ISO 27001 Information Security - Clause 7.2 Competence

7.2 Competence

The basic requirement is that anyone who may affect information security should be competent for their role. While this can apply to all workers, it is, of course, critical for people in your compliance and information technology teams. The ISO 27001 standard is not prescriptive about any specific qualifications or competences that should be in place. You should be guided by any applicable legal / regulatory requirements, and any contractual or other compliance obligations. You should also consider your own business imperatives. What levels of competence is desired to fulfill certain roles?

Internal Auditors

One area to consider is what level of competence is required for your internal auditors? ISO 27001 does not specify that they must be qualified auditors. The role is covered by the general requirement that they must be qualified. One solution is to train a group of your own people as internal auditors. Another option is to outsource the performance of internal audits to already qualified professionals. A combination of those approaches may also be used.

The requirements of ISO 27001 clause 7.2 Competence are summarised and explained as follows:

Determine the necessary competence

An organization needs to decide what levels of competency are necessary for various roles, and to communicate those requirements. There are various ways of doing this. For example: Skills, qualifications, and/or experience required for an individual job position may be specified as selection criteria in a 'Job Description'. These may include soft skills in addition to more technical competencies.

Ensure that people are competent

The next step is to ensure that people in those roles have the necessary competencies. There are many methods of assessing competence. They include checking claimed qualifications and experience prior to employment and promotion / change of role. By the way, pre-employment screening is one if the Annex A controls in ISO 27001 (A7.1.1 in the 2013 edition of the standard or A6.1 in the 2022 edition). So, we'll be discussing that further in a later blog. Other methods of assessing competence include skills tests, 180° or 360° assessments / surveys, and ongoing monitoring by managers which may form part of a individual development / performance programme.

Take action to achieve competence

Action must then be taken to address any gaps between the required competencies and those that are actually in place. Competency can be achieved by various means, such as:

• Training
• Recruitment
• Outsourcing

Subject to legal, regulatory and other business requirements, training may be formal or informal, in-house or external. Levels of competence, training requirements and the necessary budgets should be considered as internal factors in a situational analysis and periodic management reviews.

Keep records

Appropriate records of qualification, competence, or training should be kept as evidence of competence. These might include:

• Competency assessments
• Licences
• Qualifications
• Professional memberships or registrations
• Training undertaken before joining the organization
• Training undertaken during employment
• Further training programmed, or considered desirable

Qudos 3 software includes a complete Training module. That facilitates automated reminders, comprehensive records keeping and query / reporting options in a secure database.