Overview: ISO 27001 requirement 7.2 

1. Introduction
   
   
2. What is the clause 7.2 of ISO 27001?
   
   
3. What is covered under the clause 7.2?
   
   
4. How to demonstrate compliance to clause 7.2 of ISO 27001
   
   
5. Conclusion

Information security is essential for any organisation that wants to protect its assets, such as data, intellectual property, and financial information. The ISO 27001 standard is a widely recognised framework for managing information security.

One of the key requirements of ISO 27001 is that organisations must ensure that the people who work on the ISMS are competent. This means that they have the necessary knowledge, skills, and experience to perform their roles effectively.

Clause 7.2 of ISO 27001 deals with the competence of personnel. This clause requires organisations to determine the necessary competence levels for individuals who perform activities that affect the ISMS.

ISO 27001 Clause 7.2 Competence

The organisation shall:

• determine the necessary competence of person(s) doing work under its control that affects its information security performance;
  
  
• ensure that these persons are competent on the basis of appropriate education, training, or experience;
  
  
• where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken; and
  
  
• retain appropriate documented information as evidence of competence.

What is the clause 7.2 of ISO 27001?

ISO 27001 clause 7.2 requires organisations to determine the necessary competence levels for individuals engaged in activities impacting the information security management system (ISMS). This clause highlights the need to make sure that the people in your organisation have the right knowledge, skills, and experience to actively contribute to keeping your information secure.

Keep in mind that creating and managing an ISMS typically involves a joint team effort. The key factor is grasping the organization's essence, its mission, objectives, culture, risk tolerance, and the stipulations outlined in clauses 4.1, 4.2, 4.3, 6.1, and 6.2.

What is covered under ISO 27001 Clause 7.2?

• The organisation will ensure that it has determined the competence of the people doing the work on the ISMS that could affect its performance.
  
  
• The people are deemed competent on the basis of the relevant education, training, or experience.
  
  
• Where required, the organisation will take action to acquire the necessary competence and evaluate the effectiveness of the actions.
  
  
• The organisation will retain evidence of the above for audit purposes.

How to demonstrate compliance to clause 7.2 of ISO 27001

• Conduct a skills audit to identify the knowledge, skills, and experience required for each role in the ISMS. This can be done by interviewing staff, reviewing job descriptions, or conducting a survey.
  
  
• Provide training and development opportunities to ensure that staff have the necessary skills and knowledge. This can be done through internal training, external courses, or online resources.
  
  
• Create a competency framework to document the skills and experience required for each role. This can be used to assess the competence of staff and to identify any gaps in their knowledge or skills.
  
  
• Monitor the performance of staff to ensure that they are meeting the required standards. This can be done through regular reviews, performance appraisals, or incident reports.
  
  
• Document the competence of staff and retain the evidence for audit purposes. This can be done through training records, competency assessments, or performance reviews.

It is important to note that the specific ways to demonstrate compliance to clause 7.2 will vary depending on the organisation and the roles involved. However, the above are some general tips that can be helpful.

Here are some additional points to keep in mind when demonstrating compliance to clause 7.2:

• The approach should be systematic and documented.
  
  
• It should be tailored to the specific needs of the organisation.
  
  
• It should be regularly reviewed and updated.
  
  
• It should be communicated to all staff.

By following these guidelines, organisations can demonstrate their commitment to information security and protect their assets from unauthorised access, use, disclosure, modification, or destruction.

What are the ISO 27001:2022 changes to clause 7.2?

There are no changes to ISO 27001 clause 7.2 in the 2022 update.

Conclusion

ISO 27001 clause 7.2 is an important requirement that ensures that organisations have the right people with the right skills and experience to manage information security effectively. By following the guidance in this clause, organisations can demonstrate their commitment to information security and protect their assets from unauthorised access, use, disclosure, modification, or destruction.