
What is a Gap analysis for ISO 27001 certification?

Written by Tim Kemper

As an organisation, you have decided to get certified and want to know whether you are ready to start a certification project. A Gap analysis is then a good starting point, whether you have opted for ISO 27001 (the information security standard), EN 50518 or another management system certification. A Gap analysis is usually carried out before an organisation starts a certification project, to establish where the organisation stands in relation to the requirements of the chosen standard. This way, you know where you already meet the certification requirements and where the (biggest) gaps are. By going through the steps of the Gap analysis, you also become acquainted with the standard and gain insight into what it actually requires of your organisation. In this blog, we guide you through the process of performing a Gap analysis focused on ISO 27001.


Purpose of the Gap analysis

The purpose of a Gap analysis is to determine the extent to which your organisation already meets the requirements of the chosen ISO standard, and which steps still need to be taken to arrive at a fully-fledged management system that suits the organisation and to obtain certification. The Gap analysis is also the starting point (kick-off) of the certification project itself.

What does a Gap analysis consist of?

A Gap analysis reveals what you already have in place as an organisation and where you still need to grow. This is done by assessing the current documentation, observing the current situation and interviewing employees. The result tells you which steps you still need to take to bridge the gap between the current and the desired situation.

The Gap analysis for ISO 27001 covers the following components:

  • Documented information: assesses how the structure of the management system’s documented information is set up, whether there is a clear explanation of how the PDCA cycle is implemented within the management system and how continual improvement is promoted, and whether the organisation has prepared a Statement of Applicability (SoA; VVT in Dutch) according to the requirements of the standard, identifying which controls have explicitly been declared applicable.
  • Context, leadership and strategy: clarifies what you do as an organisation, what you stand for, which stakeholders you deal with and which laws and regulations apply to your business operations, and determines how your organisation meets the interests and requirements of these stakeholders. Within leadership and strategy, the boundaries of the scope of the management system are also determined.
  • Processes: establishes which processes are covered by the management system, i.e. how the work is carried out within the organisation, and makes those processes transparent. It also identifies how the operational planning of the management system takes place and which activities are planned to monitor it. In short: what are you doing as an organisation?
  • Hardware, software, network and facilities: inventories which hardware, software, networks and facilities are used in the organisation.
  • Software development: relevant only for organisations that develop software. Is there an established process for software development and for handling changes during development? How are the continuity and quality of the delivered services and products guaranteed? Has a process been established in which the impact of changes to products and/or services is determined?
  • Risk management: looks at the assets that have been mapped and which risks may occur to them; these risks are then assessed. This component checks how the organisation carries out its risk inventory and whether identified risks are assessed in an unambiguous, repeatable way, so that a reassessment yields a comparable result. Are risk treatment plans drawn up for risks that are not acceptable as they stand, and how are these plans monitored?
  • Assurance: how are you going to secure the operation of your management system (the PDCA cycle, the monthly consultations and the recurring tasks in your management system) and make that assurance demonstrable?

Difference between baseline measurement and Gap analysis?

A baseline measurement shows where you are now as an organisation. The difference between a baseline measurement and a Gap analysis is that the Gap analysis also reveals the desired level: where you are now as an organisation and where you want to go.

Who is a Gap analysis suitable for?

Would you like to know where your organisation stands, so that you can prepare properly for the chosen certification? Then a Gap analysis is suitable for your organisation. IT service providers and software developers often choose the ISO 27001 standard, but any organisation that wants to be certified against a management system standard can turn to Protify for this. Even if your organisation chooses ISO 9001, ISO 22301, ISO 27701 or EN 50518, a Gap analysis is a good starting point that tells you where you stand. For the EN 50518 standard, the Gap analysis is more extensive, because the construction of the alarm receiving centre itself is also assessed.

Maturity model

The result of the Gap analysis is presented in a maturity model, in which each component is scored on a scale from zero to five. At zero, the set of requirements has not yet been met at all; at five, the process runs perfectly, everything is secured, no more attention needs to be paid to it, there is continual improvement and process optimisation is completely in order. A score of three is used as the baseline for being ready for certification: at this level there is standardisation, it is demonstrable and controlled, there is awareness of the process, and continual improvement takes place.

Tips for your organisation’s Gap analysis

  • Be honest and bring everything to the table; this gives you a real insight into how your organisation is doing. Bear in mind that it is not yet an audit, so you are not being judged on anything yet.
  • The Gap analysis can be really fun, as you go through your organisation’s management system in a short time. The result gives instant insight into the status of your organisation.
  • Consider the Gap analysis as part of the certification project.

Internal audit

Once you start the certification process, the internal audit takes place; this is no longer part of the Gap analysis. The internal audit assesses how the organisation periodically evaluates the performance of the management system. Do periodic evaluations and assessments take place? Are audits carried out, and does management reflect annually (the management review) on the performance of the management system? How is the output of these evaluations and assessments secured so that it contributes to the continual improvement of the management system?

Gap analysis as part of certification project for your organisation?

Would you like to understand the state of your organisation? Would your organisation like to implement the ISO 27001 standard? Get in touch with us.


Tim Kemper

As a client-focused consultant, Tim translates legislation and regulations into practical solutions that align with the organisation’s processes. He analyses business processes, identifies risks and provides clear, pragmatic advice.
