ISO 27001 competencies
Answer: ISO 27001 only requires the definition of necessary competencies for persons who affect its information security performance. Considering that, only the persons who handle the information you want to protect must be included in the competency matrix. For example, if you want to protect only the research and development information, most probably the HR and financial personnel won't be included in your competency matrix.
2 - And what type of competencies need to be included? Do they have to be related to information security only?
Answer: The competencies to be included will depend on which roles you have in your matrix, but broadly speaking they are related to information technology, physical security, HR management and legal.
As you can notice, they are not limited to information security. In fact, information security competencies will drive which specific competencies in these areas must be developed.
For example, for protecting confidentiality, competencies related to physical and logical access control must be developed, and security practices in systems development will also be needed to protect the confidentiality of information stored and processed by information systems.
These articles will provide you with further explanation about managing competencies:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding managing competencies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 03, 2018