What is an ISO 27001 Gap Analysis?
An ISO 27001 gap analysis compares your organization’s current information security arrangements with the requirements of ISO/IEC 27001:2013, the information security management systems (ISMS) standard.
It tells you how far you are from meeting the standard’s requirements and controls, and gives a high-level overview of what your organization must do to achieve certification.
ISO 27001 does not mandate a gap analysis as such. The one point where you effectively have to perform one is when writing the Statement of Applicability (SoA), a key ISMS document that lists the controls your organization has selected, justifies their inclusion (and the exclusion of any Annex A controls you did not select), and records whether each one is implemented. Keep in mind that the SoA follows from your risk assessment and risk treatment plan: controls are selected because they treat identified risks, not simply because they appear in Annex A, so a control-by-control gap analysis complements the risk assessment rather than replacing it.
In practice, many companies also perform a gap analysis before starting an ISO 27001 implementation, to establish where they stand today and to estimate the resources the implementation will require.
During the analysis you review your existing information security arrangements and documentation and compare them, clause by clause, with the requirements of ISO/IEC 27001:2013 (and, control by control, with Annex A). The aim is to identify where the existing arrangements fall short of the standard, find opportunities for improvement, and reduce the risk of data breaches.
The output of a gap analysis will typically detail:
- The overall state and maturity of your information security arrangements
- The gaps between this state and the requirements of ISO 27001
- Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
- An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS
When to carry out your gap analysis depends on how far along you are with implementing your ISMS:
- If you have not yet defined your ISMS scope or carried out a risk assessment, you will be missing most of the controls that the risk assessment will eventually deem necessary, and the analysis will do little more than confirm that. In that case it makes sense to postpone the gap analysis until further into the implementation.
- If your implementation is underway but still at an early stage, the analysis will still show many gaps, but you will come away with a much clearer picture of how much work lies ahead.
- If you already have a fairly established system in place, the gap analysis tells you how complete and robust it is, so you might want to carry it out towards the end of the implementation, as a readiness check before the certification audit.