ISO 27001 Clause 7.2 Competence: Certification Body Guide

ISO 27001:2022 Clause 7.2 Competence

ISO 27001 Clause 7.2 Competence is a mandatory requirement of the management system itself (Clauses 4 to 10), not an Annex A control, so it cannot be excluded from the ISMS. It requires the organisation to determine the necessary competence of persons doing work under its control that affects information security performance, to ensure those persons are competent on the basis of appropriate education, training or experience, to take action to acquire any missing competence and evaluate the effectiveness of that action, and to retain documented information as evidence of competence.

ISO 27001:2022 Attributes Table

The attribute scheme below is the one ISO 27002:2022 applies to Annex A controls. Clause 7.2 is a management system requirement rather than an Annex A control, so the values are given by analogy; the closest Annex A control is 6.3, Information security awareness, education and training.

Attribute Value
Control Type Preventive
Information Security Properties Confidentiality, Integrity, Availability
Cybersecurity Concepts Protect
Operational Capabilities Human Resource Security, Governance

Implementation Difficulty & Cost

Metric Rating Details
Difficulty 3/5 Requires cross-departmental coordination with HR.
Resource Cost Medium Includes training budgets and software for record-keeping.
Primary Owner HR Manager / CISO Joint ownership of staff records and security skills.
Accountability Board Level The Board must approve the overall training strategy.

ISO 27002 Control Guidance

Competence is not merely about attending a single annual presentation. In my experience, it requires a structured approach to identifying the specific skills needed for every role. You must assess the baseline skills of your current staff against these requirements. This process helps you identify where technical or procedural knowledge is lacking across the business.

I often find that organisations ignore their third-party contractors in this clause. Clause 7.2 applies to persons doing work under the organisation's control, not only to employees, and ISO 27002 control 6.3 extends awareness, education and training to relevant interested parties. This includes temporary staff and outsourced IT providers. You must verify their certifications and experience before granting them access to sensitive systems or data.

The behavioural aspect of competence involves ensuring staff understand the "why" behind security rules. It is not enough to follow a checklist. Employees must be able to make informed security decisions during their daily tasks. I look for evidence that staff can identify social engineering attempts and know how to report security weaknesses.

The Auditor’s Eye: Expert Insight

In my twenty years of auditing, Clause 7.2 is where many firms trip up. I do not just look at a training log. I perform random staff interviews to verify whether the training actually "stuck." If your HR manager cannot explain their role in the ISMS, you have a nonconformity (NC). I also conduct log reviews to see if privileged users are performing tasks they are not trained for. Always keep certificates in a central SharePoint library to avoid a frantic search during your Stage 2 audit.

10 Steps to Implement Clause 7.2 Competence

  1. Define Role-Based Competency Requirements

    Identify every role within the ISMS scope. List the specific security skills, certifications, and experience required for each position. I suggest using a Confluence page to host this competency matrix. This ensures the requirements are visible to both HR and department heads during the hiring process.

  2. Perform a Skills Gap Analysis

    Compare the current skills of your employees against the defined requirements. Document where gaps exist for both technical and non-technical staff. Use a SharePoint list to track these gaps. This record proves to an auditor that you are actively managing your human risk profile.

  3. Develop a Targeted Training Plan

    Create a training schedule that addresses the gaps found in step two. This should include external certifications for IT staff and general awareness for others. I look for a signed budget for these activities. It demonstrates that senior management supports the growth of security expertise.

  4. Integrate Competence into Onboarding

    Ensure that every new hire undergoes a competency check. Verify their previous experience and provide mandatory security training before they access live data. I check Jira onboarding tickets to confirm these steps occur. This prevents untrained staff from introducing immediate risks to the environment.

  5. Maintain a Central Evidence Repository

    Store all training records, certificates, and diplomas in a secure, central location. Use SharePoint with strict access controls to manage these sensitive HR records. Auditors hate hunting through separate email threads for proof of training. A clean repository makes the audit process much faster.

  6. Evaluate Training Effectiveness

    Do not just tick a box. Use quizzes or follow-up surveys to ensure staff understood the training. I often look for LMS (Learning Management System) reports that show pass rates and time spent on modules. If everyone fails the quiz, the training material itself is likely the problem.

  7. Review Competence During Appraisals

    Make security competence a permanent item in annual performance reviews. This keeps security at the forefront of the employee’s mind. It also provides a formal record of continuous professional development. I look for these discussion points in sampled appraisal records during my site visits.

  8. Verify External Contractor Skills

    Demand proof of competence from your vendors and contractors. If an MSP manages your firewalls, you must see their engineers’ certifications. Include these requirements in your procurement contracts. I verify these during vendor risk reviews to ensure third parties do not weaken your security posture.

  9. Update Competence as Threats Evolve

The security world changes rapidly. Review your competency requirements whenever you introduce new technology or face new threats. If you move to the cloud, ensure your IT team receives specific Azure or AWS security training before they are given administrative rights. Administrators whose skills lag behind the technology they operate are a common source of misconfiguration, and misconfiguration is what attackers find first.

  10. Document All Management Decisions

    If you decide an employee is competent based on “experience” rather than a certificate, document that rationale. Write a short memo and save it to their HR file. This “justification of competence” is vital for an auditor. It shows you made a conscious, risk-based decision rather than just ignoring a requirement.

Requirements by Environment

  • Office Environment: Focus on physical security competence. Staff must know how to handle visitors and secure their desks. Evidence includes attendance lists from physical security walkthroughs.
  • Home Working: Requires competence in secure remote access and home network security. Staff must demonstrate they can use VPNs and MFA correctly. I look for “Work from Home” guides and signed user agreements.
  • Cloud Environment: High focus on technical competence for administrators. They must understand shared responsibility models and identity management. I expect to see specific cloud security certifications or vendor-led training records.

The “Checkbox Compliance” Trap

Requirement SaaS Tool Trap Auditor Reality
Competency Mapping Using a generic tool template. I look for roles specific to your business.
Training Evidence Only showing a “Read” receipt. I interview staff to see if they remember the content.
Gap Closure Claiming “Ongoing” without a deadline. I look for Jira tasks with clear completion dates.

10 Steps to Audit Clause 7.2 (Internal Audit Guide)

  1. Review the Competency Matrix: Confirm that every role in the ISMS scope is listed with clear requirements.
  2. Sample New Hires: Pick three people hired in the last six months and check their onboarding records.
  3. Verify Certificates: Check that the certificates in SharePoint are still valid and have not expired.
  4. Conduct Staff Interviews: Ask random employees how they report a security incident. Their answer proves their competence.
  5. Inspect Training Budgets: Verify that money was actually spent on the training activities listed in the plan.
  6. Check IT Admin Skills: Ask for proof of training for anyone with “Domain Admin” or “Global Admin” rights.
  7. Examine Appraisal Records: Ensure that security performance was discussed during recent employee reviews.
  8. Review Contractor Files: Check that your most critical vendors have provided proof of their staff’s expertise.
  9. Assess Quiz Results: Look for low pass rates in your LMS as a sign of ineffective training materials.
  10. Cross-Reference with Incidents: Check if recent security incidents were caused by a lack of staff competence or training.
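Audit steps 3 and 6 above (verify that certificates are still valid; check that every holder of "Domain Admin" or "Global Admin" rights has proof of training) can be run as one automated cross-check. The following Python script is an added example, not code from this page's author: it joins a constructed export of privileged group members against a constructed HR/LMS record export and reports each privileged role holder with no relevant record, an expired record, or a record about to lapse. The column names (`user`, `role`, `record`, `completed`, `expires`, `required_for`) are assumptions about how such exports would be laid out.

```python
"""Cross-check privileged accounts against competence records.

Added example for audit steps 3 and 6 (certificate validity, privileged-user
training). The two CSV strings are constructed samples standing in for an
identity-system export of privileged group members and an HR/LMS export of
training and certification records; the column names are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: who holds which privileged role (e.g. an AD/Entra group export).
PRIVILEGED_CSV = """\
user,role
alice,Domain Admin
bob,Global Admin
carol,Domain Admin
dave,Global Admin
"""

# Constructed sample: training and certification records from the LMS/HR file.
# required_for (assumed column) lists the privileged roles a record satisfies,
# separated by ';'. An empty expires field means the evidence does not lapse.
RECORDS_CSV = """\
user,record,completed,expires,required_for
alice,Active Directory Security Training,2024-02-10,2025-02-10,Domain Admin
alice,CISSP,2022-05-01,2025-05-01,Domain Admin;Global Admin
bob,Entra ID Administrator Training,2023-11-20,2024-11-20,Global Admin
carol,Security Awareness Basics,2024-09-01,2025-09-01,
"""


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    reason: str          # "no_record", "expired" or "expires_soon"
    detail: str = ""


def _records_for(records: list[dict], user: str, role: str) -> list[dict]:
    """Records that the HR/LMS export marks as satisfying `role` for `user`."""
    return [
        r for r in records
        if r["user"].strip() == user
        and role in [x.strip() for x in r["required_for"].split(";") if x.strip()]
    ]


def check_privileged_competence(privileged_csv: str, records_csv: str,
                                as_of: str, warn_days: int = 30) -> list[Finding]:
    """Return one Finding per privileged assignment that lacks current evidence.

    as_of is an ISO date (the audit date). A role holder passes when at least
    one relevant record is unexpired on that date and not due to lapse within
    warn_days; non-expiring evidence (empty expires field) always passes.
    """
    audit_date = date.fromisoformat(as_of)
    privileged = list(csv.DictReader(io.StringIO(privileged_csv)))
    records = list(csv.DictReader(io.StringIO(records_csv)))
    findings: list[Finding] = []
    for row in privileged:
        user, role = row["user"].strip(), row["role"].strip()
        relevant = _records_for(records, user, role)
        if not relevant:
            findings.append(Finding(user, role, "no_record"))
            continue
        expiries = [date.fromisoformat(r["expires"]) if r["expires"] else None
                    for r in relevant]
        if None in expiries:
            continue                      # non-expiring evidence on file
        latest = max(expiries)            # the longest-lived relevant record
        if latest < audit_date:
            findings.append(Finding(user, role, "expired", f"latest evidence expired {latest}"))
        elif latest - audit_date <= timedelta(days=warn_days):
            findings.append(Finding(user, role, "expires_soon", f"latest evidence expires {latest}"))
    return findings


def coverage_rate(privileged_csv: str, findings: list[Finding]) -> float:
    """KPI: fraction of privileged assignments backed by current evidence."""
    total = len(list(csv.DictReader(io.StringIO(privileged_csv))))
    uncovered = {(f.user, f.role) for f in findings if f.reason in ("no_record", "expired")}
    return 1.0 if total == 0 else (total - len(uncovered)) / total


if __name__ == "__main__":
    found = check_privileged_competence(PRIVILEGED_CSV, RECORDS_CSV, "2025-01-15")
    for f in found:
        print(f"{f.user:8} {f.role:13} {f.reason:13} {f.detail}")
    print(f"privileged assignments with current evidence: "
          f"{coverage_rate(PRIVILEGED_CSV, found):.0%}")
```

Run against the sample data on an audit date of 2025-01-15, the script flags bob (evidence expired), carol (a general awareness record does not cover the Domain Admin role) and dave (no record at all), giving a coverage rate of 25%. Alice passes because her CISSP is still current even though her AD training lapses within the month; the "expires_soon" reason is what you would feed into the renewal tracking in step 9 rather than raise as a nonconformity.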

Clause 7.2 Audit Evidence Checklist

Evidence Item Pass/Fail Criteria Owner
Competency Matrix Must cover all ISMS roles and specific skills. HR / CISO
Training Log Must show dates, names, and topics covered. HR
Certificates of Completion Must be authentic and current for technical staff. Individual
Skills Gap Analysis Must show a comparison of current vs needed skills. CISO
Effectiveness Evaluation Must show how the effect of training was assessed (quiz results, interview notes, appraisal records). CISO

Required Policy Content: A Lead Auditor's Checklist

  • Responsibility Clause: Clearly define who is responsible for maintaining the competency matrix (usually HR).
  • Recruitment Standards: Describe how security competence is evaluated during the hiring process for new candidates.
  • Mandatory Training Requirements: List the specific training modules that every employee must complete annually.
  • Record Retention: Define how long training and competence records are kept after an employee leaves.
  • Competency Review Cycle: State how often the organisation reviews role requirements to stay current with new threats.

What to Teach Employees

  • Data Handling: How to use your classification levels to protect sensitive documents.
  • Incident Reporting: The exact steps to take if they suspect a data breach or lose a device.
  • Device Security: How to secure their laptops and mobiles when working in public spaces.
  • Social Engineering: How to spot phishing emails and fraudulent phone calls from "IT Support."

Enforcement and Consequences

Competence is a mandatory requirement. Failure to provide evidence of staff capability will be raised as a nonconformity; where no competence evidence exists at all for roles in the ISMS scope, auditors normally grade it as major. We follow a strict disciplinary path for staff who refuse to engage with training: a verbal warning for the first missed deadline, a written warning for continued negligence, and termination for high-risk roles where competence cannot be proven.

Common Implementation Challenges

Challenge Root Cause Solution
HR Disengagement HR sees ISO 27001 as "an IT problem." Include the HR Manager in the ISMS steering committee.
Lack of Time Staff are too busy to attend training. Use bite-sized, online modules that take ten minutes each.
Outdated Skills Training is only done once at onboarding. Implement a mandatory annual refresher for all staff.

Sample Statement of Applicability (SoA) Entry

The SoA lists Annex A controls, and Clause 7.2 is a mandatory clause rather than an Annex A control, so it does not appear in the SoA and cannot be declared not applicable. The Annex A control that carries the competence evidence into the SoA is 6.3 (Information security awareness, education and training). A sample entry:

"Control 6.3 is Applicable. The organisation ensures all personnel are competent based on education, training, and experience, in line with Clause 7.2. We maintain a competency matrix in Confluence and store certificates in SharePoint. Effectiveness is verified through annual appraisals and LMS testing. This control is managed jointly by HR and the CISO."

Changes from ISO 27001:2013

ISO 27001:2013 ISO 27001:2022
Clause 7.2 Competence Clause 7.2 Competence (requirement text unchanged)
Four requirements: determine competence; ensure it through education, training or experience; take action to close gaps and evaluate the effectiveness of that action; retain evidence. The same four requirements. Evaluating the effectiveness of actions taken was already required in 2013, so auditors expect effectiveness evidence under both editions.
Related Annex A control A.7.2.2 (Information security awareness, education and training). Related Annex A control renumbered to 6.3.

How to Measure Effectiveness (KPIs)

  • Training Completion Rate: Percentage of staff who finished mandatory training by the deadline. Target: 100%.
  • Average Quiz Scores: The mean score of staff on security awareness tests. Target: >85%.
  • Competency Gap Closure: Number of identified skills gaps resolved through training or hiring each quarter.
  • Privileged Users with Current Evidence: Percentage of "Domain Admin", "Global Admin" and similar role holders whose competence records are unexpired. Target: 100%.

Related ISO 27001 Controls

  • Clause 7.3 Awareness: staff must know the information security policy, their contribution to the ISMS, and the implications of not conforming.
  • Annex A 6.1 Screening and 6.2 Terms and conditions of employment: background checks and contractual obligations that feed the competency check at onboarding.
  • Annex A 6.3 Information security awareness, education and training: the control under which the training programme itself is operated and listed in the SoA.
  • Annex A 6.4 Disciplinary process: the formal route for staff who refuse to engage with mandatory training.

ISO 27001 Clause 7.2 FAQ

Do we need to hire a trainer for Clause 7.2?

No. You can use internal experts, online platforms, or external consultants. The key is that the training must be relevant to the role and the records must be kept.

Is "on-the-job" training acceptable for auditors?

Yes, provided it is documented. I look for a signed record showing what was taught, who taught it, and how the learner demonstrated their new skill.

What if an employee refuses to do security training?

This is a disciplinary matter. If they perform work within the ISMS scope, they must be competent. Allowing them to continue without training is a risk to your certification.

Do I need to keep copies of university degrees?

Only if the degree is the primary evidence of their competence for that role. For most security roles, specific certifications like CISSP or CISM are more relevant.

How often should we update our competency matrix?

I recommend reviewing it at least once a year or whenever there is a major change to your technology stack or business processes.