1- Hi, we have included all our employees in the scope for ISO 27001. Do we have to do a competency matrix for all of them as per Clause 7.2? Or only for the ones with the Information Security role who have been assigned the responsibility for the ISMS? Please clarify for whom the competency matrix is to be done.
Answer: ISO 27001 only requires the definition of necessary competencies for persons that affect its information security performance. Considering that, only the persons who handle the information you want to protect must be included in the competency matrix. For example, if you want to protect only the research and development information, most probably the HR and financial personnel won't be included in your competency matrix.
2- And what type of competencies need to be included? Do they have to be related to information security only?
Answer: The competencies to be included will depend on which roles you have in your matrix, but broadly speaking they are related to information technology, physical security, HR management and legal.
As you can see, they are not limited to information security. In fact, information security competencies will drive which specific competencies in these areas must be developed.
For example, for protecting confidentiality, competencies related to physical and logical access control must be developed, as well as security practices in systems development, which will need to protect the confidentiality of information stored and processed by information systems.
These articles will provide you with further explanation about managing competencies: