ISO 27001 Clause 7.2

ISO 27001 Clause 7.2 Competence

Clause 7.2 is all about having the right skills. To successfully set up and manage an ISMS that meets ISO 27001 standards, you need a range of skills and experiences. It’s not just about being good at things like physical security, cyber security, or computer security. There are other kinds of information security knowledge that are important too.

What is ISO 27001 Clause 7.2?

The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

ISO 27001:2022 Clause 7.2 Competence

What does Clause 7.2 involve?

ISO/IEC 27001 clause 7.2 essentially says that your organisation needs to make sure it has:

  • Figured out the skills needed by people working on the ISMS that could affect how well it works.
  • People who are considered skilled enough based on their education, training, or experience.
  • Taken steps to get the necessary skills if needed and checked if those steps worked.
  • Kept proof of all of this for audits.

Based on these rules, you might easily think that the answer for 7.2 is to hire an information security expert – but that’s not always necessary!

You need a wide range of skills and experiences to successfully set up and manage an ISMS that meets ISO 27001 standards. This goes beyond just being an expert in physical security, cyber security, computer security, or other specific types of information security.

These skills include: business understanding, legal knowledge, HR skills, IT knowledge, as well as expertise in the products and services your organisation deals with.

Building and running an ISMS is usually something a team does together. The most important thing is to understand your organisation, its purpose and goals, its culture, how much risk it’s willing to take, and the requirements mentioned in clauses 4.1, 4.2, 4.3, 6.1, and 6.2.

Showing that you meet clause 7.2

Along with the clauses on awareness (7.3) and communication (7.4), you can show you meet 7.2 by making a general statement about the team involved and why they are credible.

It’s also helpful to have a simple table showing the people involved, their role, and notes about their relevant experience, training, or education. Some auditors like to see this detail. It doesn’t need to be a full CV, just enough to show why they are involved. For example:

Brian Pedant – implementation leader, also works as the IT manager. Has thirteen years of experience and relevant training or education, like online cyber security courses and a master’s degree in computer software development.

This can be very straightforward. It’s not a detailed plan for information security training or HR development (though you might want those too, depending on your organisation).

All the external auditor will want to know is that the team involved is competent. It’s likely that some or all of the team will be part of the audit anyway, and the auditor will form their own opinion then.

Remember, good information security that’s led by business needs is about making the business better, not just putting in security measures for no reason. So, it’s unlikely you’ll have big gaps in the basic skills and understanding of your organisation – otherwise, it probably wouldn’t be running!

However, if there are gaps in the skills and experience needed to set up and run an information security management system to meet this clause, you can address them in a few ways:

  • Sending staff on ISO 27001 lead auditor, lead implementer, and implementation training courses, or other information security courses. However, this can be expensive in terms of both cost and time away from work, especially for a whole team. It can also cause problems if the training is too general, outdated, or not tailored to your organisation’s culture and ways of working.
  • Using the many free resources online, like this website and sites such as the National Cyber Security Centre (NCSC) with its guides and checklists, and reading the ISO 27001 and ISO 27002 standards themselves. This will also show the auditor a level of competence, and it fits with Annex A 6.1.4 about staying aware of and involved in specialist information security groups and professional organisations.
  • Hiring specialist help to build competence – there are more and more virtual CISOs (Chief Information Security Officers) and their teams available. This can definitely be a good idea, and we recommend it for specific tasks alongside your internal experts when your organisation has time, skill, and budget issues.