We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info: https://bio-overheid.nl/ This baseline is a selected subset of ISO27002 controls, chosen based on the information security risks for Dutch governments. We have already created information security policies and procedures and implemented most of the organizational and technical controls.
1. Would it be acceptable for the ISO27001 certification to do a risk assessment and treatment based on a gap analysis of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.
2. If so, do we have to implement all technical and organizational controls before we start the certification process? Or is it sufficient that we prove we are in control of the risks by following the ISO27001 ISMS norm?