The Definitive Governance Requirement.
Clause 7.2 requires you to determine the necessary competence of persons doing work under your control that affects your information security performance. It demands evidence, not assumptions. You must ensure these persons are competent on the basis of appropriate education, training, or experience, and you must retain documented information as evidence of that competence.
The Mandate
The standard does not ask whether your staff are “smart.” It asks whether they are competent for the specific security role they hold. That is the distinction the auditor will test.
You must:
- Define Competence: What specific skills are required to manage the firewall? What specific knowledge is required to chair the Risk Committee?
- Verify It: You cannot assume competence from a job title. You need evidence.
- Bridge the Gap: If the person lacks the competence, you must take action (training, mentoring, reassignment, hiring or contracting) to acquire it.
- Evaluate Effectiveness: You must show the action worked. Sending someone on a course is activity; passing the exam, or demonstrating the skill on the job, is evidence of competence.
The Verdict: If you hire a generic IT Manager and assign them the role of “ISMS Manager” without evidence that they understand ISO 27001, you have no proof of competence, and the auditor will record that as a nonconformity.
The Implementation Strategy
Do not rely on HR’s standard onboarding. You need a targeted Competence Framework.
- The Matrix: Create a Competence Matrix. List every role in the ISMS (e.g., Risk Owner, Internal Auditor, System Admin). List the required skills for each.
- The Assessment: Map your current staff against the Matrix. Where are the gaps?
- The Intervention: Execute the training. This can be formal (external course), internal (mentoring), or experiential.
- The Feedback Loop: After the training, verify the result. Did they pass the test? Has their error rate dropped? Document the outcome.
The Auditor’s Trap
[The Auditor’s View] A common nonconformance here is “The CV Fallacy.” Organizations present a resume (CV) as proof of competence. A CV is a marketing document, not a verified record. A developer listing “Secure Coding” on their CV or LinkedIn profile does not prove they meet your organization’s standard. You need a record of how the claim was verified.
Required Evidence
An auditor wants to see the journey from “Requirement” to “Verification.”
- Competence Matrix: The foundational document mapping roles to skills.
- Job Descriptions: Updated to include specific ISMS responsibilities and required qualifications.
- Training Records: Dates, providers, and course content.
- Evidence of Effectiveness: Certificates, test results, or a manager’s signed attestation that the skill has been demonstrated in practice.
Strategic Acceleration
Tracking competence across a scaling organization using spreadsheets is inefficient and prone to error.
The Hightable™ Competence & Training Matrix is pre-configured with the standard roles required for ISO 27001. It allows you to drag-and-drop staff into roles and immediately visualize the competence gaps.
The Next Move: Deploy the Competence Matrix
