ISO 27001 Clause 7.2 is about making sure that the people who do work affecting your company’s information security are competent to do it. This means they have the right education, training, skills and experience. The goal of this clause is to ensure that your security team has the knowledge and training it needs to do its work well.
What to Do
- Find Out What Skills You Need: You must figure out what skills are needed for each job that affects your company’s information security.
- Check Your Team’s Skills: Look at your employees’ education, training, and past work to see if they have the skills you need.
- Fill in the Gaps: If an employee needs more skills, you must find a way to help them. This could mean giving them more training.
- Keep Records: You must keep records of your employees’ skills, training, and experience (certificates, training logs, CVs). These records are your evidence that you are meeting the requirement.
What an Auditor Will Check
An auditor will check several things to make sure your organization follows the rules in Clause 7.2. Let’s look at what they’ll review.
- Are Roles Written Down and Given to People? First, you must write down all the roles that are part of your information security management system. Then, you must assign these roles to named people. The auditor will look for these written role descriptions, and will want to see evidence that people have actually been assigned to them.
- Do People Have the Right Skills? The people you give these jobs to must have the skills to do them well. The auditor will look for proof that your staff is qualified. This is where a skills chart is helpful. If someone doesn’t have a certain skill, you should write this down. You should also show your plan for how they will learn that skill.
Three Common Mistakes for ISO 27001 Clause 7.2
- Lacking ISO 27001 Experience: A frequent error is having no one with experience in ISO 27001. You need training or prior experience to run an effective Information Security Management System (ISMS).
- Failing to Assign Roles: ISO 27001 requires specific roles for its implementation. A mistake is not documenting or formally assigning these roles. Often, a person in IT is tasked with this without considering the full range of roles needed for a strong management system.
- Having No Training Plans: Since ISO 27001 is about continuous improvement, an auditor will want to see that competence is maintained. They’ll look at your training plans for the next year to see if you have considered and documented any competence gaps or ongoing training needs.
Frequently Asked Questions
An auditor will check whether you have records showing that your employees are competent for their roles. They will look for a list of the skills needed for each role and the evidence that each person has them. They may also interview your employees to see whether they understand their responsibilities.
The main requirement of this clause is the same. The newer version of the standard just states more clearly what you need to do.
Many companies use a “competency matrix.” This is a chart that lists people along one axis and required skills along the other, with each cell recording that person’s level for that skill. It helps you keep track of everyone’s competence and spot the gaps that need a training plan.