#iso27001/2022/EN

## 7.2 Competence

The organization shall:

a\) determine the necessary competence of person(s) doing work under its control that affects its information security performance;

b\) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c\) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and

d\) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.