NCSAM: Get started with ISO 27001 – identify your gaps

Building an information security management system (ISMS) that meets the requirements of ISO 27001 is a challenging project that covers many aspects of your business operation. Conducting a gap analysis is an important starting point when putting a prioritized plan in place.

An ISO 27001 gap analysis enables you to assess your organization's existing information security arrangements and compare them with the Standard's requirements: the mandatory clauses (4 to 10) and the Annex A controls you will later justify in your Statement of Applicability. It will paint a clear picture of the specific areas where your business does and does not meet those requirements.

It also helps you define the scope of your ISMS: which business functions, locations, systems and information it will cover.

An ISO 27001 gap analysis is valuable for justifying ISMS needs

A gap analysis will provide you with the content needed to outline an action plan, which describes the policies, processes, controls and staff required to reach certification readiness, and lets you set a realistic budget and timeline for the project.

An important part of implementing an ISMS that can be certified to ISO 27001 is obtaining support from senior management. A gap analysis with succinct summaries and visual aids (e.g. charts) can help project leaders to identify the key drivers for an ISMS and develop a strong business case for ISO 27001 implementation.

The gap analysis process comprises three critical stages:

  1. Discovery, which usually takes place on-site, and should account for the information security needs of remote workers
  2. Reporting and creation of a statement of work
  3. Report approval and distribution

Documentation is important and will comprise all the interviews, analysis, observations and insights you collect. Additional consultants may be brought on-site to collect information about your organization and its existing security infrastructure.

One of the first things you should do is identify key staff within the organization whom you can interview to establish which process and control arrangements are already in place (current state) and which are being considered (future state). They will make your job easier.

Selected individuals from the organization will form the information security team that supports the ISMS, either for the short or long term. Estimating the level of internal management effort required from them is an important part of planning this human resource element.

After conducting an ISO 27001 gap analysis, you should have a good understanding of your existing infrastructure, the scope of your ISMS, and the budget and timeline for the project. You will also understand the ISMS implementation options available to you and be able to choose between them.

The ISO 27001 Gap Analysis Tool will come in handy as you prioritize your project and work towards compliance. An ISO 27001 specialist will:

  • Interview key personnel.
  • Perform an analysis of your existing information security arrangements and documentation.
  • Deliver an accurate and thorough report depicting your ISO 27001 compliance gap, including scope options and an action plan.