The purpose of this gap analysis checklist is to assess how well your organization's current processes conform to the requirements and controls of ISO/IEC 27001.

A gap analysis is typically conducted in the early stages of an ISMS project; however, organizations may perform subsequent analyses as part of ongoing monitoring and improvement activities. To make the most of the gap analysis when setting up an Information Security Management System (ISMS), follow the step-by-step approach below:

Step 1. Identify Key Stakeholders: Identify the key internal and external stakeholders, such as employees, customers, suppliers, regulators, and executive management. Understanding their needs and expectations shapes the ISMS and aligns it with organizational goals and compliance requirements.

Step 2. Define the ISMS Scope: Define the boundaries and applicability of the ISMS within the organization, specifying which assets, processes, and activities are included and which are excluded. The scope should align with the organization's business objectives and take into account the needs and expectations of relevant interested parties.

Step 3. Conduct a Preliminary Risk Assessment: Before the detailed risk assessment, perform a preliminary assessment to identify and prioritize potential risks to information security. This gives a high-level overview of the organization's risk landscape, covering the internal and external factors that could affect the confidentiality, integrity, and availability of information.

Step 4. Perform the Gap Analysis: Compare the organization's existing information security practices against the requirements and controls of ISO/IEC 27001 to identify where they already conform and where they do not. The result forms the foundation for a well-defined roadmap to implement, validate, or maintain the ISMS.
1 ISMS FRAMEWORK

NO | REQUIREMENT | CURRENT STATE/REFERENCE | GAP
4 | 4.4: Has the organization established, implemented, maintained, and continually improved an Information Security Management System (ISMS), including the necessary processes and their interactions? | |
7 | 5.3: Has the organization's top management assigned and communicated responsibilities and authorities for roles relevant to information security, including ensuring that the ISMS conforms to the requirements of the standard and reporting on its performance to top management? | |
10 | 6.1 (6.1.3): Has the organization established and implemented an information security risk treatment process that involves selecting suitable risk treatment options based on the risk assessment results, determining the controls necessary to implement those options, comparing them with the Annex A controls, producing a Statement of Applicability with justifications for the inclusion or exclusion of controls and their implementation status, formulating a risk treatment plan, and obtaining the risk owners' approval of the plan and acceptance of the residual information security risks? | |
11 | 6.2: Has the organization established information security objectives at relevant functions and levels, ensuring they are consistent with the information security policy, measurable (if practicable), aligned with applicable requirements, monitored, communicated, and updated as appropriate, and retained as documented information? Additionally, when planning how to achieve these objectives, has the organization determined the actions, resources, responsibilities, timeline, and evaluation methods? | |
13 | 7.1: Has the organization determined and provided the resources needed for the establishment, implementation, maintenance, and continual improvement of the Information Security Management System (ISMS)? | |
16 | 7.4: Has the organization determined the need for internal and external communications relevant to the ISMS, including what to communicate, when to communicate, with whom to communicate, and how to communicate? | |
19 | 7.5 (7.5.3): Has the organization controlled the documented information required by the ISMS and by the standard to ensure that it is available and suitable for use where and when needed, and that it is adequately protected against issues such as loss of confidentiality, improper use, or loss of integrity? Additionally, has the organization addressed distribution, access, retrieval, use, storage, preservation (including preservation of legibility), control of changes (e.g., version control), retention, and disposition, as applicable? Moreover, has documented information of external origin that is necessary for the planning and operation of the ISMS been identified and controlled as appropriate? | |
20 | 8.1: Has the organization planned, implemented, and controlled the processes needed to meet requirements and to implement the actions determined in Clause 6, by establishing criteria for those processes and implementing control of the processes in accordance with the established criteria? | |
23 | 9.1: Has the organization determined what needs to be monitored and measured, including information security processes and controls? Additionally, has the organization selected methods for monitoring and measurement that ensure valid, comparable, and reproducible results? Moreover, has the organization specified when the monitoring and measurement shall be performed and who shall perform it, and established criteria for the analysis and evaluation of the results, with responsibilities assigned for these activities? | |
24 | 9.2 (9.2.1): Has the organization conducted internal audits at planned intervals to determine whether the ISMS conforms to both the organization's own requirements for its ISMS and the requirements of the standard, and whether it is effectively implemented and maintained? | |
27 | 9.3 (9.3.2 & 9.3.3): In the management review, has the organization considered the status of actions from previous management reviews, changes in relevant external and internal issues, changes in the needs and expectations of interested parties, feedback on information security performance, feedback from interested parties, the results of risk assessment and the status of the risk treatment plan, and opportunities for continual improvement? | |
2 ISMS CONTROLS

2.1 Organizational Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP
5 | 5.5: Has the organization established and maintained contact with relevant authorities as part of its information security practices? | ❑ Yes ❑ No | |
10 | 5.10: Have rules for acceptable use and procedures for handling information and associated assets been identified, documented, and implemented? | ❑ Yes ❑ No | |
14 | 5.14: Are there established rules, procedures, or agreements for information transfer within the organization and with other parties? | ❑ Yes ❑ No | |
19 | 5.19: Have processes and procedures been defined and implemented to manage the information security risks associated with the use of supplier's products or services? | ❑ Yes ❑ No | |
24 | 5.24: Has the organization planned and prepared for managing information security incidents by defining, establishing, and communicating information security incident management processes, roles, and responsibilities? | ❑ Yes ❑ No | |
29 | 5.29: Has the organization planned how to maintain information security at an appropriate level during disruption? | ❑ Yes ❑ No | |
33 | 5.33: Are records protected from loss, destruction, falsification, unauthorized access, and unauthorized release? | ❑ Yes ❑ No | |

2.2 People Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP
5 | 6.5: Are information security responsibilities and duties that remain valid after termination or change of employment defined, enforced, and communicated to relevant personnel and other interested parties? | ❑ Yes ❑ No | |

2.3 Physical Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP
3 | 7.3: Has physical security for offices, rooms, and facilities been designed and implemented? | ❑ Yes ❑ No | |
5 | 7.5: Has protection against physical and environmental threats, including natural disasters and intentional or unintentional threats to infrastructure, been designed and implemented? | ❑ Yes ❑ No | |
7 | 7.7: Have clear desk rules for papers and removable storage media, as well as clear screen rules for information processing facilities, been defined and appropriately enforced? | ❑ Yes ❑ No | |
9 | 7.9: Have off-site assets been adequately protected? | ❑ Yes ❑ No | |
13 | 7.13: Is equipment maintained correctly to ensure the availability, integrity, and confidentiality of information? | ❑ Yes ❑ No | |

2.4 Technological Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP
2 | 8.2: Are the allocation and use of privileged access rights restricted and managed? | ❑ Yes ❑ No | |
5 | 8.5: Have secure authentication technologies and procedures been implemented based on information access restrictions and the topic-specific policy on access control? | ❑ Yes ❑ No | |
9 | 8.9: Have configurations, including security configurations, of hardware, software, services, and networks been established, documented, implemented, monitored, and reviewed? | ❑ Yes ❑ No | |
13 | 8.13: Are backup copies of information, software, and systems maintained and regularly tested in accordance with the agreed topic-specific policy on backup? | ❑ Yes ❑ No | |
17 | 8.17: Are the clocks of information processing systems used by the organization synchronized to approved time sources? | ❑ Yes ❑ No | |
21 | 8.21: Have security mechanisms, service levels, and service requirements of network services been identified, implemented, and monitored? | ❑ Yes ❑ No | |
25 | 8.25: Have rules for the secure development of software and systems been established and applied? | ❑ Yes ❑ No | |
29 | 8.29: Have security testing processes been defined and implemented in the development life cycle? | ❑ Yes ❑ No | |
33 | 8.33: Is test information appropriately selected, protected, and managed? | ❑ Yes ❑ No | |