Expert Advice Community


Gap analysis results

Guest user Created:   Oct 21, 2022 Last commented:   Oct 21, 2022


We have recently undergone a Gap Analysis with NQA ready for our ISO certification, and some significant failings were discovered during the process.

The key bits were the difficulty in identifying / linking documentation to clauses, missing clauses without explanation and missing information on areas provided.

Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.


Rhand Leal Oct 21, 2022

1 - Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

Please note that besides the ISMS scope, required by clause 4.3, there is no other documentation required by section 4 of the standard. The ISMS Scope is documented within Conformio.

Clause 4.1 requires the context of the organization to be determined, but it does not need to be documented.

Clause 4.2 requires interested parties and their requirements to be determined, and this is documented in the List of legal, regulatory, and contractual requirements.

For further information, see:

2 - Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.

The standard requires risks to be identified considering the loss of confidentiality, integrity, and availability, and this is done in Conformio by assessing the impact taking into account C-I-A - this is also specified in the Risk Assessment Methodology. The standard does not require C-I-A to be assessed separately.

For further information, see:
