ISO 27001 Information Security - Clause 7.2 Competence

ISO 27001 Clause 7.2 Competence

5 ,July 2022 - ISO 27001 Information Security in plain English - Blog post #11.

ISO 27001 - Clause 7.2 Competence. Determine the required levels of competence for the ISMS, verify that they are in place, obtain any required competences , and retain records.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard.  However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.

7.2 Competence

The basic requirement is that anyone who may affect information security should be competent for their role. While this can apply to all workers, it is, of course, critical for people in your compliance and information technology teams. The ISO 27001 standard is not prescriptive about any specific qualifications or competences that should be in place. You should be guided by any applicable legal / regulatory requirements, and any contractual or other compliance obligations. You should also consider your own business imperatives. What levels of competence is desired to fulfill certain roles?

Internal Auditors

One area to consider is what level of competence is required for your internal auditors? ISO 27001 does not specify that they must be qualified auditors. The role is covered by the general requirement that they must be qualified. One solution is to train a group of your own people as internal auditors. Another option is to outsource the performance of internal audits to already qualified professionals. A combination of those approaches may also be used.

The requirements of ISO 27001 clause 7.2 Competence are summarised and explained as follows:

Determine the necessary competence

An organization needs to decide what levels of competency are necessary for various roles, and to communicate those requirements. There are various ways of doing this. For example: Skills, qualifications, and/or experience required for an individual job position may be specified as selection criteria in a 'Job Description'. These may include soft skills in addition to more technical competencies.

Ensure that people are competent

The next step is to ensure that people in those roles have the necessary competencies. There are many methods of assessing competence. They include checking claimed qualifications and experience prior to employment and promotion / change of role. By the way, pre-employment screening is one if the Annex A controls in ISO 27001 (A7.1.1 in the 2013 edition of the standard or A6.1 in the 2022 edition). So, we'll be discussing that further in a later blog. Other methods of assessing competence include skills tests, 180° or 360° assessments / surveys, and ongoing monitoring by managers which may form part of a individual development / performance programme.

Take action to achieve competence

Action must then be taken to address any gaps between the required competencies and those that are actually in place. Competency can be achieved by various means, such as:

  • Training
  • Recruitment
  • Outsourcing

Subject to legal, regulatory and other business requirements, training may be formal or informal, in-house or external. Levels of competence, training requirements and the necessary budgets should be considered as internal factors in a situational analysis and periodic management reviews.

Keep records

Appropriate records of qualification, competence, or training should be kept as evidence of competence. These might include:

  • Competency assessments
  • Licences
  • Qualifications
  • Professional memberships or registrations
  • Training undertaken before joining the organization
  • Training undertaken during employment
  • Further training programmed, or considered desirable

Qudos 3 software includes a complete Training module. That facilitates automated reminders, comprehensive records keeping and query / reporting options in a secure database.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Click the LinkedIn Follow button below to receive notifications.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!

Photo by Austin Distel on Unsplash