Expert Advice Community

Clause 7.2 (Competence)

Guest user Created:   Mar 10, 2022 Last commented:   Mar 10, 2022

I’m missing one document in my ISMS, that is, for clause 7.2 (Competence). Could you point me in the direction of a good format to put this information in? It’s a record of all people involved in monitoring and managing the overall ISMS, right?
Expert
Rhand Leal Mar 10, 2022

ISO 27001 does not prescribe a format to document evidence of required competencies, so organizations can adopt the format that best fits their needs (e.g., certificates, attendance lists, references from previous employers, etc.).

As for what to document, the evidence of competence must be related to experience, knowledge or skills required to perform activities that can impact the ISMS (e.g., secure development competencies for the development and maintenance of information systems included in the ISMS scope, audit techniques for internal auditors, etc.).

You need to evidence competency of anyone who has an impact on the performance of the ISMS, i.e., those who put together and manage the ISMS (e.g., managers and technical staff), and also of those who have to follow the policies and procedures (e.g., all employees included in the ISMS scope).

These articles will provide you with a further explanation about competence evidence for ISO 27001:

- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

For an example of a document that can be used as evidence, please take a look at this template: Training and Awareness Plan https://advisera.com/27001academy/documentation/training-and-awareness-plan/

Nick Smith Mar 10, 2022

Great, thanks. I have a training and awareness plan policy already so I guess this should cover it.

 
