ISO 27001:2022 Clause 7.2 Competence for Tech Startups

ISO 27001 Clause 7.2 For Tech Startups

ISO 27001 Clause 7.2 is a mandatory clause of the management system itself (not an Annex A control). It requires organizations to ensure the competence of everyone whose work affects information security performance: determine the skills each role needs, close any gaps through training, hiring or other action and check that the action worked, and retain documented evidence. The business benefit is a qualified workforce that reduces human error and strengthens the overall security posture.

For a fast-moving tech startup, the world of ISO 27001 can feel like a mountain of complex requirements. It is easy to view it as just another compliance hurdle to clear before you can close that next big enterprise deal. However, Clause 7.2 on “Competence” is different. This isn’t just about paperwork; it is about building the human foundation of your security program.

Getting Clause 7.2 right is about proving to your enterprise clients that the agile team they are betting on is also a secure and competent one. It is the bedrock of a resilient security culture that protects your innovation and builds the customer trust you need to scale. In this guide, we will break down ISO 27001 Clause 7.2 for tech startups into actionable steps that fit your lean operating model.

The Business Case: Why This Actually Matters

If you treat Clause 7.2 as a checkbox, you are hiring liabilities, not assets. In a startup, a well-meaning but untrained engineer with production access is one of the most common routes to an incident. This clause forces you to verify that the people holding the keys to the kingdom actually know how to use them.

  • Sales Angle: In enterprise vendor assessments you will be asked: “Do you perform background checks and skills verification for staff with access to customer data?” Clause 7.2 is your “Yes” to the skills-verification half (background checks are Annex A control 6.1, Screening). Without it, you look like a cowboy operation, and the deal dies in procurement.
  • Risk Angle: The “Intern with Root Access” Nightmare. A junior dev deletes the production database because they didn’t understand the replication settings. Clause 7.2 addresses this by requiring you to define the competence a role needs before it gets that access, and to record how you verified it.

The “No-BS” Translation: Decoding the Requirement

The Auditor’s View: Clause 7.2 of ISO 27001:2022 has four parts. Determine the necessary competence of persons doing work under the organization’s control that affects its information security performance; ensure those persons are competent on the basis of appropriate education, training, or experience; where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of those actions; and retain appropriate documented information as evidence of competence.

The Startup’s View: Don’t let people do stuff they aren’t qualified to do. If you hire a React developer, don’t let them configure your AWS firewall unless you train them first.

For a DevOps engineer, this translates to:

  • Education: “I have a Computer Science degree.” (Good, but not enough).
  • Training: “I completed the AWS Certified Security – Specialty course.” (Better).
  • Experience: “I have managed production Kubernetes clusters for 3 years without a breach.” (Best).

DORA, NIS2, and AI Laws

Clause 7.2 is your evidence of due diligence when a regulator or a claimant asks whether the people running your security were qualified to do so.

  • DORA (Fintech): Article 13 requires financial entities to include ICT security awareness programmes and digital operational resilience training as compulsory modules for all employees and for senior management. Clause 7.2 is the framework you use to show a regulator that you met this requirement.
  • NIS2: Article 20 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, requires them to undergo training themselves, and allows them to be held liable for failures. If a breach happens and you cannot show that the people responsible for security were competent, that liability lands on the founders. Clause 7.2 provides the evidence of due diligence.
  • AI Act: Article 4 requires providers and deployers to ensure their staff have sufficient AI literacy, and Article 14 requires human oversight of high-risk AI systems by people who understand them. If AI literacy is a competence one of your roles needs, Clause 7.2 is where you define it and keep the evidence.

Why the ISO 27001 Toolkit Trumps SaaS Platforms

SaaS platforms try to automate competence. You cannot automate a skill.

Feature     | ISO 27001 Toolkit (High Table)                                      | Online SaaS GRC Platform
Flexibility | Excel-based Competency Matrix, adaptable to any role or tech stack  | Rigid “Training Modules” that often don’t match your actual tech stack
Ownership   | You own the records; they live in your secure HR folder             | If you cancel the subscription, you lose your training logs
Cost        | One-off fee                                                         | Charges per user: a “competence tax” for every new hire
Reality     | Captures “Experience” (e.g., CVs) effectively                       | Focuses heavily on “watching videos”, which doesn’t prove real-world skill

Top 3 Non-Conformities When Using SaaS Platforms

  1. The “Video Watcher” Fallacy: The SaaS tool marks everyone “Competent” because they watched a 5-minute video. The auditor asks a developer about the OWASP Top 10 and they know nothing. That is a non-conformity: Clause 7.2 requires you to evaluate whether the training actually worked, not just record that it was delivered.
  2. The “Admin Gap”: The SaaS platform tracks general staff but ignores the admins. The person configuring the SaaS tool itself has no documented competence in ISO 27001. Fail.
  3. The “Ghost Records”: You migrate from one HR tool to another, and the API link to the SaaS platform breaks. You lose 6 months of training records and have nothing to show the auditor.

What You Absolutely Need to Know About Clause 7.2

  • Mandatory Requirement: This clause applies to everyone whose work affects your information security performance, not just the people running the Information Security Management System (ISMS). Each of them must be demonstrably able to do their part.
  • Implementation: Startups must define roles, identify the security skills each role needs, close the gaps (training, hiring, or contracting in expertise) and check that the gap is actually closed.
  • Auditor’s Focus: Auditors will look for a “Competency Matrix,” documented roles, and evidence that you are closing any skill gaps with training.

Your Step-by-Step Implementation Playbook

For a startup, the best way to tackle Clause 7.2 is with a lean, phased approach.

1. Engage the Right Expertise

  • Hire a consultant: A specialist can guide you through the setup.
  • Train internal staff: Send a key team member on an ISO 27001 Lead Implementer course. This is often cheaper than a consultant in the long run.

2. Build Your Competency Matrix

This is your “golden ticket” for the audit. A Competency Matrix is a simple spreadsheet that maps your team members against the skills they need.

Role       | Required Skill        | Evidence
CTO        | Cloud Security (AWS)  | AWS Certified Security – Specialty certificate
Lead Dev   | Secure Coding         | OWASP training log
HR Manager | Screening & Vetting   | Internal HR policy training record

The Evidence Locker: What the Auditor Needs to See

To pass a Stage 2 audit for Clause 7.2, have these artifacts ready:

  • Competency Matrix: The spreadsheet mentioned above, fully populated.
  • Job Descriptions: Signed JDs that include security responsibilities (e.g., “Responsible for code reviews”).
  • Training Logs: A simple list: “Who, What, When.” Use an unambiguous date format (e.g., “Alice, Phishing Awareness, 2025-05-12”).
  • CVs/Resumes: For key roles (like the CISO), keep a copy of their CV to prove experience.

Common Pitfalls and Auditor Traps

  • The “Implicit Knowledge” Trap: “Bob knows security, he’s been here for years.” If Bob doesn’t have a record of training or experience, the auditor cannot verify his competence.
  • The “One-Size-Fits-All” Error: Giving the Receptionist the same security training as the Lead Architect. Competence must be relevant to the role.
  • The “Forgotten Certificate”: Claiming someone is certified but being unable to find the PDF certificate during the audit. Keep them central!

Handling Exceptions: The Break Glass Protocol

What happens if your only competent security person quits?

  • The Emergency: The CISO resigns.
  • The Action: Engage a Virtual CISO (vCISO) or contractor immediately to fill the competence gap.
  • The Paper Trail: Document the contract and their CV in the Competency Matrix.
  • Time Limit: Recruit a permanent replacement within 3-6 months.

The Process Layer: Standard Operating Procedure (SOP)

Tools: Excel (Matrix), BambooHR (Records).

  1. Hiring: HR checks the Job Description against the Competency Matrix. “Does this role need security skills?”
  2. Onboarding: New hire completes mandatory training (e.g., Data Protection) within week 1.
  3. Recording: HR updates the Training Log.
  4. Annual Review: During performance reviews, ask: “Do you need a security refresher?” Update the matrix.
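The Competency Matrix and the SOP above are the data; the check an auditor actually wants to see is that you run them against each other. The script below is an added example, not part of the original article or the author’s toolkit. It joins three constructed CSV records (the matrix, the training log, and an access register with a privileged-access flag) and reports every person holding a role without current evidence for a required skill, rating the gap “high” where that person also has privileged access, which is the “Intern with Root Access” case. The column names and validity periods are assumptions for the example.

```python
"""Clause 7.2 competence gap check.

Joins three records a startup already keeps (the Competency Matrix, the
training log and an access register) and reports who holds a role, or
privileged access, without current, evidenced competence.  All three data
sets below are constructed for this example; the column names are an
assumption, not an ISO requirement.
"""
import csv
import io
from datetime import date, timedelta

# Constructed: which skills each role needs (the Competency Matrix).
MATRIX_CSV = """role,required_skill
CTO,Cloud Security (AWS)
Lead Dev,Secure Coding
Junior Dev,Secure Coding
HR Manager,Screening & Vetting
"""

# Constructed: the training log ("Who, What, When") plus how long the
# evidence stays valid.  Certificates expire; experience on a CV can be
# given a long validity so it is re-confirmed at the annual review.
TRAINING_LOG_CSV = """person,skill,evidence,completed,valid_days
Alice,Cloud Security (AWS),AWS Certified Security - Specialty,2023-06-01,1095
Bob,Secure Coding,OWASP Top 10 workshop,2024-01-15,365
Carol,Screening & Vetting,Internal HR policy training,2025-02-10,365
"""

# Constructed: who holds which role and whether they have privileged access
# (e.g. production admin).  In practice export this from your IdP or cloud IAM.
ACCESS_CSV = """person,role,privileged_access
Alice,CTO,yes
Bob,Lead Dev,yes
Dave,Junior Dev,yes
Carol,HR Manager,no
"""


def load(csv_text):
    """Parse an in-memory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def required_skills(matrix_rows):
    """role -> set of required skills."""
    req = {}
    for row in matrix_rows:
        req.setdefault(row["role"], set()).add(row["required_skill"])
    return req


def evidence_status(log_rows, as_of):
    """Classify each (person, skill) pair as 'valid' or 'expired' on as_of.

    Records completed after as_of are ignored: planned training is not evidence.
    """
    status = {}
    for row in log_rows:
        completed = date.fromisoformat(row["completed"])
        expires = completed + timedelta(days=int(row["valid_days"]))
        key = (row["person"], row["skill"])
        if completed <= as_of < expires:
            status[key] = "valid"          # a valid record beats any expired one
        elif expires <= as_of and status.get(key) != "valid":
            status[key] = "expired"
    return status


def competence_gaps(matrix_csv, log_csv, access_csv, as_of):
    """Return one finding per (person, required skill) lacking current evidence.

    as_of is an ISO date string (YYYY-MM-DD).  Gaps for people with privileged
    access are rated 'high': that is the "intern with root access" case.
    """
    as_of_date = date.fromisoformat(as_of)
    req = required_skills(load(matrix_csv))
    status = evidence_status(load(log_csv), as_of_date)
    findings = []
    for row in load(access_csv):
        person, role = row["person"], row["role"]
        privileged = row["privileged_access"].strip().lower() == "yes"
        for skill in sorted(req.get(role, ())):
            state = status.get((person, skill))
            if state == "valid":
                continue
            findings.append({
                "person": person,
                "role": role,
                "missing": skill,
                "reason": "expired" if state == "expired" else "no evidence",
                "severity": "high" if privileged else "medium",
            })
    return findings


def report(findings):
    """Human-readable lines for the auditor pack or a ticket."""
    if not findings:
        return ["No competence gaps."]
    return [f"[{f['severity'].upper()}] {f['person']} ({f['role']}): "
            f"{f['missing']} - {f['reason']}" for f in findings]


if __name__ == "__main__":
    for line in report(competence_gaps(MATRIX_CSV, TRAINING_LOG_CSV,
                                       ACCESS_CSV, "2025-06-01")):
        print(line)
```

Run it at onboarding (step 2) and before each annual review (step 4), and keep the output with the Training Log: the dated report is itself evidence that you evaluated effectiveness, which is the part of 7.2 most startups forget. On the constructed data, as of 2025-06-01 Bob’s OWASP training has lapsed and Dave has never been trained; both hold privileged access, so both are rated high.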

Frequently Asked Questions (FAQ)

What is the difference between ‘competence’ and ‘awareness’?

Competence (Clause 7.2) is about having the specific skills to do a job (e.g., configuring a firewall). Awareness (Clause 7.3) is about everyone in the company knowing that security matters (e.g., locking your screen).

Does on-the-job experience count?

Yes. You don’t always need a certificate. If a developer has 5 years of experience deploying secure code, that counts. Just document it in the matrix referencing their CV or GitHub history.

Do we need to train everyone?

Everyone needs awareness training (Clause 7.3). Role-specific competence, with evidence, is required for anyone whose work affects information security performance: admins, developers, HR, and anyone else with a defined security responsibility.

About the author

Stuart Barker

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
