SkillsInventory.comSkills Tracking Platform
ISO 9001 Competency Requirements: What Clause 7.2 Means for Your Records
Certification & Compliance

ISO 9001 Competency Requirements: What Clause 7.2 Means for Your Records

Rovaryn Digital· June 1, 2026· 9 min read

The Audit Binder That Wasn't Ready

Picture this: your ISO 9001 external audit is three weeks out. The lead auditor's pre-audit questionnaire lands in your inbox, and one question stops you cold: "Please provide documented evidence of competence for personnel whose work affects product or service quality."

You know the training happened. The new machine operators went through the process walkthrough in March, and the quality technician completed her calibration refresher in the fall. But where is the documented evidence? There's a folder on the shared drive, a sign-in sheet someone printed, and a spreadsheet — last updated seven months ago — that may or may not reflect the current team.

Three weeks suddenly feels short.

This scenario plays out regularly in quality-managed organizations of every size. The underlying problem is rarely a lack of training. It's a lack of a system that captures, organizes, and surfaces competence evidence on demand — before the auditor asks.

ISO 9001's Clause 7.2 is specific about what you need. This article explains exactly what the clause requires, what "documented information as evidence of competence" actually means in practice, and how a structured skills matrix becomes the living record that satisfies an auditor's questions — and your own operational ones — every day, not just in the three weeks before a surveillance visit.


What ISO 9001 Clause 7.2 Actually Requires

ISO 9001:2015 Clause 7.2 (Competence) establishes three connected obligations for any organization operating a quality management system. The clause requires organizations to:

  1. Determine the necessary competence for persons doing work that affects the quality of products or services.
  2. Ensure that those persons are competent — through appropriate education, training, or experience.
  3. Retain documented information as evidence of competence.

That third obligation is the one that generates the most audit findings. "Retained documented information" is ISO's language for records you can produce and show. It is not enough to have conducted training; the standard requires evidence that the training happened, that the person achieved the required level of competence, and that the record is maintained over time. (Auditor Training Online, 2023)

The clause also contains a fourth element that is often overlooked: where applicable, organizations must take action to acquire the necessary competence and evaluate the effectiveness of that action. In plain language — if a gap exists, you close it, and you document that you closed it.

One more thing worth noting: the competence and documented-evidence requirements in Clause 7.2 are not unique to ISO 9001. The same clause structure applies to ISO 45001 and other standards built on ISO's common high-level structure. (DeGrandson Global, 2026) If your organization is working toward multiple certifications, the same records system can serve both. See our companion article on ISO 45001 competency records for how the requirements align.

Always confirm the exact requirements of your applicable standard, and your organization's specific obligations under it, with your certifying body or a qualified auditor — clause interpretation can vary by industry and audit context.


The Three Documentation Gaps Auditors Find Most Often

Understanding the clause is one thing. Understanding where organizations fall short is more useful preparation. In practice, three gaps appear repeatedly in ISO 9001 Clause 7.2 audit findings.

Gap 1: Competence defined at hiring, never revisited

Many organizations document required competence in the job description — and only in the job description. The role profile from three years ago lists the skills needed when the position was filled; it does not reflect process changes, new equipment, regulatory updates, or the skills the person has since developed. When an auditor asks "how do you know this person remains competent for their current work," a dated job description is a weak answer.

Gap 2: Training records without proficiency evidence

Sign-in sheets and course completion certificates prove attendance, not competence. Clause 7.2 requires evidence that persons are competent, not only that they sat through a session. A training log that shows "completed forklift refresher — 4 hours" satisfies attendance; a skills record that shows "forklift operation — rated 3/5, assessed by supervisor — March 2024" satisfies competence.

Gap 3: Records scattered across systems (or people)

When competence records live in HR's folder, the quality manager's spreadsheet, the safety binder, and a few supervisors' email archives, producing a coherent picture in an audit is slow and stressful — and gaps are easy to miss. The auditor's request for "documented evidence" implies a single, retrievable source of truth.

For a structured approach to finding these gaps before an auditor does, our skills audit step-by-step guide walks through the full process.


What "Documented Information as Evidence of Competence" Looks Like

ISO 9001 uses the term "documented information" intentionally — it is deliberately neutral about format. The standard does not mandate a specific form: not a spreadsheet, not a software platform, not a paper binder. What it requires is that the information is controlled (accessible when needed, protected from unauthorized change), current (reflects the actual state of competence, not a snapshot from two years ago), and retrievable (an auditor can see it quickly, for any relevant person).

In practice, the most functional format for meeting these criteria across a team of any meaningful size is a skills matrix: a structured record that maps each person's current proficiency against each required skill or competency for their role.

A well-constructed skills matrix for ISO 9001 purposes typically includes:

  • Roles and required competencies — what each position requires, defined specifically enough that "competent" and "not yet competent" mean the same thing to everyone who reads the record.
  • Individual proficiency ratings — a consistent scale (commonly 1–5) that distinguishes between "no exposure," "developing," "working independently," "experienced," and "can train others."
  • Evidence references — what backs each rating: a completed course, a supervisor assessment, a certification, demonstrated work output.
  • Date and reviewer — when the rating was assessed and by whom, so the record ages transparently.
  • Gap indicators — where current proficiency falls below the required level for a role, making training needs visible at a glance.

This structure answers an auditor's question — "show me that this person is competent for their role" — with a specific, dated, attributable record rather than a general assurance.

For organizations in production environments, a skills matrix also serves daily operational needs beyond compliance: scheduling around verified competence, planning cross-training to reduce single-point dependencies, and identifying where training investment will close real gaps rather than repeat coverage people already have. Our guide to building a cross-training matrix covers the operational side of this.


Why a Spreadsheet Eventually Breaks Down

A spreadsheet can be a valid starting point. Many organizations build their first ISO 9001 competence records in Excel or Google Sheets, and for small, stable teams, it works — for a while.

The structural limitations appear as the team grows or turns over. Spreadsheets have no access controls that protect the record from accidental edits; they have no automatic change history that shows when a rating changed and who changed it; they do not alert anyone when a certification is approaching expiry; and when multiple people need to view or update records for different departments, version conflicts and shadow copies multiply quickly. Past roughly 50 employees, maintaining a single coherent source of truth in a spreadsheet becomes a significant ongoing effort rather than a routine update.

The ISO 9001 internal audit cycle — typically annual, with surveillance audits in between — means the competence records need to be accurate at the time of the audit, not just at the moment they were last manually refreshed. A system that ages quietly in a shared drive can be accurate today and wrong by audit day through no deliberate neglect.

A dedicated skills matrix tool addresses these limitations directly: it maintains a single record, logs changes with timestamps, surfaces expiring certifications before they lapse, and produces a filtered view by role, department, or skill on demand. Our certification tracking guide explains how automated expiry alerts work in practice — including the kind of 90/30/7-day advance notice that replaces the "discovered it at the audit" scenario.

For manufacturers specifically, the skills matrix has a second life beyond the QMS: cross-training planning, line coverage, and compliance with ISO 45001 competence requirements for safety-critical tasks. Our article on skills matrices for manufacturing covers that use case in detail.


Seeding Your Skills Matrix from an O*NET Foundation

One of the practical blockers to building a comprehensive competence record is simply knowing which skills to include. Job descriptions are a useful starting point but often incomplete, inconsistently worded across roles, or written for hiring rather than competency management.

Skills Inventory Manager addresses this through a pre-loaded starter taxonomy of 270+ skills built on ONET data — the Occupational Information Network maintained by the US Department of Labor's Employment and Training Administration. ONET organizes skills across Basic Skills, Cross-Functional Skills, and Knowledge domains, mapped to hundreds of occupations.

When you set up a role profile in the product, the O*NET taxonomy gives you a starting point for which skills are relevant to that occupation — so you are not building from a blank page. You then adjust: add company-specific or process-specific competencies, set the required proficiency level for each skill in that role, and define what evidence backs each rating.

ONET data used under CC BY 4.0. Source: O*NET OnLine, US Department of Labor / Employment and Training Administration. ONET provides the skills taxonomy; proficiency ratings, role requirements, and gap thresholds are defined by your organization inside the product.

The result is a skills matrix that reflects your actual operations — not a generic template — and that serves as the documented information ISO 9001 Clause 7.2 requires, complete with the structure, consistency, and retrievability an audit demands.


Getting Audit-Ready Before the Auditor Arrives

Building and maintaining competency records is not only an audit-readiness task. The most useful outcome of a well-maintained skills matrix is operational: knowing, at any point, who is qualified to do what, where gaps exist, and what training will close them most efficiently.

But when the audit questionnaire does arrive, the organizations that answer it quickly and confidently are the ones that have treated their competence records as a live system rather than a pre-audit project.

The practical path forward:

  1. Define required competencies by role — specific enough to be assessable, aligned to the work that actually affects product or service quality.
  2. Rate current proficiency against those requirements — using a consistent scale, with evidence linked to each rating.
  3. Identify gaps — where current proficiency falls below required, document the action plan and track closure.
  4. Maintain the record — update ratings after training, after role changes, and on a regular review cycle; track certification expiry dates alongside skill ratings.
  5. Ensure retrievability — organize the record so any role, department, or individual can be queried quickly.

If you are starting from scratch or pressure-testing your current records against these criteria, our 52-point Workforce Skills Audit Checklist gives you a structured walkthrough — covering role definitions, evidence standards, gap documentation, and the record-management practices that hold up under audit scrutiny.

It is a practical starting point whether you are preparing for initial ISO 9001 certification, a surveillance visit, or simply want to know where your current competence documentation stands before anyone else asks.

Ready to go beyond the guide?