Is a training matrix actually required by ISO standards?

ISO standards do not prescribe a specific format or document called a training matrix, but they do require documented evidence of competence for persons doing work that affects your management system. A training matrix is the most practical and auditor-friendly way to organise and present that evidence. Most experienced consultants and auditors will expect to see one in some form.

How often should I update my training matrix?

At a minimum, review your training matrix annually as part of your management review cycle. You should also update it whenever there are changes to roles, processes, equipment, regulations, or your management system scope. Any time a new competency requirement is identified, the matrix should reflect it promptly, not at the next annual review.

Should I include contractors and temporary staff in my training matrix?

Yes, if contractors or temporary staff perform work that affects your management system, they need to be included. This is particularly important under ISO 45001, where site-specific safety inductions and hazard awareness are required regardless of employment status. A separate section of your matrix can cover external workers without overcomplicating the main document.

What counts as evidence of competence for an ISO audit?

Evidence of competence can include training attendance records, certificates from external training providers, records of on-the-job assessments, supervisor sign-offs confirming demonstrated ability, licences, and qualifications. The key is that the evidence is retained, dated, and traceable to a specific person and competency requirement. Verbal confirmation from a manager that someone has been trained is not sufficient on its own.

Can I use a spreadsheet or do I need specialist software?

A well-structured spreadsheet is perfectly acceptable for the vast majority of businesses and will satisfy any ISO auditor. Specialist competency management software adds value when you are managing large teams across multiple sites or when you need automated expiry alerts and reporting. For most small to medium businesses, the priority is building a matrix that is accurate and maintained, not one that is technically impressive.

What should I do if my training matrix shows a lot of gaps?

Gaps in your training matrix are not automatically a problem in an audit, provided you have acknowledged them and have a documented action plan to address them. What auditors look for is evidence that you are actively managing competence, not that everything is already perfect. Prioritise gaps based on risk, assign clear ownership and deadlines, and track progress. A matrix full of honest gaps with a credible action plan is far better than one that has been artificially marked as complete.

How to Build an ISO Training Matrix for Your Team

What Is an ISO Training Matrix and Why Does It Matter?

An ISO training matrix is a simple but powerful document that maps every role in your business against the competency requirements, training activities, and qualification records your management system demands. If you are working toward ISO 9001, ISO 45001, ISO 14001, or almost any other ISO standard, you will find that competence and awareness requirements appear in every single one of them. Auditors look for this evidence on day one of a certification audit, and businesses that cannot produce it clearly tend to struggle.

On this page

The matrix itself is not a complicated concept. Think of it as a grid. Roles or individuals sit along one axis. Required competencies, training topics, or qualifications sit along the other. Each cell tells you whether the requirement has been met, is in progress, or is outstanding. That is the core of it. The challenge is building one that actually reflects how your business operates rather than one that looks good in a folder but means nothing in practice.

This guide walks you through exactly how to build a training matrix that satisfies your ISO auditor and genuinely helps your team stay competent at their jobs.

Why ISO Standards Require Competence Evidence

Before getting into the how, it helps to understand the why. ISO standards are built around the idea that a management system only works if the people running it know what they are doing. ISO 9001:2015 Clause 7.2 requires organisations to determine the necessary competence of persons doing work that affects quality performance, ensure those persons are competent, take action where they are not, and retain documented evidence of competence.

ISO 45001, ISO 14001, and ISO 27001 all contain similar requirements. The wording varies slightly between standards, but the intent is the same. You need to be able to show an auditor that you have thought carefully about what skills and knowledge each role requires, that you have trained people accordingly, and that you have kept records proving it happened.

Many businesses treat this as a box-ticking exercise. They create a training register, log a few induction records, and call it done. Auditors see through this quickly. A well-built training matrix does something different. It connects your competency requirements directly to the risks and objectives of your management system, which is exactly what the standard intends.

If you want a deeper look at how competence fits into the broader picture of keeping your system functional, the article on how to check if your ISO management system is actually working covers this well alongside other performance indicators worth tracking.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Step One: Define the Roles in Your Business

Start with your organisational structure. List every role that interacts with your management system in any meaningful way. This does not mean every single job title in the company. It means every role that has responsibilities defined within your quality, safety, environmental, or information security system.

For a small manufacturer, this might include the production manager, quality technician, warehouse supervisor, maintenance staff, and senior management. For a professional services firm pursuing ISO 27001, it might include IT staff, account managers, HR, and executive leadership. The point is to be deliberate. Vague categories like “all staff” are not useful in a matrix because they do not tell you who is responsible for what.

Once you have your roles listed, note whether you are mapping by role or by individual. Both approaches work, but they serve different purposes. Role-based matrices are easier to maintain when staff turn over frequently. Individual-based matrices give you more precise visibility into gaps. Many businesses use a hybrid approach, mapping by role first and then tracking individual completion records separately.

Step Two: Identify Competency Requirements for Each Role

This is where most businesses either get it right or get it badly wrong. Competency requirements need to come from two sources: the ISO standard itself and the actual operational demands of the role.

Drawing from the ISO Standard

Read through your standard carefully and extract every clause that mentions competence, awareness, training, or knowledge. In ISO 9001, this includes Clause 7.2 (Competence), Clause 7.3 (Awareness), and various process-specific requirements. In ISO 45001, you will also find competence requirements tied to hazard identification, emergency response, and legal obligations. Make a list of these standard-driven requirements and assign them to the relevant roles.

Drawing from Operational Reality

The standard only gets you so far. Your business has specific processes, equipment, products, or services that create their own competency demands. A forklift operator needs a licence. A food safety supervisor needs HACCP training. A calibration technician needs to understand measurement uncertainty. These operational requirements belong in your matrix just as much as the standard-driven ones do.

Talk to supervisors and team leaders when compiling this list. They know what actually goes wrong when someone is not properly trained. Their input will make your matrix far more useful than anything you could build from a standard alone.

Separating Mandatory from Desirable

Not every competency is equally critical. Some are mandatory for legal or certification reasons. Others are desirable for performance reasons. Mark these differently in your matrix. This helps you prioritise training spend and gives you a clear picture of what gaps represent a genuine risk versus a development opportunity.

Step Three: Build the Matrix Structure

Now you are ready to put the actual matrix together. You do not need specialist software for this. A well-structured spreadsheet works perfectly well for most businesses. The key is making it readable and easy to update.

Columns and Rows

Place your roles or staff names across the top row. Place your competency requirements down the left column. Group related competencies together to make the matrix easier to navigate. For example, group all induction requirements together, then standard awareness requirements, then role-specific technical requirements, then regulatory or licence requirements.

Status Indicators

Each cell in the matrix needs to show a status. Keep it simple. Common approaches include using colour coding (green for complete, amber for in progress, red for outstanding or expired), letters (C for complete, IP for in progress, N for not required), or dates showing when training was completed and when it expires. Expiry dates are particularly important for licences, certifications, and refresher training requirements.

Supporting Evidence Column

Add a column or linked reference that points to where the evidence of competence is stored. This might be a training record number, a file location, or a reference to a certificate. When an auditor asks to see evidence, you want to be able to pull it up in under two minutes. A matrix that references evidence makes that possible.

Step Four: Populate the Matrix With Honest Data

This is the step that requires discipline. Fill in the matrix based on what you can actually prove, not what you think has probably happened. If someone completed an induction three years ago but there is no record of it, that cell should show as outstanding until you can locate or recreate the evidence.

Go through your existing training records, HR files, licence registers, and any previous audit findings. Match what you find to the competency requirements in your matrix. You will almost certainly discover gaps. That is the point. A training matrix that shows everything is green from day one is either a very small business or a document that has not been filled in honestly.

Document the gaps clearly. They become your training action plan, which is exactly what your ISO system requires you to have.

Step Five: Create a Training Action Plan From the Gaps

Every gap in your matrix should generate a training action. List each gap, assign it to a responsible person, set a target completion date, and identify how the training will be delivered. This action plan sits alongside your matrix and shows auditors that you are actively managing competence rather than just recording it.

Be realistic with your timelines. If you have twenty gaps across a team of fifteen people, you are not going to close all of them in a month without disrupting operations. Prioritise based on risk. Gaps that relate to safety, legal compliance, or core quality processes should come first. Development training can follow.

This approach also connects directly to what ISO 10015 on quality management in training recommends, which is treating training as a planned, systematic process with measurable outcomes rather than an ad hoc response to problems.

Step Six: Link Your Matrix to Your Internal Audit Program

A training matrix is not a document you build once and file away. It needs to be reviewed regularly and audited as part of your internal audit program. Include competence and training as a standing item in your internal audit schedule.

During internal audits, check whether the matrix reflects current roles and responsibilities, whether training records match what the matrix shows, whether any licences or certifications are approaching expiry, and whether new processes or risks have created new competency requirements that are not yet captured.

If you want guidance on running internal audits that genuinely find and address these kinds of issues, the article on how to run ISO internal audits that actually find problems is worth reading before your next audit cycle.

Common Mistakes Businesses Make With Training Matrices

Making It Too Complex

Some businesses try to capture every possible competency in their matrix and end up with a document so large that nobody uses it. A training matrix should be comprehensive but practical. If your team cannot navigate it easily, it will not be maintained. Start with what matters most and add complexity only when you have a clear reason to.

Not Updating It When Roles Change

Staff leave. New people join. Roles evolve. A training matrix that reflects the organisational structure from eighteen months ago is worse than useless in an audit because it creates confusion and raises questions about how seriously you take competence management. Assign someone the responsibility of keeping the matrix current and make that responsibility explicit in your system.

Confusing Training Attendance With Competence

Attending a training session does not automatically mean someone is competent. ISO standards are clear on this distinction. Competence is about demonstrated ability, not just exposure to information. Where it matters, include some form of assessment or verification in your process. This might be a practical observation, a written test, or a sign-off from a supervisor confirming the person can perform the task correctly.

Ignoring Contractors and Temporary Staff

Many businesses build their training matrix around permanent employees and forget about contractors, labour hire workers, and temporary staff. If these people are doing work that affects your management system, they need to be included. This is a common finding in ISO 45001 audits in particular, where contractors may be exposed to the same hazards as permanent staff but have received no site-specific induction.

What Auditors Actually Look For

When a certification auditor reviews your training matrix, they are looking for a few specific things. First, they want to see that your competency requirements are logically connected to the roles that perform work affecting your management system. Second, they want evidence that training has actually occurred, not just a plan that says it will. Third, they want to see that you have identified gaps and are doing something about them.

Auditors also pay attention to how confidently your staff talk about their own training. If an operator cannot explain what training they received before starting a critical process, that is a red flag regardless of what the matrix says. The matrix and the reality need to match.

If you are preparing for a certification audit and want to make sure your documentation is in order, the 10 things to do before an ISO Stage 2 certification audit checklist covers training records as one of the key preparation steps.

Maintaining Your Matrix After Certification

Getting certified is one milestone. Staying certified is the ongoing work. Your training matrix needs to be a living document that evolves with your business. Set a formal review date at least annually, but also trigger a review whenever there is a significant change in your business. New equipment, new processes, new regulations, new staff in critical roles, and changes to your management system scope all create potential competency gaps that need to be assessed and addressed.

Many businesses also find it useful to connect their training matrix to their management review process. Presenting a summary of training completion rates, outstanding gaps, and upcoming expiries at your management review meeting gives leadership the visibility they need to make informed decisions about training investment.

Tools and Templates Worth Considering

A basic spreadsheet is sufficient for most small to medium businesses. Microsoft Excel or Google Sheets both work well. If you want something more structured, there are purpose-built competency management tools available, but they add cost and complexity that most businesses do not need until they are managing training across multiple sites or large teams.

Whatever tool you use, the most important thing is that it is accessible to the people who need to update it and readable by the people who need to use it. A beautifully designed matrix that lives in a folder nobody opens is not a management system. It is a document that exists to satisfy an auditor for one day a year.

Getting Expert Help When You Need It

Building a training matrix from scratch is manageable if you have a clear understanding of your ISO standard and your business processes. But if you are new to ISO certification, working across multiple standards, or trying to retrofit a matrix into an existing system that has never really addressed competence properly, it helps to have someone experienced guide you through it.

If you are at that stage, CertBetter can connect you with verified ISO consultants who have real experience building practical management system documentation, including training matrices, for businesses in your industry. You submit one form, receive up to three competing quotes, and compare your options without any obligation. The service is completely free for businesses seeking certification support.