1. I have a question to ask. Do we do the gap analysis first or IT risk framework?
2. Which is easier to do? Looking forward to your feedback.
1. I have a question to ask. Do we do the gap analysis first or IT risk framework?
I'm assuming your questions are about ISO 22301 implementation and the management of IT-related risks.
Considering that, first, it is important to note that ISO 22301 does not require a gap analysis to be performed, while the risk assessment is mandatory. Second, gap analysis is not recommended for smaller companies, because in general it is not worth the effort due to their size and complexity. So, for smaller companies, it is better to perform only the IT risk framework, because it will give you more specifics about handling risks in your IT environment.
For bigger companies, the gap analysis will provide you with a quick and comprehensive view of how much of the standard you already have implemented, and the results of the gap analysis can be used as input for the IT risk framework.
2. Which is easier to do? Looking forward to your feedback.
Because gap analysis requires an overview of the situation, and the IT Risk Framework involves a deeper knowledge of risk management steps, the gap analysis would be easier to perform for a beginner.
This article will provide you with a further explanation of the gap analysis and risk assessment (although the article is about ISO 27001, the concepts also apply to ISO 22301):
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
May 19, 2020