ISO 9001 Skills Management: Quality System Compliance

ISO 9001 clause 7.2 demands defined role competence, objective assessment, targeted actions, effectiveness checks, and retained evidence. Operationalize this with risk-weighted skills matrices, centralized certificate tracking with expiry alerts, supervisor-witnessed demonstrations, and recertification cycles tied to process risk.

ISO 9001 treats skills management as a core control: define the competence needed, ensure people are competent, take action to close gaps, and keep objective records. Done well, it prevents process errors, strengthens audits, and sustains consistent quality outcomes.

Effective skills management translates ISO 9001’s competence requirements into daily practice.

You identify the skills each role needs, assess the current workforce against those requirements, and implement targeted actions like training, coaching, reassignment, or hiring to close skill gaps.

The result is a workforce that can perform processes correctly, repeatedly, and safely, with evidence to prove it during audits and customer reviews.

  • Why it matters: Competence is a leading indicator of quality performance, not a paperwork exercise
  • What changes on the ground: Role clarity, zero-guesswork staffing, faster onboarding, and fewer nonconformities
  • What auditors expect: Clear role requirements, objective assessments, effectiveness checks, and retained records

Quick view: Skills management in the ISO 9001 loop

| Step | Purpose | Evidence examples |
|---|---|---|
| Define | Map required competencies per role/process | Role profiles, skills matrix, job descriptions |
| Assess | Verify current proficiency and risks | Assessment records, observations, test results |
| Act | Close gaps and prevent recurrence | Training plans, mentoring logs, recertification |
| Verify | Prove effectiveness, not just completion | Post-training evaluations, error trends, KPIs |
| Retain | Demonstrate control during audits | Certificates, expiry alerts, audit trails |

[Figure: process diagram showing Define → Assess → Act → Verify → Retain circling back into the QMS cycle]

What ISO 9001 requires on competence (clause 7.2)

ISO 9001:2015 clause 7.2 requires you to define competence needs, ensure people are competent, take actions to close gaps, evaluate effectiveness, and retain evidence as documented information.

The control covers employees and relevant external providers performing work affecting quality.

Competence isn’t assumed; it’s specified, demonstrated, and recorded. Start by defining the knowledge, skills, qualifications, and experience required for each role or process that affects product conformity and customer satisfaction.

Assess current personnel against those requirements and address gaps using training, coaching, reassignment, supervision, or hiring. Critically, evaluate whether the actions taken were effective, because completion of a course alone isn’t enough.

Keep documented information that proves both the basis for competence and the results of your evaluations. Apply the same discipline to contractors and temporary staff performing work under your organization’s control.

This closes a common audit weakness: relying on outdated knowledge without objective evidence.

  • Scope: People whose work affects quality, including contractors and agency staff
  • Must do: Define required competence, provide actions to achieve it, evaluate effectiveness, retain evidence
  • Typical evidence: Skills matrices, training records, certificates, observation checklists, test results, authorizations

Clause 7.2 translated into operations

| Requirement | Practical action | Evidence to retain |
|---|---|---|
| Determine required competence | Create role-based competency profiles and risk-rated skills matrices | Role profiles, process maps, matrix per team |
| Ensure people are competent | Assess proficiency and assign training or supervision | Assessment forms, on-the-job evaluations |
| Take action to acquire competence | Training plans, mentoring, recruitment, re-certification | Training logs, mentoring notes, hiring records |
| Evaluate effectiveness | Post-training checks, error trend reviews, practical demonstrations | Evaluation reports, KPI trends, sign-offs |
| Retain documented information | Central repository with version control and expiry alerts | Certificates, audit trails, authorization lists |

[Figure: swimlane diagram showing HR, Operations, and Quality sharing the define → assess → act → evaluate → retain workflow, with a separate lane for external providers]

How to assess and define required skills

Start by translating processes into role-specific competence requirements, then measure current proficiency objectively. Use a risk-based skills matrix to expose gaps, prioritize actions, and connect each gap to training, supervision, or hiring, so competence becomes measurable, auditable, and improvable.

Begin with your QMS process map and critical-to-quality steps. For each role, specify the knowledge, skills, qualifications, and experience essential to meeting requirements. Define clear proficiency levels (e.g., Aware → Performs with supervision → Performs independently → Trains others) and the evidence that proves them.

Next, conduct assessments using observation, work samples, and practical tests—not self-declaration alone. Consolidate results in a skills matrix that shows who can perform which tasks across shifts, sites, and teams. Weight each skill by risk and regulatory impact to focus on the highest-consequence gaps first.

Finally, link gaps to actions: targeted courses, on-the-job coaching, temporary authorizations with supervision, or recruitment if internal capability is insufficient.

  • Good inputs: Process FMEAs, customer/regulatory requirements, control plans
  • Strong evidence: Observed demonstrations, signed authorizations, pass/fail tests
  • Prioritization rule: High risk + high frequency = fix first

Example: role-to-skill mapping

| Role | Critical skills | Proficiency target | Evidence |
|---|---|---|---|
| Line operator | Setup, inspection, changeover | Performs independently | Observation checklists, sign-offs |
| Quality tech | Gauge calibration, SPC analysis | Performs independently | Test results, calibration records |
| Shift lead | Deviation handling, training | Trains others | Training logs, CAPA approvals |

How to acquire, maintain, and improve competence

Use targeted actions matched to each gap: train for skills, coach for behaviors, authorize with supervision for short-term coverage, or recruit when capability is missing. Recertify on a defined cycle, and verify effectiveness with objective, post-training checks and on-the-job performance.

Map every identified gap to the most effective intervention and define how you’ll prove it worked. Training alone isn’t sufficient, so pair coursework with practical demonstrations, shadowing, and monitored authorizations until proficiency is stable.

Build a recertification cadence based on risk, frequency, and regulatory requirements. Track certificates and expiries centrally to avoid last-minute scrambles, and refresh high-risk skills more frequently.

For scarce expertise, enable structured knowledge transfer and cross-training to reduce single-point failures.

Where internal options won’t close the gap in time, recruit or contract external specialists—then subject them to the same competence controls and records.

  • Interventions: Classroom/e-learning, on-the-job coaching, mentoring, cross-training, temporary authorization with supervision, recruitment
  • Effectiveness checks: Witnessed task completions, error/defect trend shifts, first-time-right rates, calibration or practical tests
  • Sustainment: Recertification cycles, certificate tracking, refresher triggers, supervisor sign-offs

Match actions to gaps

| Gap type | Best action | Verification | Sustainment |
|---|---|---|---|
| Knowledge shortfall | Targeted course or microlearning | Short test + applied task | Refresher at defined interval |
| Hands-on skill | On-the-job coaching + demo | Witnessed completion checklist | Recertify after X months |
| Rare expertise | Mentoring or expert shadowing | Supervisor sign-off on critical tasks | Cross-train 2nd person |
| Capacity missing | Hire or contract specialist | Entry assessment + trial period | Fold into matrix and cycles |

[Figure: flowchart routing each gap type to a specific action with an effectiveness checkpoint icon]

How to document, track, and audit competence evidence

Centralize competence records, standardize evidence types, and maintain airtight audit trails. Use a skills matrix plus certificate tracking with expiry alerts, effectiveness checks, and versioned authorizations so you can prove “who is competent for what” at any moment.

Treat competence evidence as controlled documented information. Standardize what counts as proof (e.g., witnessed task checklists, pass/fail tests, certificates, authorizations) and where it lives (a single system with role-based access).

Link each role requirement to specific evidence artifacts and keep change history: who added it, when, and under which procedure version. Track expiry dates for licenses and mandatory training, trigger renewal workflows, and attach post-training effectiveness evaluations.

For contractors and temporary staff, store the same evidence set and map them to your processes. During audits, be ready to filter by process → role → person → evidence and to show evaluation outcomes, not just training completion.

  • Control points: Standardized templates, version control, audit logs, access permissions
  • Time savers: Certificate vault, automated reminders, mobile capture for frontline proof
  • What auditors test: Traceability from requirement to evidence, effectiveness of actions, current validity of credentials

Evidence map: From requirement to record

| Requirement | Accepted evidence | Source & owner | Retention & refresh |
|---|---|---|---|
| Role competence (task X) | Witnessed completion checklist, supervisor sign-off | Line manager; QA co-owner | Until next recertification + 3 years |
| Mandatory certification | Certificate file + issuer details + expiry | Employee; HR verifies | Before expiry; renew per regulation |
| Training completion | Attendance + assessment score + materials version | L&D; trainer | Course cycle + 3 years |
| Effectiveness evaluation | Post-training observation, defect/FTT trend | Supervisor; QA | At 30–60 days post-training |
| Authorization to perform | Controlled authorization list with scope/date | Process owner | Live document; rescind on lapse |

Auditor-ready checklist (quick scan)

  • A single source of truth for skills matrices and certificates
  • Evidence linked to the latest procedure/work instruction version
  • Expiry alerts and renewal logs visible to managers
  • Effectiveness checks stored with outcomes and dates
  • External providers included in the same control scheme

How to integrate competence management into your QMS

Embed competence into core QMS processes—planning, operations, nonconformity/CAPA, and management review—so skills data drives decisions.

Define ownership, standardize workflows, connect records to procedures, and review outcomes with KPIs for sustained, audit-ready control.

Treat competence as a cross-functional control, not an HR silo. Start by mapping each procedure and work instruction to the roles that execute it and the competencies required.

Build competence checkpoints into onboarding, change control, and pre-production readiness, so no task begins without verified authorization.

When nonconformities occur, analyze whether competence contributed and route corrective actions to training, coaching, or recertification with measurable effectiveness checks.

Finally, surface competence KPIs—coverage, expiry risk, cross-training depth—in management review to steer resources and mitigate single-point failures.

  • Where it lives: Procedures, work instructions, authorization lists
  • When it triggers: Onboarding, process changes, new equipment, high-risk tasks
  • How it’s governed: RACI ownership, periodic recertification, KPI review

Operational embed: RACI and checkpoints

| QMS area | Key control | R | A | C | I |
|---|---|---|---|---|---|
| Document control | Roles ↔ skills mapped in WI | Process owner | Quality | HR/L&D | Supervisors |
| Production release | “Competence verified” gate | Supervisor | Operations | Quality | HSE |
| Change control | Re-training impact assessment | Process owner | Quality | HR/L&D | Affected teams |
| Nonconformity/CAPA | Root cause includes competence | Quality | Site lead | Supervisor | HR/L&D |
| Management review | Coverage, expiries, depth KPIs | Quality | Top mgmt | HR/L&D, Ops | All sites |

KPI set for review

  • Coverage: % of roles meeting proficiency targets
  • Expiry risk: count of credentials expiring ≤60 days
  • Depth: # of cross-trained staff per critical skill
  • Effectiveness: post-training pass rate and 60-day defect trend shift

[Figure: management review dashboard with four KPI tiles and a trend line for expiries vs. renewals]

Do’s, don’ts, and pitfalls in competence compliance

Build auditable controls around competence, not just training. Define requirements clearly, assess objectively, verify effectiveness, and retain evidence. Avoid vague role profiles, self-attestations, and “completed course = competent.” Close gaps with targeted actions and recertify on a risk-based cycle.

Strong competence control is specific, measurable, and traceable. Auditors frequently find “tribal knowledge” and undocumented assumptions—people performing critical tasks without objective proof of proficiency.

Replace generic job descriptions with role-based competency profiles mapped to procedures and risks. Use witnessed demonstrations and practical tests rather than self-declarations.

After interventions, verify effectiveness by observing on-the-job performance or checking error trends. Maintain a single source of truth for authorizations and expiries, and include contractors under the same rules.

Finally, schedule recertification based on risk and frequency, so competence stays current when processes or equipment change.

Do this

  • Define proficiency levels and evidence per skill
  • Use observed demonstrations and practical tests
  • Link gaps to specific actions with due dates
  • Track certificates and expiries centrally with alerts
  • Evaluate effectiveness 30–60 days after training

Avoid this

  • Assuming “years of experience” equals competence
  • Relying on self-attestations without observation
  • Treating training completion as proof of proficiency
  • Scattering records across email, paper, and shared drives
  • Excluding contractors or temps from competence control

Common pitfalls and fixes

| Pitfall | Impact | Fix |
|---|---|---|
| Vague role profiles | Inconsistent authorizations | Create role-skill maps with targets |
| No risk weighting | Misplaced priorities | Weight skills by severity and frequency |
| Static records | Stale competence | Recertify on risk-based intervals |
| Siloed ownership | Gaps persist | Add RACI and KPIs to management review |

Why strong skills management helps your organization

Robust skills management reduces defects and downtime, accelerates onboarding, and makes audits routine. It turns competence into a controllable variable—improving quality, safety, and delivery while lowering compliance risk and administrative effort.

When competence is visible and current, you allocate the right people to the right tasks, first time. That cuts variation, scrap, and rework. Onboarding and changeovers become faster because proficiency targets and evidence are clear.

Compliance risk drops as expiries are managed proactively and effectiveness checks demonstrate real capability. Cross-training improves resilience against vacations or turnover, while expert-finder capability mobilizes scarce skills quickly.

Leaders gain forward-looking insight—where gaps are forming and which teams need investment—so training budgets deliver measurable impact.

Operational benefits

  • Fewer nonconformities and customer complaints
  • Faster time to proficiency for new hires and promotions
  • Reduced single-point-of-failure risk via cross-training depth
  • Predictable audits with clean evidence and traceability
  • Better capacity planning with skill coverage visibility

Management outcomes

  • KPI-driven decisions in management review
  • Clear ROI on training through effectiveness metrics
  • Stronger readiness for new lines, equipment, or regulations

Conclusion

ISO 9001 competence is operational control. Define role requirements, verify proficiency objectively, fix gaps with targeted actions, and retain airtight evidence.

Do this consistently, and audits become routine while quality, safety, and delivery all move in the right direction.

Strong skills management turns clause 7.2 into day-to-day practice. With risk-weighted skills matrices, clear proficiency levels, effectiveness checks, and centralized certificate tracking, you know exactly who is qualified for what—and you can prove it.

The return is tangible: fewer nonconformities, faster onboarding, resilient staffing, and confident customer and auditor conversations.

FAQs

  • What does ISO 9001 actually require for competence?

  • How is training different from competence?

  • Do contractors and temporary staff fall under clause 7.2?

  • What evidence satisfies an auditor?

  • How often should we recertify staff?

  • Which KPIs best reflect competence control?

  • What’s the fastest way to expose skills gaps?

  • How do we link competence to CAPA?

Revisions

Original version | November 12, 2025