Gap analysis results
We have recently undergone a Gap Analysis with NQA ready for our ISO certification, and some significant failings were discovered during the process.
The key bits were the difficulty in identifying / linking documentation to clauses, missing clauses without explanation and missing information on areas provided.
Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.
Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.
Assign topic to the user
1 - Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.
Please note that besides the ISMS scope, required by clause 4.3, there is no other documentation required by section 4 of the standard. The ISMS Scope is documented within Conformio.
Clause 4.1 requires the context of the organization to be determined, but it does not need to be documented.
Clause 4.2 requires interested parties and their requirements to be determined, and this is documented in the List of legal, regulatory, and contractual requirements.
For further information, see:
- For clause 4.1: How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
2 - Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.
The standard requires risks to be identified considering the loss of confidentiality, integrity, and availability, and this is done in Conformio by assessing the impact taking into account C-I-A - this is also specified in the Risk Assessment Methodology. The standard does not require C-I-A to be assessed separately.
For further information, see:
Comment as guest or Sign in
Oct 21, 2022