I just started working for a fintech company and they are aiming at getting the iso27001 certificate. I have the two part question, how can I conduct the iso27001 gap analysis and what are the minimum requirements to achieve the iso27001 certificate?
Answer: First is important to note that ISO 27001 gap analysis is not mandatory, and is actually not recommended for smaller companies because it only takes away the resources without providing many benefits.
Considering that, the best approach is to develop a checklist of which items you need to verify, and which results you have to find to define if there is a gap or not. When looking for results, some approaches you may use are interviews, documentation evaluation, and field observation. Based on that approach it is easier to develop action plans to eliminate the gaps.
It was developed as a simple question-and-answer questionnaire so you can visualize which specific elements of an information security management system are already implemented, and what is still needed to do.
2 - what are the minimum requirements to achieve the iso27001 certificate?
Answer: Broadly speaking, the minimum requirements to fulfill if you want to go for ISO 27001 certification are related to clauses 4 to 10 of the standard, involving: - documentation and implementation of information security-related requirements (e.g., ISMS scope, Information Security Policy, Risk Assessment and Risk treatment, etc.) - performing internal audit and management review - treatment of nonconformities and corrective actions.