ISO 27001 Competency Matrix Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

The ISO 27001 competency matrix is a structured register of employees that maps their information security roles and responsibilities to the skills, knowledge and experience those roles require. It allows you to demonstrate and evidence that you have adequate skills to operate the Information Security Management System, and to identify, track and manage any training or resourcing needs.

What is it?

Think of an ISO 27001 Competency Matrix as a special chart or spreadsheet. Its main job is to help you see who on your team knows what when it comes to keeping information safe. It’s like a map that shows all the skills everyone has and how those skills match up with what you need for ISO 27001, which is a big standard for information security. You use this matrix to figure out if your team has the right skills, if they need more training, and if you’re ready to meet all the rules of the standard. It’s a key tool for managing your team’s knowledge about security.

Applicability to Small Businesses, Tech Startups, and AI Companies

  • Small Businesses: Even if you’re a small business, you can use this matrix. It helps you make sure your few employees know how to keep customer data safe, which is super important. It shows you who can handle security tasks.
  • Tech Startups: As a tech startup, you’re all about new ideas. This matrix helps you prove to investors and customers that you take security seriously from the very beginning. You can show that your team has the skills to protect your cool new products.
  • AI Companies: For AI companies, your data is everything. This matrix is a must-have. It helps you track who on your team understands the unique security risks of AI data, like how to protect all that information you use to train your AI models.

ISO 27001 Competency Matrix Template

The ISO 27001:2022 Competency Matrix Template is a simple and effective way to record and manage employee competency.

It is a record of the skills and training level of staff against information security and business technology.

Why you need it

You need this matrix for several good reasons. First, it helps you spot any gaps in knowledge on your team. If nobody knows how to handle a specific security problem, this chart will show you that right away. Second, it’s a big part of meeting the rules of ISO 27001. The standard wants you to prove that your people are good at their jobs, and this matrix is a great way to do that. It also helps you plan for training and make sure your team is always getting better at security.

When you need it

You’ll need this matrix from the start of your ISO 27001 journey. It’s one of the first things you’ll create. You’ll also use it to keep track of things over time. When you hire new people, you’ll update the matrix. When someone learns a new skill, you’ll change their score. You’ll also look at it before any audits to make sure you’re ready to show off your team’s skills.

Who needs it?

The person in charge of security at your company, often called the CISO or Information Security Officer, is the main person who needs this. Your HR team also needs it to help with hiring and training. And anyone who is part of the ISO 27001 project team will use it.

Where you need it

You can keep this matrix as a simple document. A secure shared drive, a cloud service like Google Sheets, or a company wiki are all good places for it. The key is to keep it somewhere that the right people can easily get to it but is also safe from others.

How to write it

  1. List the skills: Start by listing all the skills your team needs. These should come from the ISO 27001 controls (we’ll talk about those later). Think about things like understanding policies, handling security incidents, or knowing about access control.
  2. Add your team: Put your team members’ names in a column.
  3. Rate their skills: Go through and rate each person’s skill level for each task. You can use a simple scale, like “1 (not skilled)” to “5 (expert),” or just “yes” or “no.”
  4. Find the gaps: Look at the results. Where are the empty spots? Where does nobody on your team have the skills you need? Those are your training gaps.
  5. Plan your training: Use what you learned to create a plan for training.
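As an added example (not part of the original article), here is the "find the gaps" step from the procedure above as a small Python script. It takes a constructed competency matrix for an imaginary online shop, scored on the 1 (not skilled) to 5 (expert) scale suggested above, flags skills that nobody holds and skills that only one person holds (the single-person dependency the small-business example on this page warns about), and suggests who to train next. The names, scores and the competence threshold of 3 are assumptions.

```python
from typing import Dict, List, Tuple

Matrix = Dict[str, Dict[str, int]]  # person -> skill -> score

# Constructed sample matrix for a small online shop (names and scores are made up).
# Scores use the "1 (not skilled)" to "5 (expert)" scale; a missing entry means the
# person has not been assessed for that skill and counts as 0.
MATRIX: Matrix = {
    "Alice": {"protecting credit card data": 4, "handling customer privacy questions": 3,
              "knowing how to use a firewall": 2, "handling security incidents": 1,
              "reviewing access rights": 2},
    "Bob":   {"protecting credit card data": 1, "handling customer privacy questions": 4,
              "knowing how to use a firewall": 4, "handling security incidents": 3,
              "reviewing access rights": 1},
    "Carol": {"handling customer privacy questions": 2, "knowing how to use a firewall": 3,
              "handling security incidents": 3},
}

COMPETENT = 3  # assumed threshold: a score at or above this counts as competent


def competent_staff(matrix: Matrix, skill: str, threshold: int = COMPETENT) -> List[str]:
    """Names of staff rated at or above the threshold for one skill."""
    return sorted(name for name, scores in matrix.items() if scores.get(skill, 0) >= threshold)


def gap_analysis(matrix: Matrix, threshold: int = COMPETENT) -> Dict[str, List[str]]:
    """Sort every skill into 'gap' (nobody competent), 'single_point' (exactly one
    competent person, i.e. a key-person dependency) or 'covered' (two or more)."""
    skills = sorted({skill for scores in matrix.values() for skill in scores})
    result: Dict[str, List[str]] = {"gap": [], "single_point": [], "covered": []}
    for skill in skills:
        count = len(competent_staff(matrix, skill, threshold))
        bucket = "gap" if count == 0 else "single_point" if count == 1 else "covered"
        result[bucket].append(skill)
    return result


def training_plan(matrix: Matrix, threshold: int = COMPETENT) -> List[Tuple[str, str]]:
    """For each gap or single-point skill, name the person to train next: whoever is
    closest to the threshold (ties broken alphabetically), so the gap closes fastest."""
    analysis = gap_analysis(matrix, threshold)
    plan: List[Tuple[str, str]] = []
    for skill in analysis["gap"] + analysis["single_point"]:
        candidates = [(scores.get(skill, 0), name) for name, scores in matrix.items()
                      if scores.get(skill, 0) < threshold]
        if candidates:  # empty only if everyone is already competent
            _score, name = sorted(candidates, key=lambda c: (-c[0], c[1]))[0]
            plan.append((skill, name))
    return plan


if __name__ == "__main__":
    print(gap_analysis(MATRIX))
    print("train next:", training_plan(MATRIX))
```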

How to implement it

First, make sure everyone on your team knows what it is and why you’re using it. Talk to them about it! Then, use the information you gathered to create a real plan for training. This might mean sending people to special classes, having them take online courses, or just teaching each other. Finally, don’t forget to look at it often and update it. It’s a living document!

Examples of using it for small business

Let’s say you run a small online shop. Your matrix might have skills like “protecting credit card data,” “handling customer privacy questions,” and “knowing how to use a firewall.” You might find that only one person knows about credit card security. That’s your cue to send someone else to a training class so you’re not relying on just one person.

Examples of using it for tech startups

If you’re a startup making a new app, your matrix might include skills like “secure coding,” “managing cloud security,” and “understanding data encryption.” You might see that your new coder doesn’t know much about secure coding. You can then put a plan in place to get them some training right away before they start writing a lot of code.

Examples of using it for AI companies

For an AI company, your matrix would have skills like “protecting training data,” “securing AI models,” and “managing access to research data.” You might find that your data scientists are great at building models but don’t know much about keeping the data they use safe. This matrix helps you see that you need to train them on data security.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is a collection of documents and templates that make your life easier. It comes with a ready-made competency matrix template. This saves you a lot of time because you don’t have to start from scratch. The toolkit also has a list of the skills you need to check for, which is a huge help!

Information security standards that need it

This competency matrix is a key part of ISO 27001, which is an international standard for managing information security. Other standards that need it include:

  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

List of relevant ISO 27001:2022 controls

The new ISO 27001:2022 has a bunch of rules you need to follow. The competency matrix helps you meet the rules in a few key areas, especially:

ISO 27001 Competency Matrix Example

This is an ISO 27001 Competency Matrix example and a great way to meet the requirement of the standard.

ISO 27001 Competency Matrix FAQ

  1. What’s the best way to score skills? A simple “1 to 5” scale or even a “yes/no” works great!
  2. How often should I update the matrix? At least once a year, and every time someone new joins your team or learns a new skill.
  3. Do I need a fancy tool for this? Nope! A simple spreadsheet is all you need.
  4. Can I use it to check for skills outside of security? Yes, you can use the same idea for things like marketing or project management.
  5. Is this a required document for ISO 27001? While not named specifically, it’s the best way to prove you meet the “competence” rule.
  6. What if my team doesn’t have a lot of security skills? That’s okay! The matrix will help you see those gaps so you can plan for training.
  7. How do I prove the information is correct? You can show training certificates or notes from meetings.
  8. Can one person be skilled in everything? Probably not! The goal is to have a good mix of skills across the whole team.
  9. What if a team member leaves? You’ll need to update the matrix and figure out who will take over their security tasks.
  10. Does a consultant need to write this for me? No, you can write it yourself!
  11. How long does it take to create? It can be quick, maybe just a few hours to start.
  12. What if my company is too small for this? Even a two-person company can benefit from knowing who handles what.
  13. Can this help me find a new hire? Yes! It can show you what skills you’re missing so you know who to look for.
  14. Is it the same as a training plan? No, the matrix shows skills now, and the training plan is what you’ll do to fix the gaps.
  15. Does the matrix need to be very detailed? No, keep it simple so it’s easy to read and use.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.