During a recent discussion, a customer asked John Verry what the differences are between an ISO 27002 Gap Assessment and a BITS Shared Assessment. As usual, we decided to educate our blog readers with the answer to that question.
ISO 27002 Gap Assessment
An ISO 27002 Gap Assessment provides an assessment of an organization’s implementation of ISO 27002 control recommendations. The gap analysis is a good step toward understanding the effectiveness of the control environment and is a potential starting point for eventual Information Security Management System (ISMS) certification. It results in a gap analysis that clearly identifies the remediation steps required to achieve alignment with ISO 27002.
BITS Shared Assessment
A BITS Shared Assessment provides an assessment of an organization’s implementation of its controls using a standardized questionnaire that is based on the ISO 27002 standard, with additional input from Shared Assessments Program members. The approach is more rigidly defined (e.g., answers are Yes, No, or N/A), which makes the completed SIG (Standardized Information Gathering questionnaire) easy to read by machine. The original idea was that service providers could complete the SIG just once and then provide the completed SIG to multiple clients.
In short, the BITS Shared Assessment costs a little more and is a little less flexible – but it provides a higher level of interim attestation in return.