Gap analysis question
They have sent me a gap analysis agenda on the implementation of ISO 27001:2013. As I understand it, the documentation I have acquired will, once completed, allow me to respond to this gap analysis. Is this correct?
First, it is important to note that the toolkit provides all the steps and documents for the implementation, and the best way for you is to follow the logic of the toolkit.
Considering that, you can use the results of the gap analysis to decide which controls to prioritize (once you start working on the Implementation Plan folder), but a gap analysis, in general, is not required for small organizations, because the effort to perform it does not bring a significant advantage to the implementation process (it is better to perform the risk assessment during the implementation).
Please note that a gap analysis is used for you to assess your current situation regarding ISO 27001 requirements, so you can use it right now. At this time the gap analysis will give you an understanding of the effort to implement the standard.
For further information, see:
- ISO 27001 gap assessment vs risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section20
Apr 17, 2023