A Tech Startup’s Practical Guide to ISO 27001 Clause 7.2: Building a Competent Team

ISO 27001 Clause 7.2 For Tech Startups

For a fast-moving tech startup, the world of ISO 27001:2022 can feel like a mountain of complex requirements. It is easy to view it as just another compliance hurdle to clear before you can close that next big enterprise deal. However, Clause 7.2 on “Competence” is different. This isn’t just about paperwork; it’s about building the human foundation of your security program.

Getting Clause 7.2 right is about proving to your enterprise clients that the agile team they’re betting on is also a secure and competent one. It’s the bedrock of a resilient security culture that protects your innovation and builds the customer trust you need to scale. In this guide, we’ll break down ISO 27001:2022 Clause 7.2 for tech startups into actionable steps that fit your lean operating model.

What You Absolutely Need to Know About Clause 7.2

  • Mandatory Requirement: This clause ensures that everyone working on your Information Security Management System (ISMS) actually knows what they are doing.
  • Implementation: Startups must define roles, identify necessary security skills, and engage with trained ISO 27001 resources.
  • Auditor’s Focus: Auditors will look for a “Competency Matrix,” documented roles, and evidence that you are closing any skill gaps with training.
  • Common Mistakes: The biggest pitfalls for startups are having zero ISO 27001 experience on the team and failing to document training plans.

Now, let’s demystify what Clause 7.2 actually means in plain English and how you can implement it effectively, even with a small team.

What is Clause 7.2 Competence? (The Plain English Version)

Before diving into checklists, it’s crucial to grasp the strategic intent. At its core, Clause 7.2 is a simple business principle: ensure the right people, with the right skills, are in charge of protecting your most valuable asset—your data. You wouldn’t let an untrained intern manage your capital raises, and the same logic applies to your information security.

The Simple Definition: ISO 27001 Competence is the requirement that people working on your ISMS have the relevant skills and experience to do so effectively.

The official ISO 27001:2022 standard requires your organisation to:

  • Determine the necessary competence for people affecting security performance.
  • Ensure they are competent based on education, training, or experience.
  • Take action to acquire competence where it’s lacking (and check if that training actually worked).
  • Keep documented evidence of this competence.

Crucially, this isn’t just for the “IT crowd.” An effective ISMS involves HR managing employee vetting, legal handling contracts, and developers writing secure code. You cannot achieve certification if nobody on your team has any knowledge of ISO 27001.

Your Step-by-Step Implementation Playbook

For a startup, the best way to tackle Clause 7.2 is with a lean, phased approach. You don’t need a 50-person security department; you need a smart strategy.

1. Engage the Right Expertise

You have three primary options to get the ball rolling:

  • Hire a consultant: A specialist can guide you through the setup. This is often the fastest route for startups.
  • Hire a full-time lead: If you’re scaling fast, a dedicated InfoSec Manager is a great long-term asset.
  • Train internal staff: Send a key team member on an ISO 27001 Lead Auditor or Lead Implementer course.

2. Strategically Allocate Resources

Your needs will change as you grow. Most startups follow this lifecycle:

ISMS Phase / Recommended Resource Strategy:

  • Establishment & Implementation: Use a specialist consultant to build the framework.
  • Certification: Consultant support combined with internal “owners.”
  • Maintenance & Improvement: Internal staff take the lead, with occasional specialist “sense-checks.”

3. Assign and Document Roles

You must formally document who is responsible for what. This turns an informal “Dave handles the servers” into a structured, auditable role. This links directly to Clause 7.1 (Resources).

4. Identify Necessary Security Skills

What skills does your specific tech stack require? Beyond basic security, consider:

  • Certifications: CISSP, CISM, or ISO 27001 Lead Implementer.
  • Technical Skills: AWS/Azure security configurations, secure coding (OWASP), or GDPR compliance.

5. Build Your Competency Matrix

This is your “golden ticket” for the audit. A Competency Matrix is usually a simple spreadsheet that maps your team members against the skills they need. It highlights where you are strong and where you have gaps. Pro Tip: If you use a consultant, put their name on the matrix! Their expertise counts toward your company’s competence.

6. Retain Evidence

If it isn’t documented, it didn’t happen. Work with HR to store copies of:

  • Training certificates and exam results.
  • CVs or LinkedIn profiles proving past experience.
  • Records of internal knowledge-sharing sessions.


Passing Your Audit: What the Auditor Really Looks For

As a Lead Auditor, I’m not looking for perfection; I’m looking for governance. When I audit Clause 7.2, I verify two things:

  1. Are roles assigned? I want to see a document that says who is responsible for the ISMS.
  2. Is competence proven? If “Sarah” is the Lead Implementer, I want to see her training certificate or a CV showing she has done this before.

The “Gap” Rule: If your matrix shows a skill gap, that’s fine! What isn’t fine is not having a plan to fix it. An auditor wants to see that you’ve scheduled training to bridge that gap.

Avoiding Common Pitfalls for Startups

  • Mistake 1: The “DIY” Trap. Trying to implement ISO 27001 without any trained staff or consultants. The Fix: Get at least one person through a Lead Implementer course.
  • Mistake 2: Missing Training Plans. Thinking competence is a “one and done” task. The Fix: Document a simple 12-month training calendar.
  • Mistake 3: Ignoring Outsourced Partners. Forgetting that your outsourced DPO or legal counsel counts toward your competence. The Fix: Include them in your records.

ISO 27001 Clause 7.2 FAQ

What is the difference between “competence” and “awareness”? Competence (7.2) is about having the skills to do a specific job. Awareness (7.3) is about everyone in the company knowing that security matters.

Does on-the-job experience count? Yes! The standard explicitly mentions “experience.” You just need to document it (e.g., in a CV or performance review).

Do we need a “Competency Matrix”? While the standard doesn’t use that exact phrase, it is the industry-standard way to show compliance. It makes the auditor’s life easy, which makes your life easy.

Achieving ISO 27001 Clause 7.2 compliance is an investment in your team. For a tech startup, it’s a manageable goal that builds a foundation for secure innovation. Ready to build your matrix?

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organisations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director