ISO 27001 & 22301 / Gap Analysis Question
I would like to know if it is necessary to define a scope to conduct a gap analysis. What is the best practice?
First, it is important to note that ISO 27001 does not require a gap analysis to be performed.
Considering that, you should define a scope for your gap analysis so you can understand which kind of questions you need to consider.
For example, if your gap analysis scope is Research and Development, it does not make sense to include questions related to HR or sales processes.
Additionally, we do not recommend using it for companies smaller than 500 employees because it would make your implementation unnecessarily complex.
You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
For further information, see:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/