
Mind the Gap

Lee Scorey


When it comes to implementing ISO27001, one of the first things people will tell you is that you need to perform a Gap Analysis. But what is a Gap Analysis, and why is it so important?

Great question. Glad you asked.

Firstly, if you’re looking to achieve ISO27001 certification, you need to know where you might fall short of the requirements. The Gap Analysis step of achieving certification is vitally important, so don’t underestimate it.

To put it simply, the Gap Analysis (done well) provides a road map to achieving ISO27001.

Additionally, without performing the Analysis, you’ll never know where your weaknesses are in your policies, processes and technologies. These gaps become windows of opportunity for cybercriminals, insider threats and data breaches.

Mind the Gap

To improve anything in your life, like health, wealth or business, you first need to know where you are today. You need to understand the ‘as is’ status. That gives you a clear picture of what is missing and therefore of what would make the biggest improvement.

As most of you will know, ISO27001 has a set of controls known as ‘Annex A’, against which you can assess where your gaps are and how to improve your security. The current (2013) edition of Annex A has 114 controls; the 2022 revision consolidates them into 93.


The idea behind the Gap Analysis is that the consultant will look at what you do currently and assess you against the standard’s requirements to see if you meet its needs.


Allow me to offer an example.

Under control A.5.1.1 of the current Annex A (the first control under section A.5.1, ‘Management direction for information security’), the requirement states:

A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.


When we assess you against this requirement, we want to know:

  • Is there a defined (i.e. documented) set of policies in place? If so, what are they?

  • Have they been approved by management? If so, how, by whom, and is that approval recorded?

  • Have they been published (i.e. shared)? If so, how and where?

  • Have they been communicated to employees and relevant external parties? If so, how, and can you show it?

Under just one requirement, several distinct gaps can appear (no policies, policies that exist but were never approved, approved policies nobody has been shown). Our job is to understand which gaps you have, assess how big each one is, and work out what steps to take to close them.

Is it a gap or a chasm?

Starting with a Gap Analysis is essential if you’re looking to achieve ISO27001. Please don’t just leap in and get started. That would be like attempting to walk up a mountain before assessing your basic fitness levels!

Once you’ve completed your Gap Analysis, you’ll know if you have a few small gaps to close or a chasm and a mountain to climb! This can then inform your decision to either go for formal certification against ISO27001 or if you feel the task would be too big for you (right now).

In my experience, too many organisations don’t understand the basic requirements of ISO27001 before taking on the challenge. But if they had completed the Gap Analysis, they would have a better understanding of what is required and where they fall short.

My Gap Analysis Process

When I work with companies to understand where their gaps are, it’s a pretty simple process:

  1. Review all available documentation relevant to the standard

  2. Interview key people from across the business

  3. Assess the business using ISO27001 and the Annex A controls

  4. Produce a prioritised list of gaps, with tasks and suggestions to close each one

  5. Present this to the business.

To be honest, it’s a pretty standard process that most consultants will take you through. However, I add a dose of pragmatism and reality, just to add flavour! Not all controls are created equal: some carry more risk if left unaddressed, and some require a higher degree of evidence and documentation than others, so the prioritisation matters as much as the list itself.

The Gap Analysis; A Window of Opportunity

Before embarking on ISO27001, you need to know if you’re up for the journey. You might be closer than you think, and the Gap Analysis process will show you just what you need to do to achieve this important standard.

The Gap Analysis shows you where you are vulnerable to internal and external threats and how you can manage your exposure to these risks.

The Gap Analysis becomes your road map to improving AND protecting your business. It is your ‘toe in the water’ to see if ISO27001 is right for you.


Don’t underestimate the power of the Gap!

Give me a call

If you’re interested in ISO27001 or concerned about GDPR, give me a call today, and we’ll discuss the Gap Analysis I provide.



PS: To get started on your own Gap Analysis, why not gather all the security-related policies you have and answer the following question: when were they last reviewed, updated, and communicated? Does the answer make you feel uneasy? Then there is your first gap.