ISO 27001 Gap Analysis
The creation of ISMS documents takes a lot of time. Important aspects can be overlooked. As complexity increases, ISO27001 documentation becomes increasingly massive in quantity and variety. It helps to carry out an ISO27001 gap analysis. This is used to identify inconsistencies in the management system. The aim is to identify the documentary issues so that these gaps can be corrected faster and in a focused manner. Without a gap analysis, you may run the risk of failing in the certification audit. For very simple business models, the ISMS should not be overly complex, so a gap analysis is not absolutely necessary. However, anyone who has created their ISMS independently without a consultant should not risk submitting the documentation to a certification body without a gap analysis.
What is a Gap Analysis?
A gap analysis is often incorrectly referred to as an “internal audit”. During this analysis, the security level is analyzed based on the documentation. The requirements of the respective standard are taken into account (e.g. ISO27001:2022, TISAX, ISO9001, ISO14001). All documents, including company records, are examined on the basis of the standard-specific catalog of requirements. The identified gaps must then be remedied before the certification audit. Contrary to some claims, a gap analysis is not a measure required by the standard. Therefore, you can apply for and successfully carry out an audit of the certification body even without a GAP analysis. Nevertheless, these gap analyzes will make you better prepared for the audit date. The fewer gaps an auditor identifies, the faster you can resolve the outstanding issues and get your certificate. If there are too many obvious gaps, the certification body can reject an audit during the preliminary inspection.
The auditors refer to weaknesses in the documentation as non-conformities. A distinction is made between small deviations (minor non-conformity) and large deviations (major non-conformity). Small deviations do not pose a risk of failing the audit. But if too many such small deviations accumulate, they can develop into a large deviation. Large deviations prevent the certification authority from issuing a certificate. Only when the organization has addressed all of its major problem areas and demonstrated compliance can the certification body issue the ISO27001 certificate.
In addition, the gap analysis of an ISMS provides a number of suggestions / opportunities for improvement. It identifies areas in which areas of improvement can make it easier to implement in everyday operations.
In the following video you will learn more about gap analyzes and their effect on information security:
What can a Gap Analysis detect?
In addition to inconsistencies, a gap analysis also identifies problems in the available resources and operational evidence.
The GAP analysis has a similar effect to the interim report at school, because it tells you the level of maturity achieved by the organizational, technical and personnel measures. Some companies believe that you can buy an ISO 27001 document template from the Internet for £200 and then successfully survive a certification audit. Reality quickly catches up with these companies: Experienced auditors quickly recognize a run-of-the-mill template without reference to the business model. In such a case, the audit fails right at the beginning of stage 1.
As already mentioned, gap analysis supports compliance with ISO27001 requirements.
Here are a few examples of what this investigation can identify:
- Failure to implement required security measures
- Lack of relevance of security measures to the company
- Need for improvement in the formulation of security measures
- Missing or incomplete employee training
- Incomplete training plans and possibly unsuitable awareness training
- Lack of management reviews or internal audits
- Incomplete or missing emergency plans
- Incomplete risk assessment
- Inconsistencies in applicability & scope
A gap analysis can identify information security risks and request appropriate countermeasures. The results of the gap analysis represent a measurement of organizational security. The organization’s goal should be to ensure a high level of security in the company.
How do you improve your information security management system?
You have to go through your ISMS systematically. The best thing to do is to print everything out and read it step by step. You use 3 different markers (red, orange/yellow, green/blue) to mark text passages that may need to be improved or are good but can achieve considerable sustainability in operational practice through an addition. Of course, you have to sift through typos, grammar and sentence structure just like you would in school. You shouldn’t repeat this too often because you’ll quickly start to miss incorrect content. Here it helps to have a second person read through the text.
To proceed systematically, use checklists for each area of documentation. It also helps to have the standard at hand. In the UK, BSI Knowledge is responsible for publishing the standard documentation for ISO27001. The English-language standard documentation costs around £126 (plus VAT) and can be purchased online from BSIK together with comments. This allows you to read individual things. However, this document is not the only criterion for creating an ISMS.
How can you find out more about ISO 27001 certification?
On this website you will find several videos that explain the process of an ISO 27001 project as well as the certification (audit, certification body). These give you a quick insight into what you should pay attention to. But if you would like more information, you can click on this English-language ISO 27001 book from our company founder: ISBN: 979-8865141501, book title: “Information Security based on ISO 27001 Strategies: A Leadership Introduction to Information Security” – also available on Amazon. The book explains briefly and concisely what you have to do to prepare your company for ISO 27001 certification and how to avoid resistance in your own organization.
Alternatively, you can take part in one of our lecture series, workshops or online courses. These events take place monthly or quarterly in English or German. The speakers are experienced lead auditors who work for various certification bodies in the UK, Germany, USA, Turkey, Netherlands and Poland. The workshops are aimed at board members, project managers, ISMS implementers and internal auditors. The online courses, on the other hand, are available for aspiring implementation experts and as employee training. The ISO 27001 implementation courses are largely in English as people from several countries take part. Employee training is for employees who deal with personal data or other vulnerable data in their daily work.