The organization shall:
a) determine the necessary competence of persons doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or
experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.
The organization shall determine the necessary competence of persons doing work under its control that affects its information security performance
Determining the necessary competence of employees that affects an organization’s information security performance involves assessing the skills, knowledge, and capabilities required for individuals to perform their roles effectively within the Information Security Management System (ISMS). Here are steps the organization can take to ensure the competence of its employees:
- Define Roles and Responsibilities: Clearly define roles and responsibilities within the ISMS. Identify the key information security functions and the individuals responsible for each.
- Identify Competency Requirements: Identify the knowledge, skills, and competencies required for each role. Consider the specific requirements of ISO 27001 and other relevant standards, as well as the organization’s information security policies and procedures.
- Conduct Competency Assessments: Regularly assess the current competencies of employees against the identified requirements. Use methods such as skills assessments, certifications, training records, and performance evaluations.
- Training and Development: Develop a training and development program based on the identified competency gaps. Provide relevant training to employees to enhance their knowledge and skills in information security. Encourage employees to pursue relevant certifications.
- Awareness Programs: Implement awareness programs to ensure that all employees understand the importance of information security. Communicate the organization’s information security policies and best practices.
- Documentation and Records: Maintain documentation that outlines the competencies required for each role. Keep records of training, certifications, and competency assessments.
- Performance Reviews: Include information security competencies as part of regular performance reviews. Recognize and reward employees who demonstrate a high level of competency in information security.
- Internal and External Resources: Leverage internal resources, such as experienced employees, to mentor and train others. Consider external resources, such as consultants or training providers, to supplement internal training efforts.
- Cross-Functional Training: Encourage cross-functional training to ensure that employees have a broad understanding of information security across different areas of the organization.
- Feedback Mechanism: Establish a feedback mechanism for employees to provide input on the effectiveness of training programs and to express their ongoing learning needs.
- Continuous Improvement: Continuously assess and adjust competency requirements based on changes in technology, regulations, and the organization’s risk landscape. Incorporate lessons learned from incidents or audits into training programs.
- Management Support: Ensure that top management actively supports and promotes a culture of continuous learning and improvement in information security.
- Integration with HR Processes: Integrate competency assessments and training programs into the organization’s human resources processes, including hiring, onboarding, and career development.
- Communication: Clearly communicate competency expectations to employees. Provide regular updates on changes to information security requirements and the corresponding competencies needed.
- Third-Party Expertise: Consider engaging third-party experts or consultants for specialized training and guidance in areas where internal expertise may be limited.
By implementing these steps, the organization can systematically assess, develop, and maintain the necessary competencies among its employees, ensuring a strong foundation for effective information security performance within the ISMS. Regular monitoring and adjustment of competency programs are essential to keep pace with evolving information security challenges.
The organization shall ensure that these persons are competent on the basis of appropriate education, training, or experience
Ensuring that personnel are competent based on appropriate education, training, or experience is a fundamental aspect of information security management. Here are specific steps an organization can take to fulfill this requirement:
- Identify Competency Requirements: Define the specific knowledge, skills, and competencies required for each role within the Information Security Management System (ISMS). Base these requirements on the needs of the organization, relevant standards (such as ISO 27001), and the nature of information security risks.
- Establish Educational Criteria: Specify educational requirements for individuals in information security roles. Consider relevant degrees, certifications, and qualifications.
- Training Programs: Develop and implement targeted training programs to address specific competency requirements. Use both internal and external training resources to cover a broad range of topics, including information security policies, procedures, and technology.
- Certifications: Encourage or require relevant certifications for specific roles. Examples include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and others based on job roles.
- Experience Criteria: Establish experience criteria for personnel in information security roles. Consider the level of experience needed to effectively perform job responsibilities.
- Competency Assessments: Regularly assess the competencies of personnel to ensure they meet the established criteria. Use assessments, exams, or practical evaluations to measure knowledge and skills.
- Documentation of Competencies: Maintain records documenting the competencies of each individual. Include details such as completed training, certifications earned, and relevant work experience.
- Continuous Learning: Promote a culture of continuous learning and professional development. Encourage employees to stay informed about the latest developments in information security through ongoing education and training.
- Performance Reviews: Incorporate competency assessments into regular performance reviews. Provide feedback on strengths and areas for improvement.
- Mentorship Programs: Implement mentorship programs where experienced individuals mentor those who are newer to information security roles. Facilitate knowledge transfer and skill development through mentorship.
- Cross-Functional Training: Encourage cross-functional training to enhance the understanding of information security across different departments. Foster a collaborative environment for sharing knowledge.
- Awareness Programs: Conduct regular awareness programs to ensure that all employees, regardless of their roles, have a basic understanding of information security principles.
- Periodic Reviews: Periodically review and update competency requirements based on changes in technology, regulations, and organizational needs. Ensure that the competencies required align with the evolving threat landscape.
- Recognition and Rewards: Recognize and reward individuals who actively contribute to the enhancement of information security competencies. Use positive reinforcement to motivate continued learning.
- Management Support: Obtain commitment and support from top management for initiatives related to competency development. Ensure that there is a budget and resources allocated for training and development.
- Feedback Mechanism: Establish a mechanism for employees to provide feedback on the effectiveness of educational programs and training materials. Use feedback to continuously improve training initiatives.
By implementing these steps, the organization can create a structured approach to ensure that individuals in information security roles are competent based on appropriate education, training, or experience. Regular monitoring, assessment, and adjustment of competency programs are crucial to maintaining a skilled and knowledgeable workforce capable of addressing evolving information security challenges.
The organization shall, where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
The organization’s commitment to acquiring necessary competence and evaluating the effectiveness of those actions is crucial for ensuring that its personnel are adequately equipped to manage information security effectively. Here’s a step-by-step guide on how the organization can fulfill this requirement:
- Identify Competence Gaps: Regularly assess the competencies of personnel against established criteria. Identify gaps in knowledge, skills, or experience that may exist within the organization.
- Develop a Competence Acquisition Plan: Based on the identified gaps, develop a plan to acquire the necessary competence. Consider a combination of training programs, educational initiatives, certifications, and practical experience.
- Training and Development Programs: Implement targeted training programs to address specific competence gaps. Utilize both internal and external training resources to cover a range of information security topics.
- Certification Programs: Encourage or require relevant certifications for personnel in information security roles. Support employees in obtaining certifications that align with their responsibilities.
- Educational Opportunities: Facilitate educational opportunities such as workshops, seminars, and conferences. Encourage participation in educational programs relevant to information security.
- On-the-Job Training: Provide on-the-job training opportunities, allowing personnel to apply new knowledge and skills in real-world scenarios.
- Mentorship and Coaching: Establish mentorship programs where experienced individuals guide and coach those seeking to acquire specific competencies. Foster a culture of knowledge-sharing within the organization.
- Evaluate Training Effectiveness: Periodically assess the effectiveness of training programs. Use feedback from participants and key performance indicators to measure the impact of training initiatives.
- Feedback Mechanism: Establish a feedback mechanism for employees to provide input on the relevance and effectiveness of training programs. Use feedback to make continuous improvements.
- Evaluation of Competence Acquisition: Regularly evaluate whether the actions taken to acquire competence have been successful. Assess whether employees have gained the required knowledge, skills, and experience.
- Performance Reviews: Incorporate competence assessments into regular performance reviews. Use performance reviews to discuss competence development goals and achievements.
- Document Competence Acquisition: Maintain records documenting the actions taken to acquire competence. Include details such as completed training programs, certifications earned, and on-the-job learning experiences.
- Continuous Improvement: Use insights from competence evaluations to continually improve the organization’s approach to acquiring and managing competence. Adapt strategies based on changing business needs and information security requirements.
- Management Support: Secure commitment and support from top management for the competence acquisition initiatives. Ensure that there is a clear understanding of the importance of competence in information security management.
- Resource Allocation: Allocate resources, including budget and time, to support competence acquisition initiatives. Ensure that employees have the necessary resources to participate in training and development programs.
- Recognition and Rewards: Recognize and reward individuals who successfully acquire and apply new competencies. Create incentives to encourage a proactive approach to competence development.
By systematically taking these actions, the organization can ensure that it acquires the necessary competence to effectively manage information security. Regular evaluation and adaptation of these actions are essential to maintaining a skilled and knowledgeable workforce capable of addressing evolving information security challenges.
The organization shall retain appropriate documented information as evidence of competence.
Retaining appropriate documented information as evidence of competence is essential for demonstrating that the organization’s personnel possess the necessary skills, knowledge, and qualifications to effectively manage information security. Here are steps to fulfill this requirement:
- Document Competence Criteria: Clearly define and document the criteria for competence for each role within the organization, considering factors such as education, training, experience, and certifications.
- Competence Records: Create and maintain records for each employee detailing their competence. Include information such as education credentials, training records, certifications, and relevant work experience.
- Training and Development Records: Document information related to training and development programs attended by employees. Include details such as the name of the training program, date, duration, and topics covered.
- Certification Records: Keep records of certifications obtained by employees, including certification names, issuing organizations, and expiration dates. Regularly update these records to reflect the current status of certifications.
- Performance Evaluation Records: Include competence assessments as part of regular performance evaluations. Document the results of these assessments, highlighting areas of strength and areas for improvement.
- Evidence of On-the-Job Training: If on-the-job training is part of competence development, document instances of practical experience gained by employees. Include details about the tasks performed and skills acquired during these experiences.
- Competence Review Meetings: Conduct periodic competence review meetings where the documented information is reviewed and updated as needed. Ensure that records accurately reflect the current competence of each employee.
- Documented Competence Plans: Develop documented competence plans for employees outlining the steps they need to take to acquire and maintain required competencies. Include timelines and milestones in these plans.
- Feedback Mechanism Records: Document feedback received from employees regarding the effectiveness and relevance of training programs. Use feedback to make improvements to competence development initiatives.
- Evidence of Continuous Improvement: Retain records that demonstrate the organization’s commitment to continuous improvement in competence development. Document changes made to competence criteria based on lessons learned and evolving requirements.
- Compliance Records: If there are specific regulatory or industry requirements related to competence, maintain records demonstrating compliance with these requirements. This may include records of compliance audits or certifications.
- Retention Policies: Establish and adhere to retention policies for competence-related documentation. Ensure that records are retained for the necessary duration to meet legal, regulatory, or organizational requirements.
- Accessibility and Security: Store competence-related documentation in a secure and accessible manner. Implement controls to protect the confidentiality and integrity of these records.
- Audit Trail: Implement an audit trail system to track changes made to competence-related records. This can enhance transparency and accountability.
- Integration with HR Systems: Integrate competence-related documentation with human resources systems for seamless record-keeping. Ensure that updates to competence records are reflected in broader HR records.
- Management Review: Include competence records as part of management review processes. Use these records to assess the effectiveness of competence development initiatives.
- External Certification Records: If employees hold external certifications, maintain records of these certifications and any associated requirements for renewal.
By following these steps, the organization can establish a robust system for retaining documented information as evidence of competence. This documentation not only serves as proof of compliance but also supports effective management and development of the organization’s workforce in the field of information security.
Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.
The organization can take various actions to ensure and enhance the competence of its personnel in information security. The actions may include the provision of training, mentoring, reassignment of current employees, hiring, or contracting competent individuals. Here’s an elaboration on each of these actions:
1. Training Programs:
- Description: Provide targeted training programs to address specific competency gaps.
- Implementation: Identify relevant training courses, workshops, and seminars. Implement a training schedule that aligns with the competence development plan.
2. Mentoring Programs:
- Description: Establish mentoring programs where experienced individuals guide and support less experienced personnel.
- Implementation: Pair less experienced employees with seasoned professionals. Facilitate regular mentoring sessions to share knowledge and insights.
3. Re-assignment of Current Employees:
- Description: Consider re-assigning current employees to roles that better match their skills and strengths.
- Implementation: Assess the competencies of current employees and identify opportunities for re-assignment to roles where they can contribute effectively.
4. Hiring Competent Individuals:
- Description: Recruit new employees with the required skills and competencies.
- Implementation: Clearly define the competency requirements for open positions. Conduct thorough recruitment processes to identify and hire individuals who meet those requirements.
5. Contracting Competent Individuals:
- Description: Engage external contractors or consultants with the necessary expertise.
- Implementation: Assess the specific competence needs and hire external professionals on a temporary or project basis to address those needs.
6. Cross-Functional Training:
- Description: Encourage cross-functional training to enhance the understanding of information security across different departments.
- Implementation: Facilitate knowledge-sharing sessions or cross-departmental training programs to promote a holistic understanding of information security.
7. On-the-Job Training:
- Description: Provide on-the-job training opportunities, allowing personnel to apply new knowledge and skills in real-world scenarios.
- Implementation: Assign individuals to projects or tasks that align with their development goals, providing them with practical experience.
8. Performance Evaluation Feedback:
- Description: Use performance evaluations as a feedback mechanism to identify areas for improvement and discuss competence development goals.
- Implementation: Conduct regular performance reviews that include discussions on competence development, acknowledging achievements and identifying areas for growth.
9. Internal Competency Assessments:
- Description: Implement internal assessments to measure the current competencies of employees.
- Implementation: Develop and administer assessments that evaluate knowledge, skills, and capabilities. Use the results to inform further development initiatives.
10. Feedback Mechanism:
- Description: Establish a mechanism for employees to provide input on the effectiveness and relevance of training programs.
- Implementation: Encourage employees to provide feedback on their training experiences, allowing the organization to make continuous improvements.
11. Succession Planning:
- Description: Develop succession plans to ensure a pipeline of skilled individuals for critical roles.
- Implementation: Identify key positions, assess the competencies required, and create plans for developing and promoting internal talent.
12. Recognition and Rewards:
- Description: Recognize and reward individuals who actively contribute to the enhancement of information security competencies.
- Implementation: Implement a recognition program that acknowledges employees for their efforts in developing and applying information security competencies.
13. Adjusting Job Roles:
- Description: Adjust job roles to better align with changing business needs and evolving information security requirements.
- Implementation: Regularly review and update job descriptions to reflect the current demands of information security roles.
14. Investing in Learning Platforms:
- Description: Invest in learning platforms and resources that enable employees to pursue continuous learning.
- Implementation: Provide access to online courses, certifications, and other educational resources that support information security competence development.
15. Collaboration with Professional Organizations:
- Description: Foster collaboration with professional organizations and associations in the field of information security.
- Implementation: Encourage employees to participate in industry events, conferences, and forums to stay abreast of the latest developments.
16. Alignment with Career Development:
- Description: Align competence development initiatives with employees’ long-term career goals.
- Implementation: Work with employees to create personalized competence development plans that align with their career aspirations.
These actions should be part of a comprehensive competence development strategy, and the organization should regularly assess and adjust its approach based on the evolving needs of the information security landscape. Continuous improvement in competence development is key to ensuring that the organization is well-equipped to address emerging challenges.
Example of a Competence Procedure
Objective: To establish a systematic approach for ensuring competence in information security within the organization.
1. Identification of Competencies:
- Identify the key roles and responsibilities related to information security within the organization.
- Define the specific competencies required for each role, considering industry standards, regulatory requirements, and organizational needs.
2. Competency Framework:
- Develop a competency framework that outlines the knowledge, skills, and behaviors required for each identified competency.
- Ensure alignment with relevant industry standards (e.g., ISO 27001) and legal/regulatory requirements.
3. Training and Development:
- Identify training needs based on the competency framework.
- Develop a training plan that includes both general information security awareness training and role-specific training.
- Utilize a variety of training methods, such as e-learning, workshops, and on-the-job training.
4. Certification and Qualifications:
- Encourage relevant certifications and qualifications for key roles in information security.
- Maintain a record of certifications and qualifications achieved by employees.
5. Continuous Learning:
- Establish a process for continuous learning and skill development.
- Encourage employees to attend conferences, seminars, and workshops related to information security.
- Provide access to online resources and industry publications.
6. Skill Assessment:
- Conduct periodic skill assessments to evaluate the proficiency of employees in key information security competencies.
- Use the results of assessments to identify areas for improvement and tailor training programs accordingly.
7. Mentoring and Knowledge Transfer:
- Implement a mentoring program where experienced employees can guide and transfer knowledge to less experienced team members.
- Facilitate knowledge-sharing sessions and encourage collaboration among team members.
8. Performance Evaluation:
- Integrate information security competencies into the regular performance evaluation process.
- Link competence in information security to performance goals and career development plans.
9. Monitoring and Review:
- Regularly review and update the competency framework to reflect changes in technology, regulations, and organizational needs.
- Monitor the effectiveness of the competence assurance program through feedback, performance metrics, and incident reports.
10. Documentation and Recordkeeping:
- Maintain records of training, certifications, competency assessments, and other relevant information.
- Ensure that documentation is accessible for internal audits and compliance purposes.
11. Communication:
- Communicate the importance of information security competence throughout the organization.
- Foster a culture that values continuous improvement in information security practices.
12. Remedial Actions:
- Implement remedial actions for employees who do not meet the required information security competencies.
- Provide additional training and support to address identified deficiencies.
13. Reporting:
- Generate regular reports on the status of information security competence within the organization.
- Share insights with leadership to inform decision-making and resource allocation.
14. External Collaboration:
- Engage with external partners, industry forums, and professional associations to stay updated on best practices and emerging trends in information security.
Review and Approval: This procedure shall be reviewed periodically and updated as necessary to ensure its effectiveness. Approval by [appropriate authority] is required for any significant changes.
Example of Competence Matrix – Information Security
| Competency Area | Security Analyst | Network Security Engineer | Security Architect | Security Compliance Officer | Incident Responder |
|---|---|---|---|---|---|
| 1. Security Policies | Basic understanding | Proficient knowledge | Advanced knowledge | Expert knowledge | Proficient knowledge |
| 2. Risk Management | Basic understanding | Proficient knowledge | Advanced knowledge | Proficient knowledge | Proficient knowledge |
| 3. Network Security | Proficient knowledge | Expert knowledge | Advanced knowledge | Basic understanding | Expert knowledge |
| 4. Encryption | Proficient knowledge | Proficient knowledge | Expert knowledge | Basic understanding | Proficient knowledge |
| 5. Vulnerability Management | Proficient knowledge | Expert knowledge | Proficient knowledge | Basic understanding | Proficient knowledge |
| 6. Identity and Access Management (IAM) | Basic understanding | Proficient knowledge | Advanced knowledge | Basic understanding | Proficient knowledge |
| 7. Security Awareness and Training | Proficient knowledge | Proficient knowledge | Advanced knowledge | Proficient knowledge | Proficient knowledge |
| 8. Security Incident Response | Basic understanding | Basic understanding | Proficient knowledge | Proficient knowledge | Expert knowledge |
| 9. Compliance and Regulations | Proficient knowledge | Proficient knowledge | Advanced knowledge | Expert knowledge | Proficient knowledge |
| 10. Security Auditing | Basic understanding | Proficient knowledge | Advanced knowledge | Proficient knowledge | Basic understanding |
| 11. Cloud Security | Basic understanding | Proficient knowledge | Advanced knowledge | Proficient knowledge | Basic understanding |
Competency Levels:
- Basic Understanding: Awareness level, foundational knowledge.
- Proficient Knowledge: Working knowledge and ability to apply concepts.
- Advanced Knowledge: In-depth understanding and ability to analyze and design.
- Expert Knowledge: Mastery, ability to lead and innovate in the competency area.
