Sternberg Consulting Logo
Kontaktiere uns
sternberg consulting logo
Contact Us

ISO 9001 Competence and Awareness: A Practical Guide for SMEs (Clauses 7.2 and 7.3)

A practical, audit-ready guide to Clause 7.2 and 7.3 for small and medium-sized businesses.

Our complete ISO 9001 implementation guide for SMEs lays out the full path to certification. Our quality policy guide explains how top management sets direction. Our quality objectives guide shows how to turn that direction into measurable targets. Our process landscape article maps the processes that make the QMS work in practice. The next step is making sure the people inside those processes are competent to do the work and aware of why it matters.

For many SMEs, this is where ISO 9001 starts to feel personal. Process maps and procedures can be written in a workshop. Competence and awareness depend on real people, real skills, and real day-to-day behaviour. Auditors know that. They will not stop at a training list or a few signatures. They will look for evidence that your team understands the work, can perform it correctly, and knows how its actions affect quality results.

This article shows how to implement Clause 7.2 Competence and Clause 7.3 Awareness in a way that works for an SME without turning training management into a bureaucratic side business. We will cover the simplest structure that satisfies auditors: role-based competence requirements, a usable competence matrix, training records with real evidential value, and awareness measures that go beyond posters on the wall.

Aquarelle illustration of three professionals beside a three-level framework of boxes, arrows, and documents.
Competence management works best when role requirements, learning actions, and evidence are connected.

What ISO 9001 Actually Requires for Competence and Awareness

Clause 7.2 requires the organisation to determine the necessary competence of people doing work under its control that affects the performance and effectiveness of the quality management system. It also requires you to ensure those people are competent on the basis of appropriate education, training, or experience, take actions where needed to acquire competence, and retain documented information as evidence.

Clause 7.3 focuses on awareness. People doing work under the organisation’s control need to be aware of the quality policy, relevant quality objectives, their contribution to the effectiveness of the QMS, including the benefits of improved performance, and the implications of not conforming to QMS requirements.

Those two clauses are closely connected, but they are not identical. Competence is about ability. Awareness is about understanding. A machine operator may be technically competent to run a process and still lack awareness of why a certain inspection step matters. A sales coordinator may understand the quality policy very well and still be unable to perform contract review correctly without training. You need both.

If you want the broader context around Clause 7, read our overview of ISO 9001 Clause 7 Support. This article is the deeper implementation guide for the two subclauses that most often create audit findings in SMEs.

Which Roles Need Competence Defined?

A common mistake is assuming Clause 7.2 only applies to production staff or the quality department. In reality, it applies to any role that influences quality performance or QMS effectiveness. The exact list depends on your business model, but in a typical SME it usually includes people from several functions.

  • Top management, because they approve policy, objectives, resources, and management review decisions.
  • Process owners, because they define and control how key processes operate.
  • Sales and order review staff, because unclear customer requirements often create downstream quality problems.
  • Purchasing staff, because supplier selection and control affect incoming quality and delivery reliability. See also our guide to practical supplier evaluation.
  • Production or service delivery personnel, because they perform the work that creates the product or service.
  • Inspection, test, and release personnel, because they make quality-relevant decisions.
  • Internal auditors, because the organisation must be able to demonstrate audit competence and independence. Our internal audit guide covers that in more detail.
  • Document controllers or administrators, where incorrect document handling could lead to obsolete instructions being used. For that topic, see our ISO 9001 document control article.

The practical rule is simple: if errors in a role can affect customer requirements, product or service conformity, legal compliance, or the effectiveness of the QMS, define competence requirements for that role.

Start With the Process Landscape, Not the Org Chart

The easiest way to define competence is to start from your process landscape, not from job titles alone. Processes tell you where quality risks actually sit. Once your key processes are defined, ask four practical questions for each process.

  1. Who performs the work?
  2. Who approves or releases the output?
  3. What knowledge or skill is needed to avoid errors?
  4. What evidence would convince an auditor that the person is competent?

This approach produces much better results than a generic HR training matrix because it ties competence directly to process performance. It also keeps the system lean. You do not need a complex company-wide learning management system if your real need is a clear mapping between key roles, required competence, and evidence.

Aquarelle illustration of three professionals discussing a hand-drawn process map on a table.
Process discussions help teams define where competence matters most in day-to-day operations.

The Simplest Competence Matrix That Works in an SME

A competence matrix is often the fastest way to implement Clause 7.2. It gives you one place to see role requirements, current status, gaps, and planned actions. The matrix should stay simple enough that someone updates it without resentment. If it becomes a spreadsheet monster, it will drift out of date.

For most SMEs, five columns are enough.

Role or Process Function Required Competence Current Evidence Gap or Risk Action Needed
Internal Auditor
  • Knowledge of ISO 9001 requirements
  • Audit technique and interviewing skills
  • Understanding of audited processes
  • Internal auditor certificate
  • Witnessed audit participation
  • Previous audit reports
 No evidence yet for independent audit performance Assign as co-auditor in next audit and review report quality
Purchasing
  • Supplier approval criteria
  • Incoming quality escalation
  • Contract and specification review
  • 2 years experience
  • Supplier evaluation training record
 Limited knowledge of new risk-based supplier criteria Targeted workshop on revised supplier evaluation process
Production or Service Delivery
  • Work instruction knowledge
  • Process-specific technical skill
  • Inspection and escalation rules
  • Supervisor sign-off
  • Observed job performance
  • Training attendance
 Training completed, effectiveness not yet verified Observe first three jobs after training and document result

The evidence column matters. ISO 9001 does not require you to prove competence only through formal certificates. Experience, supervised practice, successful execution, test results, observed performance, and customer feedback can all be valid evidence if they are appropriate to the role.

How to Define Competence Requirements Without Overcomplicating It

Do not write vague requirements such as “must be qualified” or “should understand quality.” They are too abstract to manage and too weak to defend in an audit. Define competence in terms that are specific to the role and observable in practice.

A useful structure is:

  • Education or baseline qualification, where relevant.
  • Process knowledge, including procedures, customer requirements, and acceptance criteria.
  • Practical skill, meaning the person can perform the work reliably.
  • Quality-specific knowledge, such as escalation paths, nonconformity handling, or traceability rules.
  • Experience threshold, where experience genuinely matters.

For example, a competence requirement for final inspection could state that the person must understand the inspection plan, be able to use the relevant measurement tools, know the release criteria, understand what constitutes a nonconformity, and know when to stop shipment and escalate. That is concrete enough to assess, train, and audit.

Practical template for a competence requirement:

Role: Final Inspector

Required competence: Able to perform final inspection against the approved inspection plan, use measuring equipment correctly, identify nonconforming product, document results completely, and escalate deviations according to the nonconformity process.

Evidence: On-the-job demonstration observed by supervisor, completed training record, one reviewed inspection report with no critical errors.

Closing Competence Gaps: Training Is Only One Option

When a gap exists, training is often the right action, but it is not the only one. Clause 7.2 requires the organisation to take action to acquire necessary competence. Depending on the gap, that action could be formal training, mentoring, supervised work, qualification by observation, recruitment, reassignment, or a temporary control measure until the gap is closed.

A practical five-step method works well in SMEs.

  1. Define the required competence for the role.
  2. Assess the current person against that requirement.
  3. Identify the gap precisely.
  4. Select the smallest effective action to close the gap.
  5. Verify effectiveness after the action, not just attendance.

The fifth step is where many systems fail. A signed training attendance sheet only proves that someone sat in a room or joined a call. It does not prove that the person can now perform the task correctly. Auditors often challenge exactly this point.

Effective verification can include a supervisor observation, a short competence test, review of the first completed jobs after training, an internal audit result, or a process KPI that improves after the action. If the training was on contract review, for example, you would expect fewer order-entry errors or fewer clarifications with the customer.

Aquarelle illustration of a supervisor coaching an employee at a desk beside a four-step circular diagram.
Training becomes effective when learning is reinforced through practice, coaching, and follow-up review.

What Awareness Means in Practice Under Clause 7.3

Awareness is broader than “employees have seen the quality policy once.” ISO 9001 expects people to understand the framework around their work. They need enough awareness to make better decisions, recognise when something is wrong, and understand why compliance matters.

For most employees, awareness should cover four things.

That last point is important. Awareness becomes real when employees can explain the consequences of failure in their own context. A warehouse employee should know why traceability matters. A sales employee should know why unclear order acceptance creates cost and complaint risk. A process owner should know how weak follow-up on actions shows up in performance evaluation and management review.

Awareness can be built through onboarding, toolbox talks, team meetings, visual work instructions, supervisor briefings, and internal audit feedback. What matters is not the medium. What matters is whether people genuinely understand the message and can connect it to their work.

What Auditors Typically Ask for

Auditors usually test competence and awareness in three layers: documents, interviews, and observed practice.

1. Document Review

They may ask to see role requirements, training records, competence matrices, onboarding records, internal auditor qualifications, or evidence that employees were briefed on revised procedures. If your system is lean but orderly, that is fine. If records are scattered across email folders, WhatsApp screenshots, and manager memory, you create avoidable risk.

2. Employee Interviews

Auditors often ask employees questions such as:

  • What is your role in the process?
  • Which instructions or criteria do you follow?
  • What do you do if something goes wrong?
  • What are the main quality objectives for your area?
  • How were you trained for this task?

If the answers are natural, specific, and aligned with the documented process, the audit usually moves on quickly. If employees look surprised, refer vaguely to “the office,” or cannot explain basic quality expectations, the auditor will dig deeper.

3. Practical Evidence

Auditors also compare records with reality. If the matrix says a person is qualified, but the person uses the wrong revision of a form or cannot explain the release criteria, your documented information is no longer credible. For audit preparation, our article on preparing for an ISO audit without internal expertise is a useful companion.

The Training Records That Actually Help in an Audit

Training records should answer five questions quickly.

  • Who was trained?
  • On what topic?
  • Why was the training needed?
  • When was it completed?
  • How was effectiveness checked?

If your record only captures the first four, it is incomplete from an ISO 9001 perspective. The fifth point is where the evidential value comes from. This does not have to be complex. A supervisor sign-off after observed performance can be enough, provided the expectation is clear and the record is retrievable.

This is also where good document control supports competence. When procedures change, affected employees must be informed and, where relevant, re-trained. If document revisions are distributed informally and nobody can tell who was trained on what version, awareness and competence both weaken immediately.

Common Mistakes SMEs Make With Clause 7.2 and 7.3

  • Confusing attendance with competence. Attendance sheets alone do not show that people can do the job.
  • Using generic role descriptions. Requirements like “good communication skills” are too vague to assess.
  • Ignoring temporary or external personnel. If work under your control affects quality, the competence question still applies.
  • Treating awareness as a poster campaign. A signed policy on the noticeboard is not enough evidence by itself.
  • Failing to re-evaluate after process changes. New equipment, new software, or revised procedures often create new competence needs.
  • Not linking training to process performance. If training priorities are disconnected from process risk, effort goes to the wrong places.

Many of these problems show up together with the broader issues described in our article on common ISO 9001 implementation pitfalls. The pattern is usually the same: a system exists on paper, but it is not tightly connected to operational reality.

A Lean Implementation Model for SMEs

If you want the minimum viable structure that is still audit-ready, use this model:

  1. A process landscape that identifies key roles per process.
  2. A competence matrix for quality-relevant roles.
  3. Simple role-based competence requirements.
  4. Training or other gap-closing actions with effectiveness verification.
  5. Awareness built into onboarding, meetings, and supervisor communication.
  6. Retrievable records controlled as documented information.

That is enough for most SMEs. You can scale later if the organisation grows or the regulatory environment becomes more demanding. In a mature system, you might add formal annual competence reviews, digital training dashboards, and KPI tracking by qualification group. For a first ISO 9001 certification, the simpler structure is often the stronger one because it is more likely to stay current and be used.

How Competence and Awareness Connect to the Rest of the QMS

Competence and awareness are not isolated HR topics. They connect to the whole management system.

  • Quality policy: awareness starts with understanding the direction management has set. See our quality policy guide.
  • Quality objectives: people need to know the targets relevant to their process and how their work influences them. See our practical guide to quality objectives.
  • Risks and opportunities: competence gaps are themselves operational risks and should be considered in planning. See our guide to risks and opportunities.
  • Internal audits: audits test whether competence and awareness work in practice. See our internal audit article.
  • Management review: recurring competence gaps, training needs, and process-related human-factor issues belong in management review inputs and decisions.

When those links are clear, the QMS becomes much easier to manage. Training priorities become risk-based. Awareness becomes process-specific. Audit results produce focused actions instead of generic reminders.

How We Help Clients Implement Competence and Awareness

We help clients translate Clause 7.2 and 7.3 into a working system that fits the business rather than a generic training bureaucracy. In practice, that usually means defining competence requirements per key process, building a lean competence matrix, identifying the highest-risk gaps, and creating simple records that hold up in certification audits. We also support managers in turning the quality policy and objectives into messages employees can actually understand in their daily work. If you want support implementing this in your organisation, contact us here.

Aquarelle illustration of two professionals reviewing a tablet checklist together at a desk.
Regular coaching helps turn quality expectations into consistent day-to-day behaviour.

Frequently Asked Questions

Do we need formal training records for every employee?

No. You need evidence of competence for people whose work affects quality performance and QMS effectiveness. For some roles, formal training records are appropriate. For others, supervisor observation, experience records, onboarding confirmation, or reviewed work results may be sufficient if they clearly demonstrate competence.

Is a competence matrix mandatory under ISO 9001?

No. ISO 9001 does not prescribe a competence matrix. It is simply one of the most practical ways for SMEs to demonstrate that they have determined competence requirements, assessed current capability, and taken action where needed.

How can we demonstrate awareness during an audit?

The strongest evidence is a combination of records and employee interviews. Employees should be able to explain the quality policy in plain terms, identify the quality expectations relevant to their work, describe how they contribute to quality outcomes, and explain what they do when something goes wrong.

Does Clause 7.2 also apply to temporary staff or outsourced personnel?

Yes, where they perform work under your control that affects product or service conformity or QMS effectiveness. You do not always need the same form of evidence as for permanent employees, but you still need to ensure the necessary competence is present and controlled.

How often should competence be reviewed?

At minimum whenever there is a role change, process change, new equipment, revised procedure, recurring error pattern, or audit finding that suggests a gap. Many SMEs also review competence annually as part of broader planning and management review activities.

What is the difference between competence and awareness?

Competence is the demonstrated ability to do the work correctly. Awareness is understanding the policy, objectives, contribution to quality, and consequences of nonconformity. A functioning QMS needs both.

About the Author

Jonathan Sternberg is a certified internal auditor and external quality management representative with experience in automotive, semiconductor, laser optics, and medical technology. Through Sternberg Consulting, he supports organisations with practical implementation of ISO 9001, ISO 14001, ISO 45001, and ISO 13485.

Related Articles

About the Author

Jonathan

Jonathan Sternberg, founder of Sternberg Consulting, brings extensive experience from the automotive, semiconductor, and optical industries. He focuses on customized solutions and genuine collaboration in quality management.