"ISO 27001 Gap Assessment" and "ISO 27001 Checklist" have been the top trending Google keyword searches relating to ISO 27001, so there is clearly a lot of interest in this topic. In this blog, I walk you through, in detail, how to plan and conduct your ISO 27001 Gap Assessment.
At the end of this blog, I have included a FREE ISO 27001 Gap Assessment Checklist for download. This checklist will springboard your ISO 27001 certification journey and save you time and resources. To understand the entire ISO 27001 certification roadmap, please read my other blog titled "ISO 27001 Certification | Malaysia": https://www.energized-inc.com/post/iso-27001-certification-malaysia
Why ISO 27001 Gap Assessment?
Start your ISO 27001 journey by finding out where you stand in relation to your target. I always use this analogy: a map with a destination marked on it is only useful once you know where you are. You first need to locate yourself on the map before you can chart the route to your destination.
By doing an ISO 27001 Gap Assessment, you will find answers to these questions:
Where you are (your organization's as-is status against the ISO 27001 clauses and controls)
How far you have to go (how big the gap is)
Based on that gap, what resources are needed to close it (budget, technology, people and time)
This marks the beginning of your journey: you plot the milestones, time and resources you need to reach ISO 27001 certification.
Tips: If you are in the middle of a compliance exercise with a regulatory body, the Gap Assessment Report and the resulting roadmap are among the key documents that demonstrate your commitment to compliance and to ISO 27001 certification.
At times, a regulator may grant conditional approval on the strength of the commitments you present in these documents.
Prepare for ISO 27001 Gap Assessment
Forming your Information Security Management System (ISMS) committee at this juncture is crucial. By forming the ISMS committee, you achieve the following:
Management commitment to allocate resources to the ISO 27001 journey.
A mandate for the ISMS committee to carry out information-security-related activities.
Assurance that each of the ISO 27001 areas and controls has an owner who is taking care of it.
Clear direction and a single point of reference for information security matters across your organization.
Prepare ISO 27001 Gap Assessment
Select and define the scope of ISO 27001 certification
Appoint the ISO 27001 Gap Assessor
Identify the ISO 27001 Gap Assessment respondents
Prepare the ISO 27001 Gap Assessment schedule
Issue the ISO 27001 Gap Assessment notice (at least 2 weeks in advance)
Obtain commitment from respondents on the Gap Assessment dates
Conduct ISO 27001 Gap Assessment
Conduct the ISO 27001 Gap Assessment sessions
Take Gap Assessment notes
Prepare the ISO 27001 Gap Assessment Report
Present the findings of the ISO 27001 Gap Assessment Report
Tip 1: Appointing an experienced ISO 27001 Gap Assessor is critical. The Gap Assessor must be fluent in, and have hands-on experience with, the interpretation and implementation of the ISO 27001 requirements, clauses and Annex A controls.
Tip 2: During the Gap Assessment sessions, respondents may become defensive. The Gap Assessor's skill in handling that resistance, by sharing real-life risks and practical ways of implementing the ISO 27001 security controls, is critical to obtaining the respondents' buy-in.
Tip 3: The Gap Assessment respondents should be the most experienced representatives from each department of your organization, as they are the people who know how things are actually done.
Tip 4: Besides assessing documented policies and procedures, the Gap Assessor should also assess existing practices that have not been documented. If an undocumented practice already meets the requirements of an ISO 27001 control, that area may score as partially compliant (the practice is in place but the documented evidence is missing), which narrows the gap and can make a significant difference to the length of the entire certification journey.
FREE ISO 27001 Gap Assessment Checklist
To help you jump-start your ISO 27001 journey, I have included here a free ISO 27001 Gap Assessment Checklist. The checklist contains the key questions you should ask against each of the ISO 27001 clauses and controls.
The completed checklist can be turned directly into your ISO 27001 Gap Assessment Report. It includes a graphical representation of your overall ISO 27001 compliance level.