Competence

ISO 9001 Clause 7.2 requires you to define the competence needed for anyone doing work under your control that affects QMS performance, close gaps through training or other actions, and keep evidence that people are competent. Operationalize it by mapping competence requirements to roles and processes, verifying competence before work is performed, and maintaining controlled records. ¹

Key takeaways:

• Define competence criteria per role that impacts QMS performance, not generic “training completed.” ¹
• Prove competence through evidence (education, training, experience, evaluation) and retain records. ¹
• Treat contractors and third parties as “under your control” when they affect quality outcomes, and manage them the same way. ¹

“Competence” is one of the fastest ways auditors test whether your QMS is real or just documentation. Clause 7.2 is not asking for a training calendar. It is asking for a defensible method to (1) determine what competent performance looks like for work that affects QMS performance and effectiveness, (2) ensure the people doing that work can perform it, and (3) retain evidence you did those things. ¹

For a CCO, GRC lead, or compliance owner supporting an ISO 9001 program, the practical challenge is scope control: deciding which roles “affect QMS performance,” defining competence at the right level of specificity, and creating records that stand up in an audit without becoming a bureaucracy. Competence also reaches beyond employees. If temporary labor, contractors, or third parties perform work under your control (on-site, in your systems, or to your specifications), you must manage their competence too. ¹

This page gives requirement-level implementation guidance you can put into practice quickly: a role-to-competence mapping approach, a minimal but audit-ready evidence set, common auditor traps, and an execution plan you can run as a controlled project.

Regulatory text

ISO 9001:2015 Clause 7.2 (Competence) states: “The organization shall determine the necessary competence of persons doing work under its control that affects QMS performance and effectiveness.” ¹

Operator interpretation (what this means you must do):

1. Decide which work affects QMS performance and effectiveness (process outputs, product/service conformity, customer requirements, corrective action quality, inspection validity). ¹
2. Define the competence needed for the people performing that work under your control. ¹
3. Ensure people are competent based on education, training, or experience, and take actions to acquire competence where gaps exist. ¹
4. Retain evidence of competence as controlled documented information. ¹

Plain-English requirement (what auditors expect to see)

Auditors typically test competence by picking a high-impact process (production, service delivery, calibration, complaint handling, CAPA, internal audit, design review) and tracing:

• Who performed the work?
• What competence did you require for that role/task?
• How did you confirm the person met it before they did the work?
• Where is the evidence? ¹

A clean implementation ties together role requirements, qualification/authorization, performance evaluation, and record retention. A weak implementation relies on “everyone did annual training” without showing job-specific capability.

Who it applies to

Entity scope: Any organization operating an ISO 9001:2015 QMS. ¹

People scope (“under your control”):

• Employees in QMS-impacting roles. ¹
• Temporary workers and contractors supervised by you or working to your controlled procedures. ¹
• Third parties performing outsourced processes where you define requirements, provide instructions, or accept/reject outputs under your QMS controls. ¹

Operational contexts that trigger deeper scrutiny:

• Roles that approve, release, inspect, test, calibrate, disposition nonconforming outputs, perform root cause, or sign off on changes. ¹
• High turnover environments where “tribal knowledge” substitutes for qualification records.
• Multi-site operations where competence expectations vary by location.

What you actually need to do (step-by-step)

Step 1: Define “QMS-impacting work” and the role universe

Create a list of roles that can change quality outcomes. Start with your process map and owners, then add “quality gate” roles (inspection, release, CAPA, complaint handling). Keep the list short and defensible.

Practical test: If an error in this role could lead to nonconforming output, missed requirements, or ineffective corrective action, treat it as competence-controlled work. ¹

Step 2: Build a competence matrix with measurable criteria

For each role, define:

• Required competence elements: education/certifications (if applicable), required training, required experience, system access prerequisites, and task authorizations. ¹
• Evaluation method: observation, work sample review, test/quiz, supervised runs, KPI/quality metrics review, peer review, or supervisor sign-off.
• Re-evaluation triggers: process change, nonconformance tied to skill, extended absence, new equipment, procedure revision.

Example (lightweight, audit-friendly):

Role	QMS-impacting tasks	Competence requirement	How verified	Evidence retained
Final Inspector	Final acceptance decision	Trained on inspection WI; demonstrated measurement technique; understands acceptance criteria	Observed inspection + first-article review sign-off	Training record + qualification sign-off + observation checklist
CAPA Owner	Root cause + action effectiveness	Training in CAPA method used; can write problem statement; can verify effectiveness	Review of first CAPA package; supervisor approval	CAPA training + CAPA competency checklist + approved CAPA record

This is the heart of Clause 7.2: defined requirements, a verification method, and retained evidence. ¹

Step 3: Qualify people before independent work

Implement a “no independent work until qualified” rule for competence-controlled tasks. That can be as simple as:

• New hire completes required training, then performs tasks under supervision.
• Supervisor/qualified trainer signs a qualification record after a defined evaluation.
• Access to systems/tools is tied to qualification status.

If you use Daydream to manage third-party due diligence or internal control workflows, treat competence the same way: gated tasks, owner assignment, and attached evidence so qualification is auditable without inbox archaeology.

Step 4: Close competence gaps with documented actions

When someone does not meet requirements, define and track actions such as:

• Targeted training (not generic “refresher”). ¹
• Coaching, supervision period, re-assignment, or hiring.
• Process changes that reduce reliance on individual skill (work instructions, checklists, mistake-proofing).

Record the action, owner, due date, and completion evidence. Auditors look for proof you responded to gaps, not just that you discovered them. ¹

Step 5: Control and retain evidence of competence

Decide where records live (HRIS, LMS, QMS platform, shared drive under document control). Ensure:

• Records are attributable to a person and role.
• Versioning is clear when procedures change.
• Retrieval is fast during audits. ¹

Step 6: Extend the model to contractors and third parties under your control

For outsourced or contractor-performed work:

• Define competence requirements in contracts/SOWs when the work affects QMS performance. ¹
• Require evidence (certifications, training completions, qualification sign-offs, experience records) proportionate to the risk of the activity.
• Confirm authorization at the point of work (badge access, system permissions, supervisor oversight).

Required evidence and artifacts to retain

Minimum set most teams need to pass audits:

• Role-to-competence matrix (controlled document). ¹
• Training records linked to roles/procedures (attendance, completion, content/version). ¹
• Qualification/authorization records for competence-controlled tasks (sign-off by qualified evaluator).
• Competence evaluation forms (observation checklists, work sample review, exam results where applicable).
• Gap actions and outcomes (training/coaching plans, reassignment decisions, follow-up evaluation). ¹
• Third-party/contractor competence evidence when they perform QMS-impacting work under your control. ¹

Common exam/audit questions and hangups

Auditors often ask:

• “Show me how you determined competence for this role.” ¹
• “How do you know this person was competent on the day they performed this work?”
• “What do you do when someone fails a competence evaluation?” ¹
• “How do you control competence for contractors/temporary workers?” ¹
• “How do you handle competence after procedure changes?”

Hangups that cause findings:

• Requirements are defined, but verification is informal (“manager knows they’re good”).
• Evidence exists but is not retrievable within reasonable time.
• Training is tracked, but competence for high-risk tasks is not evaluated.

Frequent implementation mistakes and how to avoid them

1. Equating training completion with competence. Fix: require an evaluation method for competence-controlled tasks (observation or work sample). ¹
2. Over-scoping the matrix. Fix: start with QMS-impacting roles only; expand if audit feedback requires.
3. No triggers for re-evaluation. Fix: connect re-qualification to process/equipment/procedure changes and nonconformance trends.
4. Ignoring outsourced work under your control. Fix: include contractor roles in the matrix and require evidence before access/work. ¹
5. Records scattered across tools with no owner. Fix: assign a single record system of record and define retrieval responsibilities.

Enforcement context and risk implications

No public enforcement cases were provided for this requirement. Practically, Clause 7.2 failures show up as audit nonconformities because competence gaps directly correlate with nonconforming outputs, ineffective CAPA, and weak process control. The business risk is operational: rework, scrap, customer complaints, missed requirements, and inability to demonstrate control over outsourced processes. ¹

A practical 30/60/90-day execution plan

First 30 days (stabilize and make it auditable)

• Identify QMS-impacting roles and tasks; confirm owners.
• Draft role-to-competence matrix for those roles. ¹
• Choose evidence system of record; define naming conventions and retrieval steps.
• Pilot qualification sign-offs for one high-impact area (inspection, production cell, service team).

Days 31–60 (verify and close gaps)

• Run competence evaluations for incumbents in the pilot scope; document gaps and actions. ¹
• Extend the matrix to remaining QMS-impacting roles.
• Add contractor/third-party roles under your control; embed requirements into SOW onboarding. ¹
• Add authorization gates (system access, task sign-off rules).

Days 61–90 (operationalize and sustain)

• Connect competence triggers to change control and corrective action workflows.
• Create an internal audit checklist specifically for Clause 7.2 evidence retrieval.
• Train managers on how to perform and document competence evaluations consistently. ¹
• If you manage this in Daydream or a QMS tool, standardize templates for evaluation forms and attach evidence at the role/person level so audits become a query, not a scramble.

Frequently Asked Questions

Do we need a competence matrix for every job title in the company?

No. Clause 7.2 focuses on persons doing work under your control that affects QMS performance and effectiveness. Start with roles that can change quality outcomes, then expand if needed. ¹

Is training completion enough to prove competence?

Training can be part of competence evidence, but you should also verify ability to perform the task for competence-controlled activities. Use observation, work sample review, or supervised sign-off tied to the role. ¹

How do we handle competence for contractors and temporary workers?

Treat them as “under your control” when they perform QMS-impacting work to your procedures or specifications. Define requirements up front and keep evidence of qualification before independent work. ¹

What evidence do auditors usually ask for first?

They typically pick a person and a task, then ask for the defined competence requirement and objective evidence the person met it. Make records searchable by person, role, and procedure version. ¹

What should trigger re-qualification?

Trigger it on meaningful changes: revised procedures, new equipment or software, a nonconformance linked to skill, or role changes. Document the trigger and the evaluation outcome. ¹

We have experienced employees with no formal records. What’s the cleanest fix?

Use experience as part of competence, then document it through a structured evaluation (observation/work sample) and a supervisor qualification sign-off. That converts “tribal knowledge” into auditable evidence. ¹

Footnotes

1. ISO 9001:2015 Quality management systems — Requirements