Regarding clause 7.2 from ISO 27001, what is expected for this? Are we expected to assess the competency of everyone in the organisation? If so, is a CBT general security course sufficient to achieve this? I appreciate that as the Head of IS and given my qualifications I have a certain level of competence, but what would be expected or "applicable" to all our users?
We are intending on delivering face-to-face awareness training on the specific policies being deployed. This will be both general awareness and targeted to those groups of people that specific policies relate to. Would a general CBT be enough to back this up?
Answer: You have to assess the competency only of those included in the scope of your ISMS. Regarding competence evidence, besides a CBT general security course and face-to-face training for awareness of all people included in the scope, maybe you also should consider specific courses for technical and management personnel, like the IT team and top management, since they require more specific knowledge to fulfil their information security related tasks. Additionally, for evidence of competence the standard also accepts evidence of experience and education, and where you can provide that evidence the CBT and face-to-face training may be optional.
Question: Does this mean the competency only needs to be assessed of those who put together and manage the ISMS? I.e. me as head of Infosec and those who write or approve any policy? Or do we need to assess the competency of anyone who has to follow the policy?
Answer: You need to assess the competency of anyone who has an impact on the performance of the ISMS, i.e. those who put together and manage the ISMS and also those who have to follow the policies.