Gap Analysis Question
I would like to know if it is necessary to define a scope to conduct a gap analysis. What is the best practice?
First, it is important to note that ISO 27001 does not require a gap analysis to be performed.
Considering that, you should define a scope for your gap analysis so you can understand which kind of questions you need to consider.
For example, if your gap analysis scope is Research and Development, it does not make sense to include questions related to HR or sales processes.
Additionally, we do not recommend using it for companies with fewer than 500 employees because it would make your implementation unnecessarily complex.
You can access the ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
For further information, see:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
Mar 03, 2023