Gap analysis results

1 - Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

Please note that besides the ISMS scope, required by clause 4.3, there is no other documentation required by section 4 of the standard. The ISMS Scope is documented within Conformio.

Clause 4.1 requires the context of the organization to be determined, but it does not need to be documented.

Clause 4.2 requires interested parties and their requirements to be determined, and this is documented in the List of legal, regulatory, and contractual requirements.

For further information, see:

• For clause 4.1: How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

2 - Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.

The standard requires risks to be identified considering the loss of confidentiality, integrity, and availability, and this is done in Conformio by assessing the impact taking into account C-I-A - this is also specified in the Risk Assessment Methodology. The standard does not require C-I-A to be assessed separately.

For further information, see:

• Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment