ISO 27001:2013 – Free gap analysis spreadsheet tool

Posted by Marc Gardner on Wed, Aug 02, 2017

Time to sharpen up your information security management system? Thinking of using ISO 27001:2013 as a framework? 

Richard Green, founder of Kingsford Consultancy Services, recommends getting to grips with the standard, talking to your certification body and doing a thorough gap analysis before making any dramatic changes to your processes.

It may be that you actually already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you which will require fundamental changes to your operations, product or services. 

To access the Gap Analysis Tool, download the ISO 27001 Toolkit. Read on to find out how to use it.  




What is a gap analysis?

Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've implemented as part of your information security management system (ISMS).

Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part's about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy (see #2 here), and so to that question you can answer 'Yes'.



Gap analysis vs. risk assessment

Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory but very much recommended. It'll help to have first defined your ISMS's scope (see #1 here), because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave these parts out of your gap analysis.

A gap analysis is compulsory for the 114 security controls in Annex A that form your statement of applicability (see #4 here), as this document needs to demonstrate which of the controls you've implemented in your ISMS.

The risk assessment (see #3 here) is an essential document for ISO 27001 certification, and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.

Gap analysis:

  • Tells you what you're missing to comply with ISO 27001.
  • Doesn't tell you which controls to apply to address the risks you've identified.

Risk assessment:

  • Tells you what controls you should apply.
  • Doesn't tell you what controls you already have.


When to do a gap analysis 


When you do your gap analysis depends on how far along you are with implementing your ISMS. 

  • If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. So you might want to leave your gap analysis until further into your ISMS's implementation.
  • If your implementation's underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
  • If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So you might want to do it towards the end of your implementation.

After completing the ISO 27001:2013 Gap Analysis Checklist, you'll be given an ISMS Gap Analysis Report detailing where you need to make changes.


What you should do now

There's no prescribed method for doing your gap analysis, but we've made it really easy with our free Gap Analysis Checklist. Download the Gap Analysis Tool from the ISO 27001 Toolkit.


Tags: ISO 27001

ISO 27001:2013 – Why is information security important?

Posted by Marc Gardner on Mon, Jul 31, 2017

Information in this day and age has become currency, driving business and commerce across the world. It could be your organisation's most important and valuable asset, and so it demands to be properly protected.

Protecting information means managing risk, just as you'd manage the risk of any other type of hazard occurring. Yet the risks around information security are all too often overlooked or brushed off, the mindset being that only the huge multinational corporations suffer data breaches and "it'll never happen to us".

But it can happen to any business – and does.

More than 1,500 UK businesses took part in the UK Government's Cyber Security Breaches Survey 2017 and virtually all were found to have been exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation.

Yes, larger organisations are routinely hit, for various reasons. It might be that their security measures aren't integrated but operating in isolation, creating vulnerabilities for calculating hackers to exploit. Or perhaps their systems are outdated, unfit for purpose in staving off sophisticated cyber threats.

Nearly 70% of all medium (50 to 249 staff) to large (250+) businesses surveyed by the UK Government said they'd suffered some kind of cyber breach or attack in the previous year. For micro (2 to 9 staff) and small (10 to 49) businesses, it was a not-insignificant 45%.

[Image: findings from the UK Government's Cyber Security Breaches Survey 2017]

With technology only becoming more commonplace in business and industry, information security simply can't be ignored. Still, micro/small businesses are less likely than medium and large firms to have implemented cyber security measures (formal policies or staff training, for example) or sought advice on how to do it. 35% of micro/small businesses that had identified a breach still considered security a low priority. Some businesses thought themselves too small or insignificant to consider security measures at all.

While the big firms are hit with the highest costs in monetary terms, the financial impact of cyber attacks is disproportionately high for firms with fewer than 100 employees, as a report commissioned by insurance provider Hiscox found.

See the Hiscox Cyber Readiness Report 2017.

However, not all data breaches are hacks, and information security involves more than your company's website and IT network. The physical security of your buildings; your employees' use of electronic devices like laptops, smartphones and tablets; your handling of confidential documents – these are considerations that affect all businesses, regardless of size.

So organisations need to be heeding the warnings about data security, and recognising that it's vital to their reputation, brand and the continuity of their business. An increasing number of companies are adopting international standards like ISO 27001 and 27002 to demonstrate their commitment in this area. And many firms are devoting more budget and manpower to keeping their information secure.

Consider your own organisation. How committed to information security are you? Is there more you can be doing to protect yourself? 

If you're doing it right, you'll have built information security into everything you do – it'll be reflected in your corporate strategy and objectives, your company culture. You'll have planned and implemented an information security management system (ISMS). And every employee, from top-level management down, will know what's required and what they need to do to achieve it.


What you should do now

For more information about ISO 27001, download our toolkit.


Tags: ISO 27001

ISO 27001:2013 – How EQMS can help with certification

Posted by Marc Gardner on Fri, Jul 21, 2017

Many organisations find themselves in a digital storm of relentless and continuous change, often brought on by rapidly evolving technology. For this reason, information security can no longer be a once-in-a-while project – it must be central to all your projects and processes.

ISO 27001 provides a framework for managing information security. Based on regular risk assessments that consider ever-changing scenarios, it's at its most effective with a robust and flexible electronic management system working alongside it.

And so to EQMS, Qualsys's solution for managing ISO 27001 documentation, audits, risk and suppliers simply, securely and efficiently.

EQMS Document Manager

Planning an information security management system (ISMS) is a crucial requirement of ISO 27001 accreditation.

ISO 27001 sets out a nine-stage process for doing so. The documentation you generate through this process will define your system's scope (i.e. what information it intends to protect), your organisation's context, and your detailed approach to keeping your information secure. This process needs to be embedded throughout your entire organisation.

With EQMS Document Manager, you can easily share compulsory documents (such as your information security policy, risk assessment methodology and statement of applicability) with the relevant members of your team. EQMS ensures only the most recent version of the documents will be seen and read.

Disseminating information too widely can expose your company to unnecessary risk. With EQMS, you can really lock down your data by reducing to the barest minimum the number of roles that have higher access privileges or levels of authorisation.

And EQMS uses electronic signatures to ensure that your employees confirm they've read and understood your latest operating procedures. This limits the risk of your company being liable for data breaches.

Download the EQMS Document Manager datasheet here

EQMS Risk Manager

Risk assessment is a complex part of ISO 27001 implementation – and the most important step.

EQMS Risk Manager is configured to your risk assessment methodology. How you treat those risks you've identified in your assessment can be managed through a workflow which is traceable at every stage. You'll be able to view real-time risk assessment reports in the KPI Dashboard, allowing you to proactively manage risk from a central system.

Download the EQMS Risk Manager datasheet here

EQMS Audit Manager

EQMS Audit Manager can be configured for both systematic and closed-loop auditing. And you can associate your audits with whatever regulations or standards (such as ISO 27001) might apply to your business.

iEQMS Auditor is an iPad application for mobile auditing. The application works without an internet connection and gives your top-level management complete visibility of how well your information security processes are working.

Download the EQMS Audit and Inspection Manager datasheet here

Request a demo of iEQMS Auditor here


What you should do now

For more information about ISO 27001, download our toolkit.



Tags: ISO 27001

ISO 27001:2013 – Context of the organisation

Posted by Marc Gardner on Thu, Jul 20, 2017

When it was revised back in 2013, ISO 27001 adopted the Annex SL format, a generic framework for ISO standards that uses several identical sections of wording and a lot of similar terminology.

One of the core Annex SL clauses is clause 4, which concerns the context of the organisation. It's an important part of the standard, and it requires you to consider the internal and external issues that can impact on your strategic objectives and how you plan your information security management system (ISMS).

Your organisation should focus particularly on factors and conditions that can affect your products, services, investments and interested parties. Context becomes an important consideration and helps to ensure that your ISMS is designed and adapted for your organisation rather than taking a 'one size fits all' approach.

Determining the context (step by step)

There's no prescribed method for determining the context of your organisation in relation to ISO 27001, but you could take this simple and pragmatic four-step approach:

  1. Identify the internal issues that can affect your organisation's products, services, investments and interested parties.
  2. Identify the external issues that can affect your organisation's products, services, investments and interested parties.
  3. Identify who the interested parties are and what their requirements are.
  4. Regularly review and monitor those internal issues, external issues and interested parties you have identified.

1 – Internal issues

Your organisation's internal context is the environment in which you aim to achieve your objectives. Internal context can include your approach to governance, your contractual relationships with customers, and your interested parties.

Internal issues can include your:

  • regulatory requirements
  • strategies to conform to your policies and achieve your objectives
  • relationship with your staff and stakeholders, including partners and suppliers
  • resources and knowledge (e.g. capital, people, processes and technologies)
  • risk appetite
  • assets
  • product or service
  • standards, guidelines and models adopted by the organisation
  • information systems

2 – External issues

To understand your external context, consider issues that arise from your social, technological, environmental, ethical, political, legal and economic environment.

External issues may include:

  • government regulations and changes in the law
  • economic shifts in your market
  • your competition
  • events that may affect your corporate image
  • changes in technology

3 – Interested parties

Your interested parties include your customers, partners, employees and suppliers. When developing your ISMS, you only need to consider interested parties that can affect your:

  • ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations
  • continual improvement process
  • ability to enhance customer satisfaction through effectively applying your system
  • process for ensuring you conform to your customers' requirements and any statutes or regulations that apply

4 – Regular reviews and monitoring

You must regularly review and monitor those internal or external issues you've identified. Understanding your internal context means your management can carry out a 'PEST' (political, economic, social and technological) analysis to determine which factors will affect how you operate.

While you have no control over external issues, you can adapt to them. PEST factors can be classified as 'risks' and 'opportunities' in a SWOT (strengths, weaknesses, opportunities, threats) analysis or other alternative methods.


What you should do now

For more information about ISO 27001, download our toolkit.

Tags: ISO 27001

ISO 27001 and information security – An introduction

Posted by Marc Gardner on Thu, Jul 20, 2017

Simply put, ISO 27001 is about information security, and how you manage it in an ever-changing world. You're not only having to contend with the effects of digitisation, big data and the Internet of Things, but the growing demands of globalisation, regulation, and protection against cyber threats.

What ISO 27001 gives you is a best-practice method of implementing an information security management system (ISMS). Having this system in place, and achieving ISO certification, means you can demonstrate to your customers and partners that you're committed to information security. And you'll have an advantage when it comes to winning tenders with government clients or large corporate clients, who often demand that their suppliers comply with the standard.

Already in 2017, several large organisations – the NHS, Wonga and Three, to name a few – have fallen victim to serious security breaches. The Government's Cyber Security Breaches Survey revealed that 7 out of 10 large businesses had suffered some form of breach or attack, costing them, on average, around £20,000, and in many cases much, much more.

So how exactly does ISO 27001 help you to more effectively manage your information security? And what does implementing an ISMS actually entail?

Managing information security means preserving the confidentiality, integrity and availability of your information and the facilities you use to process it. That could be your IT systems, infrastructure, or the actual buildings in which your organisation is based.

Confidentiality: ensuring information isn't made available to people or organisations who don't have authorisation to see it.
Integrity: ensuring the information is both accurate and complete.
Availability: ensuring the information can be made available and used when an authorised person or organisation demands it.

It might be that you've been so focused on keeping information confidential that you've overlooked integrity and availability. You're not alone! But now IT and digital data are – or are likely to become – such vital elements of your business, you need to be mindful of all three aspects.

And this is where an ISMS comes in.

It's a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your information security. With an ISMS you can manage all your security practices consistently and cost-effectively.

But it's important not to see information security as solely your IT team's responsibility – 'information' isn't just confined to your computer files and IT networks. Information security must be a concern of your entire organisation, embedded in all practices, policies and procedures and communicated clearly to every employee.

And as is the case with all quality management systems, without buy-in from top management and the people who'll implement and maintain the system, you'll likely struggle to reach the level of diligence you need to achieve certification to the ISO standard.

Bear in mind that it's neither a quick nor temporary process. Embedding ISO 27001 practices into your organisation is complicated, and involves making often substantial changes to your strategy, operations and company culture. If you're a small business, you may need 4–5 months to prepare for an audit; larger organisations might need more than a year. And don't rest on your laurels: you're operating in a rapidly changing business environment, and your ISMS must continually evolve and improve to remain effective.


What you should do now

For more information about ISO 27001, download our toolkit.



Tags: ISO 27001

ISO 27001:2013 – Essential documents for certification

Posted by Marc Gardner on Tue, Dec 22, 2015

“The biggest single problem with communication is the illusion that it has taken place.” (George Bernard Shaw)

You've applied for certification to ISO 27001 and you're about to undergo your Stage 1 audit. The auditor's coming to check that your documentation's up to scratch, but you're unsure what documents he'll actually want to see.

Well, don't panic! In this blog, we explain exactly which documents you must provide. None of them need to be lengthy epics – it's all about ensuring the documents provide the information they're required to, clearly and concisely.

ISO 27001 certification is a two-stage process. Stage 1 is when the auditor familiarises himself with your organisation, checks you have all the necessary documents, and confirms that your information security management system (ISMS) is established enough for a full audit to be worthwhile.

The Stage 1 audit is usually short – a day or two, perhaps – and the auditor may even review your documents remotely. However he chooses to do it, he'll expect to see the following documentation.

1)  Scope of the ISMS

Clause 1
Clause 4.3

If you've been certified to another ISO standard, you'll already know what's involved in defining the scope of your quality management system. You're aiming to clearly set out how far the system extends within your operations, and to justify any instances where you're excluding yourself from the standard's requirements.

Where an ISMS is concerned, you need to define which information your ISMS is set up to protect, whether this is information you store in your company offices, in the cloud, or on devices your employees take out of the building (e.g. laptops or USB drives). This is often referred to as your system's intended outcomes.

Clauses 1 and 4.3 of ISO 27001 refer to the scope, and an auditor will look for consistency between both sections in your document of it. This document must specify all the internal and external issues relevant to your organisation, and your interested parties.


Internal issues:

  • Governance, structure, roles and accountabilities
  • Policies, objectives, strategies
  • Introduction of new products, software, tools, premises and equipment
  • Capabilities
  • Company culture
  • Working time arrangements etc.

External issues:

  • Economic factors (e.g. exchange rates, economic situation, inflation, availability of credit)
  • Market factors (e.g. competition, trends in customer growth, market stability, supply chain relationships)
  • Technological factors (e.g. new technology, materials and equipment, patents expiring)
  • Trade union regulations or industry-related regulations


Interested parties

Within your organisation:

  • Top management
  • Those who implement and maintain the ISMS
  • Other staff

Outside your organisation:

  • Shareholders
  • Investors
  • Distributors
  • Government
  • Regulators
  • Media
  • Trade groups
  • Emergency services
  • Pressure groups
  • Neighbours


Your scope should also describe:

  • The nature of your organisation
  • The business area in which it operates
  • The location(s) in which it's based
  • Your assets
  • The technology you use

Many organisations store their scope document in an electronic quality management system to ensure the relevant people have access to only the most recent version.

2)  Information security policy

Clause 5.2 
Clause 6.2

The main purpose of this policy is for your top management to demonstrate their commitment to the ISMS. By setting out your organisation's objectives, purpose, principles and agreed-upon strategy for securing information, they're creating an easy-to-understand document that can be followed to ensure the ISMS is properly implemented.

The policy must:

  • Be appropriate for your organisation's size. A policy created for a large manufacturing company won't suit a small IT company, for instance.
  • Show how top management will:
    • Satisfy the requirements of all interested parties
    • Make sure the ISMS is continually improved
  • Be communicated to all staff and – where appropriate – to interested parties
  • Be regularly reviewed

3)  Risk assessment and risk treatment methodology

Clause 6.1.2

ISO 27001 requires you to document how you'll assess and treat risk, which is a crucial early step in implementing your ISMS. Though the 2013 standard has removed the requirement (present in ISO 27001:2005) to use assets, threats and vulnerabilities as your methodology, this is still the most common way to go about it.

Doing a risk assessment involves:

  • Identifying risks that could impact your information's confidentiality, integrity or availability
  • Identifying the risk owner (the person with the accountability and authority to manage a risk)
  • Setting criteria for assessing the likelihood and consequences of identified risks
  • Establishing how you'll calculate risk (a one-to-three scale, for example)
  • Setting criteria for accepting risks

But before you do any sort of assessment, you must first clarify your methodology – in other words, the rules by which you'll assess the risks to your organisation. Having that document means anyone in your organisation can assess risk using the same methodology.

Defining your risk assessment methodology means considering the following:

  • Will you measure risk quantitatively or qualitatively?
  • What timeframe should each risk cover?
  • What scales should you use?
  • Who can accept risk?
  • What's your organisation's risk appetite and what's an acceptable level of risk?

Electronic quality management systems can support you in sharing your risk assessment methodology with all the relevant people. In the configuration stage of EQMS Risk Manager, for example, you can embed this methodology into your risk management process. 

4) Statement of applicability (SoA)

Clause 6.1.3(d)

In your SoA, you're setting out which of the 114 information security controls listed in Annex A of ISO 27001 you're going to apply, and why. This is different to your risk assessment document in that it must also show:

  • Which controls you'll apply for reasons other than reducing risk (e.g. legal obligations, contractual obligations etc.)
  • Which controls you've already implemented, and how.

Your SoA can be fairly short as it's intended for everyday operational use. However, it may take you a long time to create as it involves thinking about how to implement the necessary controls at a strategic level.

5)  Risk treatment plan

Clause 6.1.3(e)
Clause 6.2

Your risk treatment plan takes the controls you identified in your SoA and defines:

  • How you'll implement those controls
  • Who's responsible for that implementation
  • What resources (and how much time) they'll need to do so

You'll have identified both acceptable and unacceptable risks, but your risk treatment plan is concerned mainly with the unacceptable ones. You'll need to decide how you'll treat those risks you've deemed unacceptable – for instance, you might choose to:

  • Apply one of the Annex A controls to reduce the risk
  • Avoid whatever action is causing the risk
  • Transfer the risk to a third party (i.e. insure yourself against it)

6)  Risk assessment report

Clause 8.2

ISO 27001 offers little direction on what your risk assessment report needs to include. But by the time you come to create your report, it's likely you'll have compiled a lot of the information already. It should cover:

  • Your risk assessment methodology
  • Risk owners
  • Risks you've identified, their impact and likelihood, and whether or not they're acceptable
  • For unacceptable risks, how they'll be treated
  • Controls

Most of this information you'll have in your risk assessment methodology document, your risk assessment and your risk treatment report.

7)  Definition of information security roles and responsibilities

Annex A 7.1.2
Annex A 13.2.4

You should have a written record of the roles and responsibilities of those employees involved in managing your information security.

Where you document this information is up to you. But it should be somewhere logical and easy to find – it could be job descriptions, your organisational chart, or your information security policy.

8)  Inventory of assets

Annex A 8.1.1

When the standard talks about assets (though, unhelpfully, it doesn't define the term!), it means anything that has value to your organisation. So this covers everything from hardware (laptops, PCs, printers, mobile phones) to data (electronic, paper and other formats) to your buildings and employees.

Assets are important to ISO 27001 as they help with identifying risks and protecting the confidentiality, integrity and availability of your information. As mentioned above, the 2013 revision has removed the need to use assets, threats and vulnerabilities to assess risk, but as a methodology it still makes sense.

You'll need to:

  • Put together an inventory of your assets
  • Nominate an owner (or owners) for each asset – a person responsible for managing the information relating to that asset

9)  Acceptable use of assets policy

Annex A 8.1.3

In this document, you're setting out clear rules for how your information system and other information assets must be used.

10)  Access control policy

Annex A 9.1.1

Your access control policy demonstrates how you mitigate risk by managing what assets you make available and how.

You might want to lock down some of your networks and services so that only certain employees can access them. The rules you set will be based on various factors – the sensitivity of the asset, where those employees accessing the asset are based, and any laws or regulations that might apply (e.g. the Data Protection Act or GDPR). You might choose to restrict access to certain types of users or roles (e.g. system admins, managers).

Bear in mind that the policy also covers physical access to secure areas in your buildings and other locations.

A software solution like EQMS can be used to deploy an access control policy.

11)  Operating procedures for IT management 

Annex A 9.1.1

This document provides a framework for all management procedures to make sure that correct and secure information can be acquired. This includes written descriptions of the management processes and activities necessary to plan, operate and control the ISMS.

12)  Secure system engineering principles

Annex A 14.2.5

Secure engineering is applying security while you develop your IT system. And this means security against a whole host of threats and vulnerabilities, from fire and natural disasters to terrorism, hacking and industrial espionage; from poor management of passwords to inadequate supervision of staff.

The principles are the high-level rules you set to apply this security. You'll need to devise a detailed procedure for each one to ensure they're followed throughout your organisation. And the principles will apply to every phase of your development projects, and to all architectural layers (business, data, applications, and technology) of your final products.

13)  Supplier security policy 

Annex A 15.1.1

Some of the information your organisation uses might not be under your direct control, but handled by third parties. Suppliers, partners, customers, cloud services – these may all have access to sensitive data about your company and its finances or inner workings.

As a result, you'll need a policy that dictates how you will work with these kinds of third parties. What systems will you use to manage how they handle your information? 

Suppliers and other third parties must agree to allow all aspects of their information security management system to be audited.

Organisations with complex supply chains or thousands of suppliers use EQMS Supplier Manager to track and manage suppliers' performance.

14)  Incident management procedure

Annex A 16.1.5

Unfortunately, there's often little you can do to prevent a hacker or an employee determined to flout procedure. But by quickly detecting security breaches and weaknesses, and reacting even more promptly, you can prevent damage to your reputation and even improve your brand.

Your incident management procedure is where you outline your procedures for managing these kinds of incidents. 

EQMS Incident & Accident Manager can be used to cut the response time from hours to minutes by instantly notifying the relevant parties when a breach or incident has occurred. 

15)  Business continuity procedure

Annex A 17.1.2

When a crisis hits, every minute counts. So it's essential to build a business continuity procedure which defines exactly how you'll manage your stakeholders to ensure your business continues as normal. The procedure should outline how you'll recover critical activities within a set time frame.

16)  Statutory, regulatory and contractual requirements 

Annex A 18.1.1

This section of ISO 27001:2013 outlines the need to provide information about statutory, regulatory and contractual requirements. This will help you to demonstrate how you comply. Some of the laws and regulations governing information and data management include:

  • Official Secrets Act 1989
  • Public Records Acts 1958 and 1967
  • Data Protection Act 1998
  • Freedom of Information Act 2000
  • Environmental Information Regulations 2004
  • Human Rights Act 1998 
  • Computer Misuse Act 1990
  • Copyright (Computer Programs) Regulations
  • Civil Evidence Act 1968
  • Police and Criminal Evidence Act 1985
  • Wireless Telegraphy Act 1949
  • Communications Act 2003
  • Regulation of Investigatory Powers Act 2000
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
  • Civil Contingencies Act 2004


What you should do now

For more information about ISO 27001, download our toolkit.


Tags: ISO 27001