. .

This design element requires flash & JavaScript to be enabled to play. Download the latest version of flash from Adobe.com.

ISO 27001/2 Gap Analysis Information Security

commissum consulting services include audits, security healthchecks, ISO27001 reviews, CLAS consultancy and policy creation and management.

Our security awareness, training and education services allow organisations to enhance their employees' awareness and understanding of information security issues through managed awareness programmes, and delivery of training and educational products.

ISO 27001 Reviews & Gap Analysis Assessments

  • ISO 27001 is the internationally accepted standard for Information Security management.
  • A number of regulating agencies, including the Data Protection Commissioner, have declared ISO 27001 to be a benchmark for prudent and competent practice.
  • commissum offers expert, independent assessment of the gap between current security management and an implementation of ISO 27001 that is appropriate to the organisation.

An ISO 27001/2 gap analysis identifies:

  • Improvements in security based upon industry best practice.
  • Achievement and shortfall in ISO 27001/2 control areas relevant to the business.
  • Plan of activities for ISO 27001 compliance.
  • Expert comment on formal ISO 27001 certification.

ISO 27001/2 gap analysis issues

ISO 27001 is the internationally accepted standard for Information Security management. Organisations of all sizes have identified the value of compliance, either pursuing formal certification through accreditation agencies, or adopting the standard through implementing ISO 27001 as their guiding framework for internal security management.

This issue been reinforced by a number of regulating agencies declaring ISO 27001 as their benchmark for prudent and competent practice, including the Data Protection Commissioner. There is also growing support within government contracting circles for ISO 27001 to be a future mandated standard.

There is obviously increased pressure to comply with ISO 27001. However, the scope of the standard is wide, and experienced, professional interpretation and guidance is essential for effective and economical application of the standard.

It can be difficult for an enterprise to make objective, well-informed decisions about how to adopt the standard cost-effectively, and whether to seek formal certification. It is a sensible first step to commission an independent expert review to assess how current practice compares with the standard and with accepted industry practice.

Approach

The gap analysis is essentially an audit focused on identifying the appropriate implementation of ISO 27001, and outlining the improvements required to achieve this.

The steps followed are:

  • Review information security policy and advise on and agree scope of the Information Security Management System.
  • Conduct a risk assessment workshop.
  • Agree control objectives (Statement of Applicability).
  • Review controls (interview, observation, and inspection).
  • Information Security Management status report and findings workshop - agree gap analysis.
  • Final report with recommendations for improvement and options for implementation of ISO 27001.

ISO 27001/2 gap analysis customer benefits

  • Provision of an expert, independent assessment of the gap between current security management and an implementation of ISO27001 appropriate to the customer's organisation.
  • Recommendations on business areas, systems and processes requiring improvements in security, based upon industry best practice.
  • Statement of achievement and shortfall in ISO27001 control areas relevant to the business.
  • Outline plan of activities for ISO27001 compliance.
  • Expert comment on the advisability of seeking formal ISO27001 certification.

Icon ISO 27000 gap analysis PDF (43.4 KB)

Get in touch with one of our security consultants today

  • No obligation
  • Expert advice
  • Tailored solutions
"commissum understood exactly what we needed and delivered excellent service on time, and on budget. Why can't all companies be like them!"

Mr Duncan M, Information Security Manager - National Building Society