GRC Solutions x Digital Trust Consulting. One partner for complete cyber resilience

UK Borough Council Case Study

ISO 27001 Gap Analysis

The need

Our client, a UK local authority, wanted to compare its information security practices with the security controls set out in Annex A of the information security management standard ISO/IEC 27001.

The solution

IT Governance’s ISO 27001 Gap Analysis consultancy service.

The outcome

Understanding the extent to which our client was following information security best practice, with the aim of improving its data processing activities.

Background

Our client, a large UK borough council, provides residents with a full range of local government services, including social care, children’s services, housing, libraries and environmental services.

In its daily activities, the council processes a vast amount of data relating to residents, businesses and other parties. Much of this data is very sensitive, so its protection is paramount, especially in light of the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, both of which prescribe severe penalties for data breaches.

The council therefore commissioned IT Governance to carry out a gap analysis against ISO 27001, the international standard for information security management.

Requirements

Our client wanted to determine the extent to which it was following information security best practice to protect the data it processes, as a breach could have serious consequences both for the client and for the public.

It therefore commissioned an assessment of its current security practices, using the best-practice controls in Annex A of ISO 27001 as a benchmark.

ISO 27001 sets out the requirements for an information security management system (ISMS), a holistic approach to information security that comprises policies, procedures, guidelines, and associated resources and activities that protect an organisation’s information assets.

Annex A of ISO 27001 contains a comprehensive list of security controls, which are typically selected and implemented as part of the Standard’s risk management process.

Implementing an ISMS enables an organisation to secure its information in all forms, increase its resilience to cyber attacks, and, because it is based on a formally defined risk management process, adapt to evolving security threats and reduce the costs associated with information security.

It also helps an organisation demonstrate that it has implemented the “appropriate technical and organisational measures” required by the GDPR and DPA 2018.

(For organisations that want to go further, ISO/IEC 27701 was created with the aim of demonstrating compliance with data protection laws. Its requirements can be integrated with any ISMS.)

Independently audited certification to ISO 27001 is recognised around the world as an indication that an organisation has implemented and maintains information security best practice.

The first step of any ISO 27001 implementation project is to conduct a gap analysis to determine how far short of the Standard’s requirements your organisation’s existing information security practices fall.

The process

We conducted a discovery phase on site over several days, comprising interviews with key stakeholders covering the relevant control areas.

We also reviewed the council’s relevant documents and records, where possible, to determine the extent of their conformity to each control in Annex A.

This analysis included an assessment of:

  • Whether each of the Annex A controls was likely to be required by the council and, if they were, whether they were currently in place; and
  • The extent to which and/or how consistently the selected controls were implemented, operated, monitored and evaluated.

Our consultant then produced a compliance status report detailing the findings for each Annex A control, complete with recommendations for improvement.

Comparing the council’s existing security practices against international best practice provided a clear understanding of where improvements could be made, organised by importance.

The findings of our gap analysis report were colour-coded to help our client prioritise its approach to improving its information security practices: red to indicate nonconformity with the relevant control requirements, yellow to indicate partial conformity and areas where improvement could be made, and green to indicate conformity.

Implementing an ISMS is a significant undertaking that requires a focused investment of time and resources across the entire organisation. Gaining the necessary high-level support for such a project therefore takes time, and not every organisation has the capacity to achieve full compliance with ISO 27001 immediately.

Although the council is not yet in a position to implement all the elements of an ISO 27001-compliant ISMS or pursue certification to the Standard, we recommended adopting an overarching information security policy. We therefore supplied a sample policy as part of our report.

The outcome

Our consultant worked with our client to analyse its information security practices against ISO 27001, and provided a detailed report that helped the council prioritise the areas that required improvement.

The council was found to conform to 52% of the Annex A controls. Where it was non-conformant, we provided guidance on the improvements it needed to make.

In most cases, the necessary process improvements involved revising and improving documentation.

The solution: ISO 27001 Gap Analysis

IT Governance’s ISO 27001 Gap Analysis service provides a specialist, in-person review of your information security posture against the requirements of ISO 27001.

This gives you an accurate picture of your ISO 27001 compliance gaps, as well as expert advice on how to scope your project and establish your project resource requirements.

One advantage over questionnaire-based gap analyses is the level of expert analysis and insight you get from a specialist. With an in-person gap analysis, you will have a clear idea of the proposed scope of the ISMS, be able to set realistic project expectations, and obtain customised and detailed information necessary to develop a strong business case for implementing an ISO 27001-compliant ISMS.

Key features

An informed assessment of:

  • Your compliance gaps against ISO 27001;
  • The proposed scope of your ISMS;
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.


Why choose IT Governance?

Our ISO 27001 implementation methodology has been honed over 15 years.

We are known as the global authority on ISO 27001 – our founders led the world’s first certification project when the Standard was known as BS 7799.

We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.

You benefit from real-world practitioner expertise, not just academic knowledge.

We have trained more than 7,000 professionals on ISO 27001 implementation and audit worldwide.

We have helped more than 600 clients achieve certification to and compliance with ISO 27001.

We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organisation.

Our pricing and proposals are completely transparent, so you won’t get any surprises.
