide the plain-English advice you need to get your small business certified.

Key Takeaways: ISO 27001 Clause 7.2 Competence (SME Edition)

For Small and Medium-sized Enterprises (SMEs), ISO 27001 Clause 7.2 is often confused with awareness (Clause 7.3). Competence is about ability: ensuring the people running your security actually have the skills to do the job. It is not enough to just give someone the title of “Security Manager”; you must prove they are qualified for the role. This clause forces you to move security from an informal task to a professional function, ensuring your team is capable of protecting the business.

Core requirements for compliance include:

  • Define Requirements: You must decide what skills are needed for each security role. For example, does your IT lead need a specific cloud certification? Does your Data Protection Officer need GDPR training?
  • Verify Competence: You must check that your staff actually possess these skills. This is done by reviewing education, training, or experience (e.g. CVs, certificates, or years on the job).
  • Fill the Gaps: If a staff member lacks a required skill, you must take action. This could mean sending them on a training course, hiring a mentor, or outsourcing the function to a consultant.
  • Retain Evidence: You must keep documented proof. An auditor will not just take your word for it; they will ask to see the training certificates or the CV that proves the person is competent.
  • Experience Counts: The standard explicitly allows “experience” as a valid form of competence. You do not always need expensive degrees; a proven track record is often sufficient for SMEs.

Audit Focus: Auditors will look for “The Evidence Trail”:

  1. The Job Description: “Show me the role description for your Security Officer. What qualifications does it say they need?”
  2. The CV Check: “You said this role requires 5 years of experience. Show me the CV or LinkedIn profile that proves this person has it.”
  3. The Gap Analysis: “You identified a gap in GDPR knowledge last year. Show me the training record that proves this gap was closed.”

SME Competence Matrix (Audit Prep):

Role           | Required Competence          | Evidence of Competence
---------------|------------------------------|---------------------------------------------
Security Lead  | ISO 27001 Lead Implementer   | Training Certificate / 5 Years Experience
IT Manager     | Firewall Administration      | Vendor Certification (e.g. Cisco/AWS)
HR Manager     | Screening Procedures         | Professional HR Qualification (e.g. CIPD)
All Staff      | Basic Data Protection        | Annual Training Log / Quiz Results

What is ISO 27001 Clause 7.2 for SMEs?

Before diving into the “how,” it is essential to understand the “what” and the “why.” This isn’t just about ticking a box for an auditor; it is a strategic requirement that ensures you build a capable team. For an SME, getting this right lays the foundation for a resilient Information Security Management System (ISMS).

A Simple Definition of Competence

In straightforward terms, ISO 27001 competence means ensuring the people responsible for your information security have the right skills, training, and experience to do their jobs effectively. It ensures your ISMS is managed by individuals who know what they are doing, based on their education, professional training, or hands-on experience.

The Official Requirement

The ISO 27001:2022 standard outlines specific requirements in Clause 7.2. The organisation shall:

  • Determine the necessary competence of person(s) doing work under its control that affects its information security performance.
  • Ensure these persons are competent on the basis of appropriate education, training, or experience.
  • Where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of those actions.
  • Retain appropriate documented information as evidence of competence.

The Strategic Importance for Small Businesses

For an SME, this clause is vital. You cannot achieve ISO 27001 certification if nobody on your team, internally or externally, understands the standard. This clause forces a crucial business decision: investing in the right people to protect your assets. It moves security from an “informal IT task” to a formally recognised, competent function.

How to implement ISO 27001 Clause 7.2 for SMEs

Implementing Clause 7.2 does not have to be daunting. You can break it down into a series of logical steps to build a solid foundation without unnecessary complexity.

Step 1: Identify Your Key People and Roles

Your first action is to formally assign and document essential roles within your ISMS. A great way to do this is with an Accountability Matrix. This links specific individuals to each ISO 27001 clause and Annex A control they manage, creating a clear record for the auditor.

Step 2: Define the Competencies You Actually Need

Once roles are assigned, decide what skills are necessary. Common competencies include:

  • ISO 27001 Certifications: Lead Auditor or Lead Implementer.
  • General Security: CISSP, CISA, or CISM.
  • Data Protection: Expertise in UK GDPR or relevant regulations.
  • Technical Skills: Network security or cloud qualifications (e.g., AWS/Azure).

Step 3: Build and Use a Competency Matrix

The Competency Matrix is the central piece of evidence for Clause 7.2. While not explicitly named in the standard, it is what auditors expect to see. Use a spreadsheet to map your people to required skills, marking them as:

  • Trained / Qualified
  • Experienced
  • Training Planned / Gap Exists

Step 4: Address the Gaps

When your matrix reveals a gap, you must take action. SMEs can:

  • Train: Enrol staff in ISO 27001 courses.
  • Mentor: Use experienced staff to upskill others.
  • Outsource: Engage an external consultant to provide the necessary expertise immediately.

Step 5: Retain Your Evidence

An auditor will ask for “documented information.” Keep records of:

  • The completed Competency Matrix.
  • Training certificates and quiz results.
  • CVs or resumes highlighting professional experience.
  • Contracts with third-party specialist firms.

The Smart SME Strategy: Using External Consultants

For many SMEs, building all security competence in-house is impractical. Engaging external experts is a strategic way to meet Clause 7.2 requirements quickly. The contract you have with a competent third party serves as powerful evidence. As the standard allows competence to be based on “experience,” a consultant’s track record is a perfectly valid way to satisfy the auditor while you focus on your core business.

Passing Your Audit: What the Auditor Wants to See

The auditor wants to verify you have a structured process. They will focus on:

  • Documented Roles: A clear link between a security function and a responsible person.
  • Evidence: Your Competency Matrix and proof of skills (certificates/CVs). If gaps exist, they want to see a documented plan to fix them.

Top 3 Mistakes to Avoid

  1. No ISO 27001 Experience: Attempting to run an ISMS without anyone (internal or external) who understands the standard. Fix: Hire a consultant or train a lead implementer.
  2. Informal Roles: Handing security to “the IT guy” without documenting specific responsibilities. Fix: Use an Accountability Matrix.
  3. No Training Plans: Failing to show how competence will improve over time. Fix: Document a simple annual training budget or schedule.

Fast Track ISO 27001 Clause 7.2 Compliance for SMEs with the ISO 27001 Toolkit

For Small Businesses and SMEs, ISO 27001 Clause 7.2 (Competence) is about ensuring that the people responsible for your information security have the right skills, training, and experience to do their jobs effectively. It moves security from an “informal IT task” to a formally recognised, competent function. You cannot achieve certification if nobody on your team, internally or externally, understands the standard.

While SaaS compliance platforms often try to sell you “automated competence tracking” or complex “training modules”, they cannot actually determine the specific competencies your unique business needs or verify that an external consultant is qualified. Those are human governance and strategic leadership tasks. The High Table ISO 27001 Toolkit is the logical choice for SMEs because it provides the competence framework you need without a recurring subscription fee.

1. Ownership: You Own Your Competency Evidence Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your roles and store your competency matrix inside their proprietary system, you are essentially renting your own professional history.

  • The Toolkit Advantage: You receive the Accountability Matrix and Competency Matrix templates in fully editable Word and Excel formats. These files are yours forever. You maintain permanent ownership of your records, such as your specific history of training evaluations, ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Capable Teams

Clause 7.2 is about building a solid foundation. You do not need a complex new software interface to manage what a well-structured spreadsheet already does perfectly for a small team.

  • The Toolkit Advantage: SMEs need to be pragmatic and focus on essential roles. What they need is the governance layer to prove to an auditor that specific people are responsible for security. The Toolkit provides pre-written “Accountability Matrices” and “Training Plans” that formalise your existing leadership into an auditor-ready framework, without forcing your team to learn a new software platform just to log a training certificate.

3. Cost: A One-Off Fee vs. The “User Seat” Tax

Many compliance SaaS platforms charge more based on the number of “users”, “admin seats”, or “training records” you track. For an SME, these monthly costs can scale aggressively for very little added value.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you manage 5 key roles or 50, the cost of your Competence Documentation remains the same. You save your budget for actual professional training rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your People Strategy

SaaS tools often mandate specific ways to report on and monitor “staff competence”. If their system does not match your unique business model or specialised industry requirements, such as using external consultants for key roles, the tool becomes a bottleneck to efficiency.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Competence Procedures to match exactly how you operate, whether you use in-house lead implementers or experienced external specialists. You maintain total freedom to evolve your people strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For SMEs, the auditor wants to see a clear link between security functions and responsible persons (e.g. a Competency Matrix) and proof of skills like training certificates or CVs. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

ISO 27001 Clause 7.2 FAQs for SMEs

What are the ISO 27001:2022 changes to Clause 7.2?
There are no changes to the requirements of Clause 7.2 in the 2022 update.

What is the difference between “competence” (7.2) and “awareness” (7.3)?
Competence is role-specific (having the skills to do the job). Awareness is universal (everyone understanding the security policy and its importance).

Does experience count as competence?
Yes! The standard explicitly allows competence to be based on “appropriate education, training, or experience.”

How often should competence be assessed?
Regularly. Ideally during annual performance reviews, internal audits, or when roles and technologies change.

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
