The competence matrix defines which competencies each ISMS role requires — and at what level. It is the target profile you compare against the actual qualification status of your team.
ISO 27001 Clause 7.2 (Competence) requires that persons affecting ISMS performance have the necessary competence — demonstrated through education, training or experience. The competence matrix makes this requirement operationally tangible.
What does it contain?
Each row represents a competence requirement for a specific role. The columns:
- Role — ISMS role (e.g. ISO, IT Operations, Development, Executive Management)
- Required Competence — specific competence (e.g. ISO 27001 Lead Implementer, Secure Coding, Incident Response)
- Proficiency Level — required level (Basic, Intermediate, Advanced)
- Source — how the competence is acquired (external certification, internal training, professional experience)
- Mandatory — whether the competence is binding (Yes/No)
- Refresh Interval — number of months after which the competence must be refreshed (retraining, re-certification or a documented exercise)
How to use it
Initial population: Define required competencies for every ISMS-relevant role. Start with core roles (ISO, IT Operations, Data Protection) and then add business units. For each competence, set the target level and acquisition source.
Gap analysis: Compare the matrix against the training register. Where competencies are missing or refreshers are overdue, schedule targeted training.
Annual review: At least once a year (and after organisational changes), check whether new roles or competencies have emerged. Technological changes (e.g. cloud migration) typically create new qualification needs.
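The gap analysis step above is essentially a join between the matrix and the training register: for every person, take the mandatory rows of the roles they hold, look up their most recent training record per competence, and flag whatever is absent, below the required level, or past its refresh interval. The following Python script is an added example, not code from the original page; the column names follow the matrix described above, while the training register layout, the people, their roles and their training records are constructed for the demonstration. It also merges requirements when a person holds several roles that demand the same competence, which the text does not spell out.

```python
"""Gap analysis of an ISMS competence matrix against a training register.

Added example, not code from the original page. The matrix columns follow
the page; the training register layout, the people and their training
records are constructed for this demonstration.
"""
import calendar
from datetime import date

# Numeric ordering of the page's proficiency levels so they can be compared.
LEVELS = {"Basic": 1, "Intermediate": 2, "Advanced": 3}

# Excerpt of the competence matrix (three rows taken from the page).
COMPETENCE_MATRIX = [
    {"role": "Information Security Officer", "competence": "Incident response coordination",
     "level": "Advanced", "mandatory": True, "refresh_months": 12},
    {"role": "System Administrator", "competence": "Patch management",
     "level": "Intermediate", "mandatory": True, "refresh_months": 12},
    {"role": "All Employees", "competence": "Phishing recognition",
     "level": "Basic", "mandatory": True, "refresh_months": 6},
]

# Constructed: which ISMS roles each person holds.
PEOPLE = {
    "alice": ["Information Security Officer", "All Employees"],
    "bob": ["System Administrator", "All Employees"],
}

# Constructed training register: the level a person demonstrated for a
# competence and the date of the most recent training or certification.
TRAINING_REGISTER = [
    {"person": "alice", "competence": "Incident response coordination",
     "level": "Advanced", "completed": date(2024, 1, 15)},
    {"person": "alice", "competence": "Phishing recognition",
     "level": "Basic", "completed": date(2024, 11, 10)},
    {"person": "bob", "competence": "Patch management",
     "level": "Basic", "completed": date(2024, 6, 1)},
]


def add_months(d, months):
    """Return d shifted by a number of calendar months, clamping the day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def requirements_for(person_roles, matrix):
    """Merge the mandatory matrix rows of all roles a person holds.

    A competence required by several roles is kept once, with the highest
    required level and the shortest refresh interval.
    """
    merged = {}
    for row in matrix:
        if row["role"] not in person_roles or not row["mandatory"]:
            continue
        name = row["competence"]
        current = merged.get(name)
        if current is None:
            merged[name] = {"level": row["level"], "refresh_months": row["refresh_months"]}
        else:
            if LEVELS[row["level"]] > LEVELS[current["level"]]:
                current["level"] = row["level"]
            current["refresh_months"] = min(current["refresh_months"], row["refresh_months"])
    return merged


def gap_analysis(matrix, people, register, today):
    """Return (person, competence, reason) tuples for every unmet requirement.

    reason is "missing" (no record at all), "below_level" (a record exists
    but at a lower level than required) or "overdue" (the refresh interval
    has elapsed since the most recent record).
    """
    latest = {}  # (person, competence) -> most recent register entry
    for entry in register:
        key = (entry["person"], entry["competence"])
        if key not in latest or entry["completed"] > latest[key]["completed"]:
            latest[key] = entry

    gaps = []
    for person, roles in sorted(people.items()):
        for competence, req in sorted(requirements_for(roles, matrix).items()):
            entry = latest.get((person, competence))
            if entry is None:
                gaps.append((person, competence, "missing"))
            elif LEVELS[entry["level"]] < LEVELS[req["level"]]:
                gaps.append((person, competence, "below_level"))
            elif add_months(entry["completed"], req["refresh_months"]) < today:
                gaps.append((person, competence, "overdue"))
    return gaps


if __name__ == "__main__":
    for person, competence, reason in gap_analysis(
            COMPETENCE_MATRIX, PEOPLE, TRAINING_REGISTER, date(2025, 3, 1)):
        print(f"{person}: {competence} -> {reason}")
```

Run against the constructed data with 1 March 2025 as the reference date, the script reports alice's incident-response refresher as overdue, bob's patch-management training as below the required level, and bob's phishing training as missing; these three lines are the input for the "schedule targeted training" step. In practice the matrix and register would be read from the ISMS tool or a spreadsheet export rather than hard-coded, and the level check is deliberately evaluated before the date check so that a stale record at the wrong level is reported once, as a level gap.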
| Role | Required Competence | Proficiency Level | Source | Mandatory | Refresh Interval (months) |
|---|---|---|---|---|---|
| Information Security Officer | ISO/IEC 27001:2022 Lead Implementer | Advanced | External certification | Yes | 36 |
| Information Security Officer | Risk assessment (ISO/IEC 27005) | Advanced | External training | Yes | 36 |
| Information Security Officer | Incident response coordination | Advanced | Internal + tabletop | Yes | 12 |
| IT Operations Lead | Linux/Windows hardening (CIS Benchmarks) | Advanced | External training | Yes | 24 |
| IT Operations Lead | Backup & restore procedures | Advanced | Internal drills | Yes | 12 |
| IT Operations Lead | Change management (ITIL v4 Foundation) | Intermediate | External certification | Yes | 36 |
| System Administrator | Patch management | Intermediate | Vendor training | Yes | 12 |
| System Administrator | Privileged access management | Intermediate | Internal training | Yes | 12 |
| Developer | Secure coding (OWASP Top 10) | Intermediate | E-learning + workshop | Yes | 12 |
| Developer | SAST/DAST tool usage | Intermediate | Internal training | Yes | 24 |
| Data Protection Officer | GDPR fundamentals | Advanced | External certification | Yes | 36 |
| Data Protection Officer | DPIA methodology | Advanced | External training | Yes | 24 |
| HR Lead | Background screening process | Intermediate | Internal process training | Yes | 24 |
| HR Lead | Confidentiality obligations for staff | Intermediate | Internal training | Yes | 24 |
| Department Head | Information classification | Basic | E-learning | Yes | 12 |
| Department Head | Incident reporting duties | Basic | E-learning | Yes | 12 |
| All Employees | Security awareness fundamentals | Basic | E-learning | Yes | 12 |
| All Employees | Phishing recognition | Basic | Phishing simulation | Yes | 6 |
| All Employees | Acceptable Use Policy | Basic | E-learning | Yes | 12 |
| All Employees | Data protection basics | Basic | E-learning | Yes | 12 |
| Remote Workers | Remote working security | Basic | E-learning | Yes | 12 |
| Finance Staff | CEO fraud / BEC awareness | Intermediate | Targeted workshop | Yes | 12 |
Sources
- ISO/IEC 27001:2022 Clause 7.2 — Competence
- ISO/IEC 27001:2022 Clause 7.3 — Awareness