SOC2-CC1-PERFORMANCE-MGMT

Performance Management and Competency Assessment

Control type: preventive | Effectiveness: low | Frequency: annually

What this control does

Formal process for evaluating employee performance, identifying skills gaps, and ensuring staff have the competencies required for their security-relevant roles.

Implementation guidance

Conduct annual performance reviews that include assessment of security awareness and role-specific competencies. For roles with elevated access, document a competency checklist. Track and remediate skills gaps via training plans.

Requirements satisfied

CC1.4, CC1.5

Why it matters

Weak performance management creates blind spots: you may have admin-level staff who lack secure coding practices, sysadmins unfamiliar with your incident response procedures, or developers unaware of current threat patterns—all increasing the likelihood of preventable security failures. Competency gaps in security-relevant roles directly increase operational risk and are a root cause in many breach post-mortems, especially when elevated-access staff miss critical training or updates.

Evidence to collect

  • Completed performance review documents or competency assessment checklists for 3–5 employees covering role-specific security skills (e.g., secure coding, access controls, incident response)
  • Job descriptions or competency frameworks defining security requirements for elevated-access and security-relevant roles
  • Training completion records or certificates showing security awareness and role-specific training aligned to identified gaps
  • Performance management policy or procedure document outlining the annual cycle, assessment criteria, and competency gap remediation process

Testing procedure

For 5–10 employees in security-relevant roles (engineers, admins, developers, operators), the auditor requests: (1) their job description or role definition, (2) the most recent formal performance review or competency assessment document, (3) evidence of any security training completed in the review period, and (4) remediation/training plans for documented gaps. Verify that the review covers role-specific security competencies (e.g., secure coding for developers, incident response for ops) and is dated within the last 12 months. Confirm that training completions are tracked and linked to performance files.

Common gotchas

The most common pitfall is treating this as a checkbox exercise: annual reviews that mention 'security' generically but never assess actual competencies (e.g., a DBA gets a generic "security awareness" checkbox rather than evaluation of their data protection knowledge). A second trap is identifying gaps but failing to document a follow-up training plan or timeline—auditors will reject "skills gap identified" with no evidence of remediation action or timeline.