Clause 7.2 is designed to ensure that those who have an impact on the organization’s information security have the appropriate and necessary skills to carry out their responsibilities properly.


Specifically, clause 7.2 requires the organization to:

  1. Determine role competencies: identify the competencies required of the people whose work affects the ISMS. In practice this means having a job profile that lists the skills needed for each role.
  2. Ensure that these people are competent: when hiring, or at the annual appraisal, compare the job profile (the skills required) with the education, training and experience of the person occupying the position or applying for it. This task intersects with HR-related security controls such as background screening, which can include verification of training and diplomas.
  3. Close any gaps and evaluate the result: where a person lacks a required competency, take action to acquire it (training, mentoring, reassignment or recruitment) and evaluate whether the action was effective.
  4. Retain evidence of competence: keep documented information that demonstrates competence, e.g. diplomas, training certificates, job descriptions and performance appraisals.

Example of a security guideline

As part of my mandates, I use this type of guideline to document and communicate an organization’s consistent skills management practice:

  1. Identification of required skills: every role that affects information security must be clearly defined, with the skills required for that role identified. These may include technical skills, regulatory knowledge, project management skills, etc. (Have a job description!)
  2. Assessment of existing skills: for each role, the skills of the staff currently holding it must be assessed against the job description, covering their training, education and experience. (At hiring time, evaluate skills through a test or an interview.)
  3. Skills development plan: where a skills gap is identified, a skills development plan must be drawn up. The plan describes the actions that will close the gap: training, mentoring, recruitment, etc.
  4. Information security training program: an information security training program must be in place for all employees and must be reviewed and updated regularly so that it remains relevant and effective.
  5. Evaluation of training effectiveness: the effectiveness of training and of the other actions taken to close skills gaps must be evaluated regularly, for example through tests, performance evaluations or compliance audits.
  6. Documentation of skills: records must be kept that document staff skills. Employee files should include diplomas, skills assessments, qualifications, training certificates, performance evaluations, etc.
  7. Regular reviews: competency needs, and the effectiveness of the actions taken to meet them, must be reviewed regularly. This includes a management review confirming that skills requirements are adequately addressed within the information security management system.

Success criteria

To determine whether we have complied with clause 7.2 of ISO 27001, here are a few questions an auditor might ask:

  1. Can you present the skills associated with the different roles in the organization?
  2. How were skills assessed at hiring?
  3. Can you show evidence of your staff's skills?
  4. How do you ensure that your staff's skills keep pace with changes in technology, working practices, regulations, etc.?
