ISO 27001 Clause 7.2 Competence

ISO 27001 Clause 7.2 is about making sure that people who work on your company’s information security are good at their jobs. This means they have the right skills and experience. The goal of this rule is to ensure that your security team has the knowledge and training they need to do their work well.

What is ISO 27001 Clause 7.2 Competence?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Competence”.

What is the ISO 27001 Clause 7.2 control objective?

The formal definition and control objective in the standard is: “The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.”

What is the purpose of ISO 27001 Clause 7.2?

The purpose of ISO 27001 Clause 7.2 is “To make sure that the people you have working on the information security management system (ISMS) have the skills, knowledge and experience to do it.”

Is ISO 27001 Clause 7.2 Mandatory?

ISO 27001 Clause 7.2 (Competence in the 2022 standard) is a mandatory clause in the main body of the standard.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. The following are key steps:

  1. Find Out What Skills You Need: You must figure out what skills are needed for each job that affects your company’s information security.
  2. Check Your Team’s Skills: Look at your employees’ education, training, and past work to see if they have the skills you need.
  3. Fill in the Gaps: If an employee needs more skills, you must find a way to help them. This could mean giving them more training.
  4. Keep Records: You must keep a record of your employees’ skills, training, and experience. This helps you show that you are following the rules.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will check:

  1. Are Roles Written Down and Given to People? First, you must write down all the jobs that are part of your information security system. Then, you must assign these jobs to people. The auditor will look for these written job descriptions. They will also want you to show them that people have been assigned to these jobs.
  2. Do People Have the Right Skills? The people you give these jobs to must have the skills to do them well. The auditor will look for proof that your staff is qualified. This is where a skills chart is helpful. If someone doesn’t have a certain skill, you should write this down. You should also show your plan for how they will learn that skill.

You can learn more about competence and ISO 27001 by watching this video: ISO 27001 Clause 7.2 Competence Explained.