Expert Advice Community

Guest

Gap analysis

  Quote
Guest
Guest user Created:   Dec 13, 2018 Last commented:   Dec 17, 2018

Gap analysis

I wonder, how important is gap analysis for planning process in isms based ISO 27001:2013 ? Why we should do gap analysis (at this point, i want to make a plan for implementing isms in an organization)?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 13, 2018

Answer:

Although it is not mandatory by the standard, a gap analysis is important in a sense that it can provide you a snapshot of the current situation of an organization considering a referential (in this case ISO 27001). It can give you an overview of where you are already compliant with the standard and about the effort required to be fully compliant, allowing a better planning of an implementation project. If you already have some information security practices already implemented but you are not sure if they are complaint with the standard, performing a gap analysis can help you with this understanding. On the other hand if you are starting your information security alternatives now there is no need to perform a gap analysis (remember, this is not a mandatory requirement for ISO 27001).

To see how a ISO 27001 gap analysis looks like, and perform it if you want, I suggest you to take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

These articles will provide you further explanation about gap analysis and ISO 27001 implementation:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Quote
0 0
Guest
monikefebrianti Dec 17, 2018
so, it have no relation with establishing isms? i mean, i saw that some of reference just make gap analysis as one of its step, it placed between define scope and risk assessment. is there any method that make gap analysis as a step after we just passed risk treatment phase?
thank you
Quote
0 0
Expert
Rhand Leal Dec 18, 2018
Please note that although Gap Analysis is not mandatory for ISO 27001, it is a good practice to perform it for the establishment of an ISMS compliant to this standard, for the reasons presented in the previous answer ("... It can give you an overview of where you are already compliant with the standard and about the effort required to be fully compliant...").

Gap analysis can be performed at any moment during your implementation project, but it is more effective before risk assessment (because its results can help you avoid unnecessary efforts and costs). Since you have passed the risk treatment phase (it is not clear if you already implemented the controls or not), the Gap analysis can help you confirm if your defined treatments that are the most relevant and proper ones to your context, or if you need to make adjustments (e.g., including, adjusting or excluding controls).
Quote
0 0
Guest
monikefebrianti Jan 17, 2019
so, if i never implemented isms before, i just started to plan it now, gap analysis will be not necessary? or maybe it can be helpful ?
Quote
0 0
Expert
Dejan Kosutic Jan 18, 2019
In my view, if you never implemented ISMS before and you are a small company, you should not be doing the gap analysis. It requires too much effort and it will only confuse you.

Far better approach is to follow the steps in the ISO 27001 implementation and find out along the way what is missing in your company.

These materials will show you the implementation steps:
- article ISO 27001 implementation checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- ISO 27001 Foundations Course: https://training.advisera.com/course/iso-27001-foundations-course/
Quote
0 0
Guest
monikefebrianti Jan 18, 2019
thank you so much. i found it very helpful.

best regard
monike
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 13, 2018

Jan 18, 2019

Suggested Topics

Guest user Created:   Sep 07, 2020 ISO 27001 & 22301
Replies: 1
0 0

Inquiry about Gap Analysis

Guest user Created:   Jun 12, 2020 ISO 27001 & 22301
Replies: 1
0 0

Gap analysis

Guest user Created:   May 27, 2020 ISO 27001 & 22301
Replies: 1
0 0

ISO 22301 gap analysis