What Is Competence and How Do You Prove It for ISO?

Why Competence Is One of the Most Misunderstood Requirements in ISO

Ask most business owners what they need to do about competence for their ISO certification, and you will get one of two answers. Either they hand over a folder of training certificates, or they look at you blankly and say their staff are qualified. Neither response is wrong, but neither is complete. Competence in ISO is not just about qualifications. It is about demonstrating that the people doing work that affects your quality, safety, environment, or information security outcomes are actually capable of doing that work well, and that you have evidence to prove it.

This is one of those requirements that trips up businesses at audit, not because they have incompetent staff, but because they have not thought carefully about what the standard actually asks for. Let us walk through what competence means in ISO terms, which standards require it, what evidence auditors look for, and how to build a practical system that holds up under scrutiny.

What Does ISO Actually Mean by Competence?

Across most ISO management system standards, including ISO 9001, ISO 14001, ISO 45001, and ISO 27001, competence is defined in very similar terms. A person is considered competent when they have the education, training, and experience necessary to perform their role effectively, and when that capability has been assessed and confirmed.

The ISO 9001:2015 standard addresses competence in Clause 7.2, which requires organisations to determine the necessary competence for people doing work that affects the performance and effectiveness of the quality management system. It then requires the organisation to ensure those people are competent based on appropriate education, training, or experience, take actions to acquire the necessary competence where gaps exist, and retain documented information as evidence of competence.

That last part is where most businesses fall short. Saying your staff are experienced is not evidence. Having a signed training record that nobody ever reviewed is barely evidence. What auditors want to see is a connected, logical system that shows you know what competence is required, you have assessed your people against that requirement, you have addressed any gaps, and you have records to prove all of this happened.

The Four Elements of Competence Under ISO

It helps to think of competence as having four connected parts:

• Education: Formal qualifications, degrees, trade certificates, or professional credentials relevant to the role.
• Training: Specific instruction provided either internally or externally that equips a person to perform a task.
• Experience: Practical, hands-on time doing the work, which builds capability over time.
• Assessment: A process that confirms the person has actually achieved the required level of capability, not just attended a course.

Most businesses are reasonable at recording the first three. The fourth, assessment, is where the gap usually sits. Attending a forklift safety course does not make someone competent on a forklift. Completing the course and being observed operating equipment safely, then being signed off by a supervisor, is competence. The difference matters enormously to an auditor.

Which Roles Need to Be Covered?

One of the most common questions I get from businesses going through certification is whether they need to document competence for every single employee. The honest answer is no, but the scope is probably wider than you think.

ISO standards focus on people whose work affects the performance and effectiveness of the management system. In a quality management context, that means anyone whose actions can influence product or service quality. In a safety context, it means anyone performing tasks with a health and safety risk. In an information security context, it means anyone handling sensitive data or systems.

In practice, for most small to medium businesses, this covers the majority of operational staff. It does not typically include purely administrative roles with no direct impact on the management system, though even that line blurs in smaller organisations where one person wears many hats.

Start With a Competence Matrix

The most practical tool for managing this is a competence matrix, sometimes called a skills matrix or training matrix. This is a simple document, usually a spreadsheet, that lists roles or individuals down one side and required competencies across the top. Each cell shows whether the person meets, partially meets, or does not yet meet the requirement, and links to the relevant evidence.

If you want a structured approach to building this, our article on how to build an ISO training matrix for your team walks through the process step by step. A well-maintained matrix is one of the most useful things you can bring to an audit. It shows the auditor at a glance that you have thought systematically about who needs what capability and where you currently stand.

What Evidence Do Auditors Actually Look For?

When an auditor sits down to review competence, they are not just checking that you have a folder of certificates. They are asking a series of questions, and your records need to answer them.

Do You Know What Competence Is Required?

This means having defined, role-specific competency requirements. Job descriptions that list generic duties are not enough. You need something that says, for example, that a quality inspector must be able to read engineering drawings to a specified level, operate calibrated measuring equipment, and interpret test results against acceptance criteria. These requirements should be documented and reviewed when roles change.

Have You Assessed Your People Against Those Requirements?

Assessment records are critical. These can take many forms depending on the nature of the work. For technical roles, you might have a practical observation checklist signed by a supervisor. For roles requiring regulatory licences, a copy of the current licence serves as both the requirement and the evidence. For roles where knowledge is the key competency, you might use a written test or a structured interview with documented outcomes.

What auditors do not want to see is a training attendance sheet presented as proof of competence. Attendance proves presence. It does not prove capability.

Have You Addressed Any Gaps?

Where an assessment reveals a gap, you need a documented action. This might be a training plan, a mentoring arrangement, a period of supervised work, or in some cases a decision to reassign the role to someone who already meets the requirement. The action should be time-bound and followed up. If you identified a gap six months ago and there is no evidence that anything was done about it, that is a nonconformity waiting to happen.

Are Your Records Current?

Competence is not a one-time event. People change roles, technology changes, processes change, and regulations change. Your competence records need to reflect the current state of your workforce. An auditor will often look at the dates on your records. If all your training records are from three years ago and nothing has been updated since, they will question whether your system is actually being maintained.

This connects directly to the broader challenge of checking whether your ISO management system is actually working, which goes beyond just having documents in place.

Common Mistakes Businesses Make With Competence Records

Having reviewed competence systems across dozens of businesses, these are the patterns that come up repeatedly.

Treating Training and Competence as the Same Thing

Training is an input to competence. It is not competence itself. A person can complete training and still not be competent, particularly for complex or high-risk tasks. Your system needs to include a step after training where capability is actually assessed. This is not bureaucratic box-ticking. It is how you confirm that the training worked.

Only Documenting External Training

Many businesses diligently record external courses but completely ignore on-the-job training and informal skill development. If a new employee spends two weeks working alongside an experienced colleague learning how to operate a piece of equipment, that is training and it should be documented. A simple record noting what was covered, who provided the instruction, the dates, and the outcome of any assessment is sufficient.

Not Defining Competency Requirements Before Hiring

Competence management should start before a person joins the business, not after. If you hire someone and then figure out what they need to know, you are already behind. Role-specific competency requirements should be defined in advance, used as part of the selection process, and then used again to assess the person once they are in the role.

Letting Records Go Stale

A competence record that was accurate two years ago may not reflect the current situation. People get promoted, take on new responsibilities, or move to different areas of the business. Your system needs a trigger to review and update competence records when roles change. An annual review as part of your management review process is a good minimum, but for fast-changing businesses, more frequent reviews make sense.

Competence for Contractors and External Providers

This is an area that catches many businesses off guard. If you use contractors, subcontractors, or labour hire workers to perform work that affects your management system, you are still responsible for ensuring their competence. You cannot simply assume that because someone is a contractor, their competence is someone else's problem.

In practice, this means having a process for verifying contractor competence before they start work. This might involve checking licences and qualifications, reviewing their organisation's training records, conducting a site induction that includes competency-relevant content, or requiring them to demonstrate capability before performing certain tasks unsupervised.

The level of rigour required scales with the risk. A contractor painting an office requires a different level of competence verification than a contractor working on high-voltage electrical systems or handling hazardous chemicals. Your approach should reflect that.

Competence in Specific ISO Standards

ISO 9001 Quality Management

In ISO 9001, competence requirements sit in Clause 7.2 and are closely linked to Clause 7.3 on awareness. Your people need to be competent, but they also need to understand how their work contributes to quality outcomes and what happens when it goes wrong. Auditors often ask frontline staff direct questions about quality objectives and their own role in achieving them. If staff cannot answer those questions, it suggests awareness training has not been effective, which feeds back into competence.

ISO 45001 Health and Safety

For ISO 45001, competence takes on additional weight because the consequences of getting it wrong can be serious injury or death. The standard requires that workers performing tasks with significant health and safety risks are competent to do so. This includes not just technical competence but also hazard identification, emergency response, and the correct use of personal protective equipment. Competence records for safety-critical roles should be particularly robust and kept current.

ISO 27001 Information Security

In an information security context, competence requirements extend to anyone who handles sensitive data, manages systems, or has privileged access. This includes awareness of phishing and social engineering threats, correct data handling procedures, and incident reporting obligations. For technical roles, competence requirements might include specific certifications or demonstrated knowledge of security protocols. Given the pace of change in cybersecurity threats, competence records in this area need regular review.

ISO 14001 Environmental Management

For ISO 14001, competence requirements focus on people whose work has the potential to cause significant environmental impact. This includes those operating equipment that could cause spills or emissions, managing waste, or making decisions about environmental controls. Competence records should link clearly to the environmental aspects and impacts identified in your system, so there is a logical connection between the risk and the capability required to manage it.

How ISO 10015 Can Help You Structure Your Approach

If you want a more structured framework for managing training and competence, it is worth looking at ISO 10015, which provides guidelines for quality management in training. While it is not a certifiable standard, it offers a practical process model for identifying training needs, planning and delivering training, evaluating training outcomes, and improving the training process over time. Many organisations use it as a reference when building their competence management systems, even without seeking certification against it.

Practical Steps to Get Your Competence System Audit-Ready

1. Define role-specific competency requirements for all positions whose work affects your management system. Be specific about what education, training, experience, and assessed capability is required.
2. Build a competence matrix that maps people to requirements and shows current status against each one.
3. Conduct and document assessments for each person in scope. Do not rely solely on training attendance records.
4. Create a gap register that captures identified shortfalls and the actions being taken to address them, with target dates and responsible persons.
5. Establish a review trigger so that competence records are updated when roles change, when processes change, or at a minimum annually.
6. Extend your system to contractors by defining how you verify external worker competence before they perform work on your behalf.
7. Link your competence records to your document control system so they are version-controlled and accessible to auditors.

If you are preparing for your first certification audit, reviewing your competence records and documentation is one of the most valuable things you can do in the weeks before the audit. Auditors will almost certainly review this area, and a well-organised, current competence system sends a strong signal that your management system is genuinely operational rather than just a set of documents.

Getting the Right Help

Building a competence management system that satisfies ISO requirements is not complicated, but it does require someone who understands both the standard and your business. If you are not sure where to start, or if a recent audit has flagged competence as an area of concern, working with an experienced ISO consultant can save you significant time and help you avoid the common pitfalls.

At CertBetter, we connect businesses with verified ISO consultants and accredited certification bodies across Australia and globally. You submit one form, receive up to three competing quotes, and can compare providers before making any commitment. The service is completely free for businesses. If you are working through your competence requirements and want expert guidance, it is worth getting a few perspectives before deciding how to proceed.