ISO 27001: Gap analysis vs. risk assessment

Gap analyses and risk assessments are two of the most important processes organisations must complete when implementing ISO 27001 or reviewing their compliance status.

There are a lot of similarities between the two, which often causes organisations to confuse them and use elements of one process in the other.

This leads to unnecessary work and expenditure, and in some instances can result in the organisation failing to meet ISO 27001’s requirements.

To make sure this doesn’t happen to you, we’ve provided a quick guide explaining how each process works and how they fit together.

What is an ISO 27001 gap analysis?

An ISO 27001 gap analysis gives organisations an overview of what they need to do to meet the Standard’s requirements.

It involves going through each clause of ISO 27001 and determining whether the organisation has implemented the necessary requirements.

This could be a simple tick-box exercise, with the unchecked requirements forming the gaps that might need to be addressed (not all clauses need to be implemented).

Alternatively, you could take a more complex approach, determining whether:

  • There is no plan to implement the requirement;
  • There is a plan but the requirement hasn’t been implemented;
  • The requirement has been partially implemented;
  • The requirement has been implemented but hasn’t been reviewed; or
  • The requirement has been implemented and is regularly reviewed.

Gap analyses only need to be performed when developing your Statement of Applicability, which means that you don’t need to analyse the clauses contained in the main part of the Standard, only those in Annex A.

What is an ISO 27001 risk assessment?

Risk assessments give organisations an idea of the threats facing them, how likely it is that each of those scenarios will occur and how severe the damage will be.

The process begins by creating a long list of risks, each of which is then given a risk score.

This is calculated by assigning a number to varying degrees of probability and damage, thus enabling the organisation to prioritise its biggest risks and to decide which of ISO 27001’s controls it should implement.

If there are no risks that would justify the use of a certain control, there is no need to implement it.

By contrast, if a control helps prevent a highly damaging or probable risk, the organisation should dedicate additional time and resources to it.

What’s the difference between the two?

A gap analysis shows organisations which of ISO 27001’s controls they have implemented, and in some cases provides additional information about their progress in meeting the Standard’s requirements.

However, it doesn’t help organisations understand whether each control is necessary. That’s what a risk assessment is for. The two processes therefore form two parts of a whole.
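As an added illustration of how the two processes fit together (this is example code, not part of the original article or any tool it mentions), the script below scores a small constructed risk register, works out which controls the scored risks justify, and then reads the gap-analysis status of each justified control to produce an action list. The likelihood × impact scoring, the 1–5 scales, the threshold and the control-to-risk mapping are all assumptions; the control identifiers follow the Annex A numbering style but the mapping is constructed for illustration.

```python
# Added example: combining a risk assessment with a gap analysis to decide
# which Annex A controls to implement and in what order. Scores, scales,
# threshold and the control-to-risk mapping are constructed assumptions;
# ISO 27001 does not prescribe this particular scoring scheme.

# Gap-analysis status levels as listed in the article, lowest to highest maturity.
GAP_LEVELS = [
    "no plan",
    "planned",
    "partially implemented",
    "implemented",
    "implemented and reviewed",
]

# Constructed risk register: (risk, likelihood 1-5, impact 1-5, mitigating controls).
RISKS = [
    ("R1 laptop theft",           4, 4, ["A.7.7", "A.8.1"]),
    ("R2 phishing for passwords", 5, 3, ["A.6.3", "A.8.5"]),
    ("R3 server room flood",      1, 2, ["A.7.5"]),
]

# Constructed gap-analysis results for the same controls.
GAP_STATUS = {
    "A.7.7": "planned",
    "A.8.1": "implemented and reviewed",
    "A.6.3": "partially implemented",
    "A.8.5": "no plan",
    "A.7.5": "no plan",
}

def risk_score(likelihood, impact):
    """Risk score as probability x damage (assumed scheme)."""
    return likelihood * impact

def control_priorities(risks, threshold):
    """Map each justified control to the highest score among the risks it mitigates.
    A control whose risks all fall below the threshold is left out: per the article,
    there is no need to implement a control no risk justifies."""
    justified = {}
    for _, likelihood, impact, controls in risks:
        score = risk_score(likelihood, impact)
        if score < threshold:
            continue
        for control in controls:
            justified[control] = max(justified.get(control, 0), score)
    return justified

def action_plan(risks, gap_status, threshold=6):
    """Justified controls ordered by risk score, each with its gap status.
    Controls already 'implemented and reviewed' need no further action."""
    priorities = control_priorities(risks, threshold)
    ordered = sorted(priorities.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(control, score, gap_status.get(control, "no plan"))
            for control, score in ordered
            if gap_status.get(control, "no plan") != GAP_LEVELS[-1]]
```

Running `action_plan(RISKS, GAP_STATUS)` lists the unjustified control A.7.5 nowhere, drops A.8.1 because it is already implemented and reviewed, and puts A.7.7 first because it mitigates the highest-scoring risk.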

Simplify the risk assessment process

The risk assessment process is often difficult and complex to manage, and frequently requires external assistance.

Download our free green paper ‘Risk Assessment and ISO 27001’ to find out:

  • Common issues to avoid surrounding the risk assessment process;
  • How to produce reliable and robust results in five straightforward stages; and
  • How to use risk assessments to achieve maximum benefits from minimum security costs.