The best documented quality management system fails if the people who operate it are not competent to do so. The ISO 9001:2015 standard recognises this explicitly: its clause 7.2 (Competence) requires the organisation to determine the necessary competence of those who affect quality performance, ensure they have it on the basis of education, training or experience, take action to acquire it where it is lacking, and retain the documented information that proves it. Training is therefore not a human-resources detail: it is an auditable requirement. This article develops how to build a quality training plan that meets the standard and, above all, genuinely changes behaviour on the job.
Competence, not attendance: what clause 7.2 really requires
A frequent mistake is to confuse training with competence. The fact that an employee has attended a course does not prove they can do the task. The standard speaks of competence, a broader concept that integrates knowledge, skill and attitude applied effectively on the job. The cycle ISO 9001 expects is: define the competence required for each role, assess the person's current competence, identify the gap, close it with the right action (training, mentoring, rotation, recruitment) and, finally, evaluate the effectiveness of that action. This last step is the one most audits fail: the course is delivered, but nobody checks afterwards whether the operator applies what they learned and whether the nonconformity that prompted the training has stopped recurring.
The competence matrix: the map of who knows what
The central tool of a training plan is the competence matrix (also called the versatility matrix or skills matrix). It is a table that cross-references people with required competences and shows, for each cell, the current level against the level demanded by the role. A common four-level scale (from "untrained" to "can train others") makes the status visible at a glance. The matrix immediately reveals operational risks: critical competences that depend on a single person (the dreaded bus factor), roles with insufficient cover and natural candidates to take on more responsibility. Keeping it up to date turns training planning into a data-driven decision rather than guesswork.
| Level | Meaning | Expected evidence |
|---|---|---|
| 0 | Untrained | No record of training or practice |
| 1 | In training / supervised | Performs with a tutor's support |
| 2 | Autonomous | Performs alone and meets the standard |
| 3 | Reference / can train others | Trains others and improves the process |
Training the internal auditor: the most demanding competence
Within the quality staff, the internal auditor requires specific training. The ISO 19011:2018 standard provides the guidelines for auditing management systems and defines the principles the auditor must embody: integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach. A good internal auditor is not improvised: they need to master the requirements of the standard they audit, interview techniques (asking open questions, listening, not leading the answer), sampling, the objective wording of findings and the correct classification between major nonconformity, minor nonconformity and opportunity for improvement. The independence requirement is critical and is often breached: nobody should audit their own work, which in small SMEs forces you to train several people or to resort to cross-auditing between departments.
Designing training that changes behaviour: the Kirkpatrick model
So that the investment in training does not evaporate, it is worth evaluating its impact on the four levels of the Kirkpatrick model, the reference standard in training evaluation:
- Level 1 — Reaction: what did they think of the training? This is the satisfaction survey. Useful, but the most superficial level.
- Level 2 — Learning: what knowledge or skills did they acquire? Measured with an exam, a practical test or a demonstration.
- Level 3 — Behaviour: do they apply what they learned on the job weeks later? Observed in real work. This is where the effectiveness ISO 9001 requires is decided.
- Level 4 — Results: did the process indicators improve (fewer defects, fewer complaints, less rework)? This is the return that justifies the investment.
Most organisations stop at level 1, handing out satisfaction surveys that prove nothing to an auditor. Demonstrating effectiveness requires reaching at least level 3, linking the training to the disappearance of the problem that prompted it.
The annual training plan: recommended structure
A well-built quality training plan starts from four sources of needs: the gaps detected in the competence matrix, recurring nonconformities whose root cause is a lack of competence, changes in regulation or processes, and the staff's own development requests. From there you derive prioritised actions with an owner, a date, a modality (in-person, online, on-the-job, mentoring), a criterion for evaluating effectiveness and a budget. The plan should be reviewed during the management review (clause 9.3), where its execution is accounted for. Retaining competence records (certificates, evaluation results, evidence of application) is mandatory under 7.2 and must respect the GDPR when it contains the employee's personal data: legitimate purpose, minimisation and a defined retention period.
Training modalities and when to use each one
Not all competence is acquired in the same way, and applying the wrong modality wastes budget. Classroom training (in-person or online) works well for transmitting conceptual knowledge: the requirements of a standard, the fundamentals of a statistical method, the interpretation of an indicator. On-the-job training, where a reference person accompanies someone while they carry out the real task, is irreplaceable for manual skills and the organisation's specific processes; no generic course teaches you to calibrate that particular instrument with that procedure. Mentoring accelerates the development of judgement-based competences, such as classifying findings in an audit, which mature only with the guidance of someone experienced. And planned rotation between roles combats dependence on a single person and raises the versatility of the whole matrix.
The most effective combination is usually a blended pathway: the classroom lays the theoretical base, supervised practice turns it into skill, and the subsequent evaluation verifies that the competence has been consolidated. For the internal auditor, for example, a solid pathway chains together a course on the standard and on ISO 19011, participation as an observer in a real audit, the execution of a complete audit under the supervision of a senior auditor and, finally, the evaluation of their performance by the system manager. Designing training as a pathway with verifiable milestones, rather than as an isolated event, is what lets you prove to the auditor that the competence is real and not a mere note on a record card.
Common mistakes in quality training
- Confusing attendance with competence: filing the attendance signature as if it proved the person can already do the task.
- Not evaluating effectiveness: delivering the course and never checking whether behaviour changed. It is the most repeated audit finding under 7.2.
- Training everyone in the same thing: generic sessions instead of closing specific gaps in the competence matrix.
- Auditor without independence: the same person auditing the process they design or operate.
- Concentrating critical knowledge in a single person: failing to plan for versatility and remaining exposed to their absence or departure.
Frequently asked questions
Does ISO 9001 require training for all staff?
Not exactly. It requires you to ensure the competence of those who affect quality performance. If a person is already competent through experience or education, they need no additional training; what you must retain is the evidence of that competence.
How do I prove to the auditor that the training was effective?
By linking the training action to an observable result: a passed practical test (level 2), application on the job (level 3) or a reduction in the indicator or nonconformity that prompted it (level 4).
What training does an internal auditor need?
Knowledge of the standard they audit, interview and sampling techniques, the objective wording of findings and the principles of ISO 19011 (integrity, impartiality, independence, an evidence-based approach). And they must never audit their own work.
How long are training records kept?
The period is set by the organisation according to its judgement and legal requirements. As it contains the employee's personal data, the GDPR storage limitation principle applies: do not keep it beyond what is necessary for the purpose.
Conclusion: competence is the invisible foundation of the system
A perfect procedure executed by someone who does not understand it produces the same defects as the absence of a procedure. That is why, at Summum Quality, we insist that training be planned as an investment with measurable returns and not as a formality for filling folders ahead of the audit. The difference between an organisation that survives staff turnover and one that wobbles every time someone leaves lies in the competence matrix: in knowing precisely who knows what, where the dangerous dependencies are and which gaps must be closed before they turn into a nonconformity. If your training plan starts from real needs, reaches at least the Kirkpatrick behaviour level and leaves traceable evidence of the competence acquired, your quality system will have a foundation that no unexpected departure can topple. The standard requires competence; the business requires continuity; both are built by training the right people in the right things and verifying that it worked.