Competence for ISO 27001 Information Security
ISO 27001 Clause 7.2
This sub-clause requires the organisation to determine and provide the competence of people whose work affects information security performance, with documented evidence retained.
ISO 27001 Clause 7.2 - Competence
Clause 7.2 applies to anyone whose work affects information security performance. That is broader than just the IT and information security teams. It includes anyone with access to systems or data, anyone who handles personal information, anyone responsible for parts of the management system, and anyone whose actions could create or reduce information security risk.
What ISO 27001 Clause 7.2 Requires
The organisation must determine the necessary competence of people doing work under its control that affects the performance of the ISMS, and make sure those people are competent on the basis of appropriate education, training or experience. Where necessary it must take action to acquire the competence and evaluate the effectiveness of those actions, and it must retain appropriate documented information as evidence of competence.
The clause applies regardless of whether the people involved are employees, contractors or temporary workers. If they are doing work that affects information security and they are under the organisation's control, they need to be competent for what they are doing.
Working Out What Competence Is Needed
Competence for information security splits into general and specific. General competence is the baseline expected of everyone whose work touches the ISMS - knowing what the policy says, knowing how to use systems safely, knowing how to spot and report a security incident. Specific competence is the deeper skill needed for particular roles - the person who runs the firewall, the person who manages access controls, the person who carries out internal audits.
Most organisations capture these requirements in role descriptions, training matrices or competence requirements lists. The depth of the documentation depends on the size and complexity of the organisation. A small business might capture it in a simple spreadsheet. A larger one might link it into the HR system.
Demonstrating Competence
The standard accepts education, training or experience as evidence of competence. None of these has to be a formal qualification. A person can be competent in user access management because they have done it for ten years. They can be competent in awareness training because they have completed an internal e-learning module. They can be competent in internal auditing because they have been on a training course. The evidence has to be appropriate to the role and recorded.
The training matrix or competence register is the most common evidence document. It records each role, the competence requirements, the people in those roles and the basis on which their competence is being relied on. It is updated when people change roles, when training is completed and when new competence requirements emerge.
Competence under Clause 7.2 extends well beyond IT staff. Anyone in a role that touches the management system - data protection officer, internal auditor, information security manager, asset owners, even the person who handles the visitor sign-in - has competence requirements that need to be evidenced. The training matrix is the simplest way to show that this thinking has been applied.
I sample the training matrix at audit. I pick two or three people and check that what the matrix says about their competence matches what they tell me about their training and experience. I also check that the person doing the internal audit is competent to audit information security, not just generically trained on the standard.
Practical Compliance Guidance
Competence for information security is most often captured in a training matrix that records each role, the competence required and the evidence that it is being met. The alphaZ ISO 27001 Awareness Training Course provides a baseline of awareness training for all staff that contributes to general competence under this clause.
The documents below support the determination, demonstration and recording of competence for information security.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the training matrix and awareness training course. |
| ER2 Staff Training Competency Matrix | Matrix that records each role, the competence required and the training or experience evidencing competence. |
| ISO 27001:2022 Awareness Training Course | Awareness training course covering the information security basics needed by all staff inside the ISMS scope. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
No specific UK legislation prescribes competence for information security roles. However, UK GDPR creates implicit competence expectations through its requirement that personal data is processed by people with appropriate knowledge, and the data protection officer role under UK GDPR has specific competence requirements.
