ISO 27001 gap analysis: why do we need one if there are free tools available?

Clients interested in implementing ISO 27001 sometimes ask why they should consider a consultant-driven ISO 27001 gap analysis if there are many free gap analysis tools available online.

Some say that a gap analysis only tells you how far you are from meeting the ISO 27001 requirements/controls, and doesn’t actually explain what you should do to close that gap.

The simple answer is that a gap analysis is really as long as a piece of string: a questionnaire-based gap analysis will merely give you a list of questions you need to answer – clause-by-clause for ISO 27001:2013, and per control from the Statement of Applicability.

Although this kind of approach could be helpful if you are merely thinking about ISO 27001 and its application to your organisation, it has serious shortcomings for an organisation more serious about implementing the Standard but not yet ready to go ahead with a full-scale implementation.

A gap analysis isn’t always required

Firstly, a gap analysis is indeed not always needed. When we undertake an ISO 27001 FastTrack™ project, for instance, in which our consultants deliver the entire ISMS for a small company, there is no need for a gap analysis because the scope of the project is known and the entire project will be managed for a fixed price.

For larger companies or more extensive projects, a gap analysis is the logical starting point.

Know what ‘good’ looks like

Free tools, while having the advantage of being free, don’t come with the sort of depth of understanding that a professional consultancy service offers. Most organisations will benefit from an external examination to really get a handle on what will be required for an effective and successful ISO 27001 implementation.

If you are going to opt for a gap analysis, you should know what to expect in order to get the most value for your money.

A comprehensive gap analysis should be conducted on-site, giving you the benefit of a detailed, in-person assessment of your current security arrangements. Such an exercise should ideally be conducted over a period of two or three days by an ISO 27001 implementation specialist.

The gap analysis should serve as a high-level review of your policies, procedures, management understanding and commitment, organisational culture, information security processes and controls. The consultant will conduct interviews with key managers and review your existing documentation and records in order to get a general understanding of your business and its readiness for such an implementation project.

Scoping challenges

A critical starting point for implementing ISO 27001 is to scope your intended ISMS. This can be a tricky undertaking if data is stored in different locations or business units. Accordingly, by getting to understand your business requirements, your consultant should also provide you with guidance that will help you define the scope of your ISMS implementation project.


The gap analysis should culminate in a concise document, with a red-amber-green compliance check against the Standard’s management system clauses and the information security controls in Annex A. You should also receive an action plan outlining ‘to-do activities’, including a description of the resources you may require for such an undertaking. This will enable you to compile a more accurate cost analysis for budgeting purposes.

For those still in the initial stages of securing budgetary approval for implementing ISO 27001, a gap analysis is a critical piece of work that will provide you with the evidence you need to develop a solid business case, and will enable you to secure the investment required for such a project.

