ISO 27001 gap analysis: what you need to know
Are you looking to overhaul your information security system with ISO 27001 as a framework? Conducting an ISO 27001 gap analysis is an essential step in assessing where your current information security system falls short and what you need to do to improve it. Getting to grips with the standard and what it entails is an important starting point before making any drastic changes to your processes.
It may be that you already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you, one that will require fundamental changes to your operations, products or services.
What is a gap analysis?
Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've already implemented as part of your information security management system (ISMS), and which ones you haven’t.
Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part is about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy, and so to that question you can answer 'Yes'.
Gap analysis vs. risk assessment
Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory, but it is strongly recommended. It helps to have first defined your ISMS's scope, because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave those parts out of your gap analysis.
A gap analysis is compulsory for the 114 security controls in Annex A that form your statement of applicability, as this document needs to demonstrate which of the controls you've implemented in your ISMS.
The risk assessment is an essential document for ISO 27001 certification and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.
- Gap analysis: tells you what you're missing to comply with ISO 27001. Doesn't tell you which controls to apply to address the risks you've identified.
- Risk assessment: tells you which controls you should apply. Doesn't tell you which controls you already have.
When to do a gap analysis
When you do your gap analysis depends on how far along you are with implementing your ISMS.
- If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. In this case, you might want to leave your gap analysis until further into your ISMS's implementation.
- If your implementation is underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
- If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So, you might want to do it towards the end of your implementation.
How can quality management systems help?
Your quality management system (QMS) can be used as your ISO 27001 gap analysis tool, letting you perform a thorough analysis of your information security system and identify the key areas of the standard you need to prioritise. Our quality management software, Q-Pulse, brings all your data into one centralised location, making it easier to perform a gap analysis and then plan the actions that need to be taken.
Find out more about how Q-Pulse can help you undertake an ISO 27001 gap analysis and how to achieve ISO certification in our free white paper.