What is an ISO 27001 Gap Analysis?
Published August 6, 2020
An ISO 27001 gap analysis allows companies to compare their current information security systems to the requirements of the ISO 27001 standard, giving them an idea of what steps must be taken to earn their ISO 27001 certification.
An ISO 27001 gap analysis gives organizations a complete view of exactly how they conform or do not conform to the international ISO 27001 family of information security standards.
The breadth of the ISO 27001 standard can make it hard for companies to determine how to apply it economically and effectively.
As a result, building an information security management system (ISMS) that meets the requirements of the ISO 27001 standard can be challenging. One way to approach that task is to conduct an ISO 27001 gap analysis.
An ISO 27001 gap analysis provides companies with the necessary information to help them understand where they need to focus as part of their ISO compliance efforts.
An ISO 27001 gap analysis offers clear recommendations for any organizational, technological, or people-based cybersecurity controls they may need to implement to close any gaps.
As part of ISO 27001 certification, a number of ISO 27001 audits must be performed to help organizations identify areas for improvement and ensure that they have best practice processes and data protection procedures in place to safeguard corporate information. An ISO gap analysis is a professional assessment undertaken between stage 1 and stage 2 of the ISO 27001 audit process.
The main benefit of an ISO 27001 gap analysis is that it bridges stage 1 and stage 2 of the ISO 27001 audit: its goal is to ensure that any ISMS weaknesses identified in stage 1 have been addressed appropriately. The gap analysis also helps companies prepare thoroughly for stage 2 and the certification process.
An ISO 27001 gap analysis is mandatory in ISO 27001, but only when an organization develops its Statement of Applicability, which summarizes its position on each of the 114 information security controls outlined in Annex A of ISO 27001.
Consequently, a company only needs to perform the ISO 27001 gap analysis for the controls in Annex A of the ISO 27001 standard. An organization also doesn’t need to perform the gap analysis before it starts the ISO 27001 implementation; rather, it must do so only after the ISO 27001 risk assessment and risk treatment.
The ISO 27001 implementation and review process focuses on the ISO 27001 risk assessment and ISO 27001 gap analysis. These steps provide a company with the majority of the information necessary to comply with the ISO 27001 standard.
However, since the ISO 27001 risk assessment and ISO 27001 gap analysis processes are very similar, companies can easily confuse them and jeopardize their ISO 27001 compliance.
An ISO 27001 risk assessment helps organizations understand which of the ISO 27001 standard’s cybersecurity controls they need to address. But it doesn’t factor in whether the organizations have already implemented those cybersecurity controls, which is why they must also conduct an ISO 27001 gap analysis.
An ISO 27001 gap analysis shows companies which of the ISO 27001 cybersecurity controls are already in place, and sometimes offers additional information about their progress in meeting the requirements of the ISO 27001 standard.
Companies often hire consultancies to perform the ISO 27001 gap analysis. During this process, an ISO 27001 gap analysis specialist assesses the organization’s existing information security processes, procedures, and documentation.
The specialist then compares those against the requirements of the ISO 27001 standard to identify opportunities for improvement in the existing information security processes and procedures, address any deficits against the standard’s requirements, and mitigate the risk of data breaches.
After this assessment, the organization receives a gap analysis report detailing the findings, including:
- The overall state and maturity of their information security processes and procedures.
- The specific gaps between these processes and procedures and the requirements of the ISO 27001 standard.
- Options for the scope of an ISMS, and how that helps meet business and strategic objectives.
- An outline action plan and indications of the level of effort by management that’s needed to implement an ISO 27001 ISMS.