Time to sharpen up your information security management system? Thinking of using ISO 27001:2013 as a framework?
Richard Green, founder of Kingsford Consultancy Services, recommends getting to grips with the standard, talking to your certification body and doing a thorough gap analysis before making any dramatic changes to your processes.
It may be that you actually already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you which will require fundamental changes to your operations, product or services.
To access the Gap Analysis Tool, download the ISO 27001 Toolkit. Read on to find out how to use it.
What is a gap analysis?
Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've implemented as part of your information security management system (ISMS).
Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part's about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy (see #2 here), and so to that question you can answer 'Yes'.
Gap analysis vs. risk assessment
Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory, but it's very much recommended. It helps to have first defined your ISMS's scope (see #1 here), because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave those parts out of your gap analysis.
A gap analysis is effectively compulsory for the 114 security controls in Annex A that form your statement of applicability (see #4 here): that document has to state, control by control, which ones apply to your ISMS, whether each is implemented, and why any have been excluded.
The risk assessment (see #3 here) is an essential document for ISO 27001 certification, and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.
Gap analysis:
- Tells you what you're missing to comply with ISO 27001.
- Doesn't tell you which controls to apply to address the risks you've identified.
Risk assessment:
- Tells you what controls you should apply.
- Doesn't tell you what controls you already have.
When to do a gap analysis
When you do your gap analysis depends on how far along you are with implementing your ISMS.
- If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. So you might want to leave your gap analysis until further into your ISMS's implementation.
- If your implementation's underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
- If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So you might want to do it towards the end of your implementation.
What you should do now
There's no prescribed method for doing your gap analysis, but we've made it really easy with our free Gap Analysis Checklist. Download the Gap Analysis Tool from the ISO 27001 Toolkit.