Hi,

I'm kinda new to the ISO 27001 standard and was wondering if I could get some views on what a gap assessment should cover. I been told by a number of people that it is performed to evaluate the readiness of the organization against all clauses (4 to 8).

However some mention that the controls (A.5 to A.15) are also to be checked against. Isn't an RA performed to check this ?

Any clarifications would help. Thanks

Perhaps a view of a gap analysis worksheet on ISO 27001 and found in this post (http://elsmar.com/Forums/showpost.php?p=239843&postcount=1) may be helpful.

Thanks Harry!!!!