Answer:
Although it is not mandatory by the standard, a gap analysis is important in the sense that it can provide you a snapshot of the current situation of an organization against a reference (in this case ISO 27001). It can give you an overview of where you are already compliant with the standard and of the effort required to be fully compliant, allowing better planning of an implementation project. If you already have some information security practices implemented but you are not sure whether they are compliant with the standard, performing a gap analysis can help you with this understanding. On the other hand, if you are starting your information security activities now, there is no need to perform a gap analysis (remember, this is not a mandatory requirement for ISO 27001).
To see what an ISO 27001 gap analysis looks like, and perform it if you want, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
These articles will provide you further explanation about gap analysis and ISO 27001 implementation:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
So, it has no relation with establishing an ISMS? I mean, I saw that some references just make gap analysis one of their steps, placed between defining the scope and the risk assessment. Is there any method that makes gap analysis a step after we have just passed the risk treatment phase?
Thank you
Please note that although Gap Analysis is not mandatory for ISO 27001, it is a good practice to perform it for the establishment of an ISMS compliant with this standard, for the reasons presented in the previous answer ("... It can give you an overview of where you are already compliant with the standard and about the effort required to be fully compliant...").
Gap analysis can be performed at any moment during your implementation project, but it is more effective before risk assessment (because its results can help you avoid unnecessary efforts and costs). Since you have passed the risk treatment phase (it is not clear if you have already implemented the controls or not), the Gap analysis can help you confirm whether your defined treatments are the most relevant and proper ones for your context, or whether you need to make adjustments (e.g., including, adjusting or excluding controls).
So, if I have never implemented an ISMS before, and I have just started to plan it now, will a gap analysis not be necessary? Or maybe it can be helpful?
In my view, if you have never implemented an ISMS before and you are a small company, you should not be doing the gap analysis. It requires too much effort and it will only confuse you.
A far better approach is to follow the steps in the ISO 27001 implementation and find out along the way what is missing in your company.
These materials will show you the implementation steps:
- article ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/
Thank you so much. I found it very helpful.
Best regards
monike
Jan 18, 2019