Conducting Gap Analysis for ISO 27001

LaJWa

#1
Hello,

My company is ISO 9001 certified and I've been asked to review ISO 27K and conduct a gap analysis. I am new to this project and not sure how to start. I am reviewing the international standard's ISMS requirements, but am not sure how to apply them to the gap analysis.

Any help would be appreciated. Thank you!
 

harry

Super Moderator
#2
Re: Conducting Gap Analysis for ISO 27K

Basically, a gap analysis is a comparison of the requirements of the standard against your current business practice. You will identify what you have (compliant), what you don't have (a gap) and what you have partially (a smaller gap).

Carrying it out for the documentation side (the method) is easier, but not for the security control side, where one would need relevant experience.

Some of these documents in our post attachments list may help make life easier for you.
 
pldey42

#5
ISO 27001 is unlike most (all?) other management system standards in that the Controls listed in Appendix A (and described in more detail in ISO 27002) aren't mandatory, but selected as a result of the risk assessment performed in 4.2.1 (and periodically thereafter). The controls need to be proportional to the risks identified.

(Some organizations are made to do all the controls by unthinking customers, and this makes no sense. Controls should be proportional to risks; some are not affordable, and some mitigate risks that only apply to some organizations. Some - vetting staff or encryption - aren't even legal in some countries or circumstances. Insisting on all the controls risks a false sense of security, waste of money on unnecessary controls, and installation of flimsy controls that are insufficient to withstand determined attacks.)

So, for example, having locks on doors might satisfy A.9.1.2, or might not: one only knows whether the locks are likely to be effective after risk analysis. If the risk analysis indicates that foreign intelligence services are a threat, good locks and probably several of them are advisable.

The most common reason for initial certification failures is putting controls in place (by following Appendix A or ISO 27002 mechanically) without implementing clauses 4, 5, 6, 7 and 8. The next most common cause for initial certification failure is inadequate risk assessment methodology.

One common difficulty is trying to "boil the ocean". Scope is often defined too broadly, and then the ISMS is too big to manage, and offers little value. 4.2.1.a allows an organization to focus its ISMS on the information assets that are critical to it in terms of confidentiality, integrity and availability and leave the rest to "normal" controls. For example, HR are usually good at controlling personal information and for many organizations ISO 27001 adds little value - the exceptions are those organizations (certain nameless government departments for example) whose staff might be vulnerable to coercion, in which case ISO 27001 might help protect their personal information (where they live) more effectively.

Some clients pragmatically iterate through defining scope, assessing risks, identifying controls until they narrow down on the information assets that really benefit from ISO 27001.

Especially challenging in ISO 27001 is managing behaviours of everyone in the organization, including top management. Like other management system standards, writing procedures is the easy bit - getting people to do them is another matter. For example, while a "no tailgating" policy is easy to write, getting people to do it here in the UK can be a challenge: Brits are too polite and insist on holding doors open for each other - especially when the tailgater is wearing jeans and heels, carrying a cup of hot tea in each hand and pretending to be unable to get her pass out of her pocket.

And a "clear desk" policy is sometimes greeted with "I'm too busy to do that. Lock the doors so we don't have to bother." Please note also that auditors and information security managers develop a sixth sense for where passwords are likely to have been written down ... It's important to remember too that introducing a control can itself bring risks, e.g. losing the encryption keys, backups get stolen, new automated locks lock everyone out, information security officer commits fraud (this allegedly happened at Renault), etc.

For some organizations a serious breach of information security can lead to loss of contracts, reputational damage or worse. For example, more than one company in the UK has lost Government business by mislaying a USB stick carrying large volumes of personal data, unencrypted, thus falling foul of Data Protection law. Often, breaches are caused by disgruntled employees - Wikileaks and the US diplomatic cables is the most obvious example.

This is what makes ISO 27001 an interesting challenge, and why risk assessment is essential. It's too easy to react emotionally to risks, and get controls out of proportion or even miss essentials by focusing too much on the dramatic risks reported in newspapers. The risk assessment method, leading to a sober, balanced assessment of information security risks, is an essential first step, arguably more important than the gap analysis because it will help identify where significant controls - and time and money - will be required.

Hope this helps,
Pat
 