ISO 27001 clause 7.2 Competence

The basics

ISO 27001 sub-clause 7.2 is called “Competence”: it requires that companies define which knowledge and skills people need in order to perform the activities defined by the ISMS. When existing competence is not enough, training must be defined and delivered, and its effectiveness measured to ensure that the required level of competence is achieved.

Documentation

ISO 27001 clause 7.2 Competence requires the following records:

  • Evidence of security competencies of people within the ISMS

The following document is not mandatory, and companies can decide whether to write it:

Implementation

To implement ISO 27001 clause 7.2 Competence, you need to follow these steps:

  1. Identify Required Competencies: Determine the necessary knowledge and skills for each role involved in the Information Security Management System (ISMS).
  2. Assess Current Competencies: Evaluate the existing competencies of personnel to identify any gaps.
  3. Plan Training and Development: Develop a training plan to address identified gaps and enhance competencies. This may include formal training, workshops, or on-the-job training.
  4. Conduct Training: Implement the training plan and ensure that personnel receive the necessary training.
  5. Evaluate Training Effectiveness: Assess the effectiveness of the training to ensure that the required competencies have been achieved.
  6. Maintain Records: Keep records of training activities and competency assessments to demonstrate compliance with the standard.

Audit evidence

The auditor will look for the following regarding ISO 27001 clause 7.2 Competence:

  • If the required competencies are defined for particular job roles.
  • If the relevant people are trained for the required competencies, i.e., if they know how to perform their security-related work.