What Is a Competence Matrix and Why Does ISO 9001 Require One?
If you have ever sat through an ISO 9001 audit and watched an auditor flip through your personnel records looking for training evidence, you already know how uncomfortable that moment can be. A competence matrix is the document that turns that uncomfortable moment into a confident one.
On this page
Put simply, a competence matrix is a table that maps each role in your organisation against the skills, qualifications, and experience required to perform that role effectively. It shows, at a glance, who has what competence, where the gaps are, and what you are doing about those gaps.
ISO 9001:2015 Clause 7.2 requires your organisation to determine the necessary competence of persons doing work that affects quality, ensure those persons are competent, take action where they are not, and keep documented evidence of all of this. A competence matrix is the most practical way to meet all four of those requirements in a single document.
This is not just a compliance box-ticking exercise. A well-built competence matrix helps you make better hiring decisions, plan training budgets, reduce errors caused by undertrained staff, and demonstrate to customers and auditors that your quality management system is built on capable people, not just good intentions.
If you want a broader understanding of how competence fits into the overall quality management framework, the beginner's guide to ISO 9001:2015 is a good starting point before diving into the detail here.
What ISO 9001 Clause 7.2 Actually Requires
Before building your template, it is worth being precise about what the standard actually asks for. Clause 7.2 of ISO 9001:2015 sets out four clear obligations.
Determine Necessary Competence
You need to identify what competence is needed for each person whose work affects the conformity of products and services. This is broader than just your quality team. It includes production workers, purchasing officers, customer service staff, project managers, and anyone else whose actions can influence whether your output meets requirements.
Ensure People Are Competent
Competence can come from education, training, or experience. The standard does not prescribe which one. A machinist who has spent fifteen years on the floor may be more competent than someone with a trade certificate and six months of experience. Your matrix needs to reflect reality, not just credentials.
Take Action Where Gaps Exist
Where someone is not yet competent, you need to do something about it. That might be internal training, external courses, mentoring, reassigning tasks, or in some cases deciding not to use that person for certain work until they are ready. The action needs to be documented and its effectiveness needs to be evaluated.
Retain Documented Evidence
This is where many businesses fall down. You need to keep records that demonstrate competence. Certificates, training records, performance reviews, and signed-off on-the-job assessments all count. Your matrix should point to where this evidence is stored, or include it directly.
For a deeper look at how competence evidence works in practice, the article on what competence means and how to prove it for ISO covers this in useful detail.
Building Your Competence Matrix: The Core Structure
A competence matrix does not need to be complicated. The most effective ones are simple enough that a line manager can update them without needing a quality manager to hold their hand. Here is the structure that works consistently across different industries and business sizes.
Column One: Roles or Individuals
You can build your matrix around job roles or around named individuals. Role-based matrices are easier to maintain because you do not need to update them every time someone leaves. Individual-based matrices are more useful for gap analysis because they show exactly who needs what. For most small to medium businesses, a hybrid approach works well: list job roles as the primary column, then add a sub-row for each person currently in that role.
Column Two: Competence Requirements
List each competence requirement across the top of your matrix. These should be specific and measurable, not vague. “Good communication skills” is not a competence requirement you can evaluate objectively. “Ability to conduct internal audits per ISO 19011” or “certified to operate forklift under AS 2359” are requirements you can actually verify.
Group your competence requirements into logical categories. Common categories include technical skills, regulatory knowledge, equipment operation, quality system knowledge, and leadership or supervisory skills.
Column Three: Required Level
Not every role needs the same depth of competence in every area. A four-level rating system works well in practice. Level one means awareness only, the person understands why something matters but does not perform the task. Level two means basic competence, the person can perform the task with supervision. Level three means independent competence, the person performs the task without supervision. Level four means expert or trainer level, the person can train others.
Column Four: Current Level
This is where you record the actual competence level of the person or role against each requirement. Be honest here. Auditors are not looking for perfection. They are looking for evidence that you understand where your gaps are and that you are managing them. A matrix that shows everyone is fully competent across everything often raises more suspicion than one that shows some gaps with a training plan attached.
Column Five: Evidence Reference
Record where the evidence of competence is kept. This might be a file reference, a training record number, a certificate number, or a link to a digital document. This column is what saves you during an audit. Instead of scrambling to find a training certificate, you can point directly to the record.
Column Six: Gap and Action
Where the current level is below the required level, record what action is being taken, who is responsible for it, and by when it will be completed. This turns your matrix from a snapshot into a living management tool.
Column Seven: Review Date
Competence requirements change as your business changes. New equipment, new regulations, new processes, and new customer requirements all affect what your people need to know and be able to do. Set a review date for each row so that the matrix stays current.
ISO 9001 Competence Matrix Template
The table below shows a simplified version of the template structure. You can replicate this in a spreadsheet, your quality management software, or even a Word table. The format matters less than the content.
Column headers for your matrix:
- Role or Name: The job title or individual being assessed
- Competence Requirement: The specific skill, qualification, or knowledge area being assessed
- Required Level (1 to 4): The minimum level needed for this role
- Current Level (1 to 4): The actual level demonstrated by this person or role
- Evidence Reference: Where the proof of competence is stored
- Gap Identified (Y or N): Whether there is a shortfall between required and current
- Action Required: What training or development is planned to close the gap
- Responsible Person: Who is accountable for completing the action
- Target Date: When the action will be completed
- Completion Status: Open, In Progress, or Closed
- Next Review Date: When this row will be reassessed
This structure works for any size of business. A five-person company might have ten rows. A manufacturing business with sixty staff might have two hundred. The principle is the same regardless of scale.
Worked Example: Competence Matrix for a Small Manufacturer
To make this concrete, here is a worked example for a fictional Australian precision engineering business called Barton Engineering Pty Ltd. They manufacture custom metal components for the mining and construction sectors and hold ISO 9001 certification.
Example Row One: Quality Manager
Role: Quality Manager. Competence Requirement: Internal audit leadership per ISO 19011. Required Level: 4. Current Level: 4. Evidence Reference: Certificate ISO 19011 Lead Auditor Course, file QM-CERT-001, completed March 2024. Gap: No. Next Review Date: March 2027.
Example Row Two: CNC Machinist
Role: CNC Machinist. Competence Requirement: Operation of Mazak Integrex i-200 turning centre. Required Level: 3. Current Level: 2. Evidence Reference: On-the-job training record OJT-MACH-007, signed off by Production Supervisor, January 2026. Gap: Yes. Action Required: Complete advanced CNC programming module with external provider, 16-hour course. Responsible Person: Production Supervisor, James Tran. Target Date: 30 September 2026. Completion Status: In Progress. Next Review Date: October 2026.
Example Row Three: Purchasing Officer
Role: Purchasing Officer. Competence Requirement: Supplier evaluation and approved supplier list management. Required Level: 3. Current Level: 3. Evidence Reference: Internal training record TR-PURCH-003, completed August 2025. Performance review confirming competence, HR file P-004. Gap: No. Next Review Date: August 2027.
Example Row Four: Welding Inspector
Role: Welding Inspector. Competence Requirement: Visual weld inspection to AS/NZS 1554. Required Level: 4. Current Level: 3. Evidence Reference: WTIA certification pending renewal, current certificate expired June 2026, file WI-CERT-002. Gap: Yes. Action Required: Renew WTIA certification. Welding Inspector not to sign off on critical welds until renewal confirmed. Responsible Person: Operations Manager, Sarah Okafor. Target Date: 31 August 2026. Completion Status: Open. Next Review Date: September 2026.
Notice what the last example does. It does not hide the gap. It records it, assigns responsibility, sets a deadline, and puts a temporary control in place. That is exactly what a good auditor wants to see. It demonstrates that the business is managing competence actively, not just filing paperwork.
Common Mistakes to Avoid When Building Your Matrix
Having reviewed hundreds of quality management systems over the years, the same mistakes appear repeatedly. Knowing them in advance saves you a lot of rework.
Listing Roles That Do Not Affect Quality
You do not need to include every person in your organisation. The receptionist who answers phones and books meeting rooms probably does not need to appear in your quality competence matrix unless they also handle customer complaints or manage calibrated equipment. Focus on roles that genuinely affect product or service conformity.
Using Vague Competence Descriptions
Descriptions like “good product knowledge” or “understands quality principles” are impossible to evaluate objectively. Make each requirement specific enough that two different managers would reach the same conclusion about whether a person meets it.
Treating It as a One-Off Document
A competence matrix that was built for your initial certification and never touched again is a liability, not an asset. It will show evidence references that no longer exist, gaps that were never closed, and requirements that no longer match your processes. Build a review cycle into your management system. Most businesses do this annually as part of their management review, with interim updates when significant changes occur.
Storing Evidence in Someone's Head
If the only person who knows where the training records are kept is the person who created them, you have a single point of failure. Evidence should be stored in a location that any authorised person can access, with the reference recorded in the matrix itself.
If you are also building a training matrix alongside your competence matrix, the guide on how to build an ISO training matrix for your team covers the training planning side of this in detail.
Integrating Your Competence Matrix With the Rest of Your QMS
A competence matrix does not exist in isolation. It connects to several other parts of your quality management system, and understanding those connections makes the whole system more coherent.
Connection to Clause 6.1 Risk and Opportunities
Competence gaps are a source of risk. If a critical role has no backup person with the required competence, that is a genuine operational risk. Your risk register and your competence matrix should reference each other. When a gap appears in the matrix, ask whether it needs to be reflected in your risk register as well.
Connection to Clause 9.1 Monitoring and Measurement
How do you know your training is actually working? Effectiveness evaluation is a requirement, not optional. Your matrix should record how you assessed whether the action taken actually resulted in the required competence level being achieved. This might be a practical assessment, a test, a supervised work period, or a formal re-evaluation.
Connection to Clause 9.3 Management Review
Competence status is a legitimate input to your management review. Bring your matrix to the table, highlight any persistent gaps, and make resourcing decisions at the right level. If a gap has been open for two review cycles, it needs a different response than a training plan that keeps getting deferred.
For guidance on how internal audits interact with your management system documentation, the article on how to run ISO internal audits that actually find problems is worth reading alongside this one.
Digital Tools vs Spreadsheets: What Actually Works
The honest answer is that for most small to medium businesses, a well-maintained spreadsheet is perfectly adequate. ISO 9001 does not specify what format your documented information must take. It just requires that it is available, controlled, and fit for purpose.
Spreadsheets work well when you have fewer than fifty people in scope, your competence requirements are relatively stable, and one person is responsible for maintaining the matrix. They start to break down when multiple people need to update the same document simultaneously, when you have complex version control requirements, or when your matrix needs to feed into other systems automatically.
Quality management software platforms can handle larger, more complex matrices and often include automated reminders for review dates and expiring certifications. If you are at the stage where spreadsheet maintenance is taking significant time, it may be worth the investment. But do not let the search for the perfect tool delay you from building the matrix in the first place. A working spreadsheet today is worth more than a perfect software solution in six months.
What Auditors Look for in a Competence Matrix
When an ISO 9001 auditor reviews your competence matrix, they are typically checking five things. First, that it covers all roles affecting quality, not just the obvious ones. Second, that the requirements are specific and measurable. Third, that evidence references are real and retrievable. Fourth, that gaps are acknowledged and managed, not hidden. Fifth, that the document has been reviewed recently enough to be credible.
An auditor will often pick two or three roles at random and ask to see the evidence referenced in the matrix. If you say a training certificate is in file QM-CERT-003 and you cannot produce it within a few minutes, that becomes a nonconformity. The matrix is only as good as the evidence behind it.
If you are preparing for an upcoming audit and want to make sure your documentation is in order, the checklist in 8 things to do before an ISO Stage 1 readiness audit is a practical reference.
The ISO 9001:2015 standard published by ISO sets out the full text of Clause 7.2 if you want to read the exact wording of the requirement alongside what is described here.
Getting Help If You Are Starting From Scratch
Building a competence matrix from scratch is straightforward once you understand the structure, but it does take time to do properly. You need to review job descriptions, interview line managers, gather existing evidence, and identify gaps honestly. For a business of twenty to thirty people, this typically takes one to two days of focused work.
If you are implementing ISO 9001 for the first time and want support not just with the competence matrix but with the full quality management system, working with an experienced consultant makes a significant difference. The challenge is finding one who genuinely understands your industry rather than just applying a generic template to your business.
That is exactly the problem CertBetter was built to solve. You submit one form describing your business, your industry, and what you need, and you receive up to three competing quotes from verified ISO consultants and accredited certification bodies. The service is completely free for businesses, and it removes the guesswork from finding a provider who actually knows what they are doing. If you are at the stage where you need expert help to build your quality management system properly, it is worth a look.
