Competence Explained for ISO 42001
ISO 42001 Clause 7.2
AI competence covers a wider range of skills than other management system standards - data, ethics, oversight and the AI technology itself.
ISO 42001 Clause 7.2 - Competence Explained
Clause 7.2 follows the standard Annex SL competence requirements and adds the AI-specific competence considerations set out in the implementation guidance under Annex B.4.6. The control under Annex A.4.6 requires the organisation to document information about the human resources and their competences across the AI system life cycle.
What ISO 42001 Clause 7.2 requires
The organisation must determine the necessary competence of people doing work under its control that affects AI performance. It must make sure those people are competent on the basis of appropriate education, training or experience. Where applicable, it must take action to acquire the necessary competence and evaluate the effectiveness of those actions. Documented information must be available as evidence of competence.
Determining the necessary competence
Competence requirements for AI cover a wider range of skills than for many other management system standards. The implementation guidance recognises that necessary human resources can include data scientists, roles related to human oversight of AI systems, experts on trustworthiness topics such as safety, security and privacy, and AI researchers and specialists alongside domain experts relevant to the AI systems in use.
For an AI deployer, the typical competence areas include AI awareness across the wider workforce, AI risk and impact assessment skills for the management system team, technical competence for the people who configure and operate AI tools, oversight competence for the people who review AI outputs, and legal and regulatory awareness for the people responsible for compliance. For an AI developer, the picture extends to model development, evaluation, validation and the broader engineering disciplines associated with AI system life cycle management.
How competence is achieved
Competence is achieved through education, training, experience or a combination. The implementation guidance recognises that appropriate actions can include providing training to currently employed people, mentoring, reassigning people to align competence with role, hiring or contracting additional competent people, or sourcing external expertise where the necessary skills cannot be developed in-house. The choice depends on the role, the timeframe and the criticality of the activity.
For most organisations, an AI awareness programme covering the basics of AI, the management system, the AI policy and the responsibilities of staff is appropriate for the wider workforce. More specialised training is needed for the people directly involved in AI risk assessment, impact assessment, supplier management, oversight and incident response.
Evidence of competence
Documented information must be retained as evidence of competence. This typically takes the form of training records, qualification records, competence assessments and where relevant, role-specific competence frameworks that map the required skills against the people in each role. The standard does not require a particular format. It does require the evidence to be retrievable and current.
When auditing Clause 7.2, I look for the link between the management system and the people. I want to see the roles defined under Clause 5.3, the competence required for each, the records that demonstrate the people in each role have the necessary competence, and the actions taken where competence has been developed.
Generic awareness training records without role-specific competence evidence are usually not enough on their own. The auditor will want to see that the people responsible for the AI risk assessment, the impact assessment and the management system have the specific competence to perform those activities.
The competence question for AI is often less about whether the IT team can build models and more about whether the wider business has the awareness to use AI responsibly. People making decisions supported by AI, people communicating with customers about AI, people approving AI procurement - they all need a level of competence that is rarely already in place.
An AI awareness programme tailored to the organisation's actual AI use is the most efficient way to address this. The programme covers what AI is being used for, the policy, the principles, the roles, and the practical things staff need to know - how to spot an AI-related concern, who to raise it with, what to do if an AI output looks wrong. This is what closes the gap between management system documents and operational reality.
We did three levels of training. A short briefing for everyone, a longer session for line managers and the office team who use the generative tool, and a deeper module for the IMS lead and the QA team who own the inspection AI risk assessment. Three different audiences, three different competence needs, all recorded against the relevant role.
Practical Compliance Guidance
IMS1 Section 3.1 Staff Training, Awareness and Competence sets out the training programme planned to maintain competence for employees, including the AI-specific competence required under Clause 7.2. New employees complete induction training that covers the management system and the AI policy, with role-specific competence developed through ongoing training and recorded against each individual.
The following alphaZ documents support compliance with ISO 42001 Clause 7.2.
| alphaZ document | How to use it |
|---|---|
| ISO 42001 AI Management System Toolkit | The full toolkit containing the AI management system documentation including the training and competence templates. |
| GEN1-1 Staff Handbook | The consolidated staff handbook setting out the awareness expectations for all staff, which can be extended to include AI awareness content. |
Note - all the above files can be downloaded with an alphaZ subscription.
