Competence
Plain English Translation
Clause 7.2 ensures that anyone performing work that affects information security is actually qualified to do so. The organization must define what skills, education, or experience are necessary for each security role (e.g., in a job description or competency matrix). If a person lacks these required skills, the organization must take action to close the gap (the standard's note lists training, mentoring, or reassignment of current staff, or hiring or contracting competent people) and then verify that the action was effective. Finally, the organization must keep records, such as certificates or resumes, to prove to auditors that the team is competent.
Technical Implementation
Required Actions (startup)
- Include security skill requirements in job descriptions for key roles
- Retain resumes and certifications for the security lead/CTO
- Conduct basic onboarding training and log attendance
Required Actions (scaleup)
- Develop a formal Skills & Competency Matrix for all technical teams
- Implement specific security training (e.g., secure coding) for developers
- Conduct annual performance reviews including security competence checks
Required Actions (enterprise)
- Integrate competency tracking with HRIS and Learning Management Systems (LMS)
- Define career paths with specific security certification requirements
- Regularly audit competence records against the matrix for gaps
Clause 7.2 requires organizations to determine the skills and experience needed for security roles, ensure staff possess them, fix any gaps through training, and keep evidence of this competence.
Competence requirements are determined by analyzing the specific tasks within the ISMS (e.g., risk assessment, auditing, system administration) and defining what education, training, or experience is needed to perform them effectively.
The standard does not prescribe specific documents, only "appropriate documented information". Typical evidence includes CVs/resumes, degree certificates, industry certifications (e.g., CISSP, CISA), training attendance records, and results of competency evaluations.
A competency matrix is a document that lists key roles (rows) against required skills (columns), marking the required level of proficiency and the individual's current level, helping to identify gaps.
Document competence by maintaining up-to-date personnel files containing job descriptions, resumes, copies of certifications, training logs, and completed competency assessments. Tools like WatchDog Security's Compliance Center can centralize these competence artifacts by role, attach them to Clause 7.2 evidence tasks, and flag missing or expired records before an audit.
Auditors typically want more than a statement that 'people were trained'—they look for role-appropriate training, proof of completion, and some indication the learning was effective. A training platform helps by assigning required content by role, tracking completion, and keeping records that are easy to retrieve during an audit. For example, WatchDog Security's Security Awareness Training can assign role-based modules, track completion, and retain training records that support competence evidence for staff performing security-relevant work.
Contractor competence is often hard to evidence because documentation lives in email threads or vendor folders and gets outdated as people rotate on and off projects. A practical approach is to centralize contractor onboarding requirements, verify competence artifacts before access is granted, and retain an audit trail of what was checked and when. For example, WatchDog Security's Vendor Risk Management can maintain a vendor and contractor catalog, track required due-diligence items (including relevant qualifications), and keep status and evidence organized for audit review.
Competence (7.2) is about having the skill and ability to do a specific job (e.g., configuring a firewall). Awareness (7.3) is about knowing why security matters and what the general policies are (e.g., knowing not to share passwords).
Effectiveness is measured by evaluating whether the person can perform the task correctly after training. This can be done via testing, observation by a supervisor, or reviewing the quality of their work output. Record the result of that evaluation, since auditors will look for evidence that the check was performed, not just that the training was delivered.
While general security awareness is required for all, specific competence training depends on the role. For example, developers may need secure coding training, while auditors need training on audit techniques.
"The organization shall determine the necessary competence of person(s) doing work under its control that affects its information security performance; ensure that these persons are competent on the basis of appropriate education, training, or experience; where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and retain appropriate documented information as evidence of competence."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |