If you’re not familiar with ISO 27001 implementations and audits, it’s easy to confuse the gap assessment and the risk assessment. It doesn’t help that both these activities involve identifying shortcomings in your information security management system (ISMS).
Likewise, the end result of the two activities is similar:
- At the end of the gap assessment, you’ve identified which ISO 27001 controls your organization has in place, and which ones you still need to implement.
- After completing the risk assessment, you know which ISO 27001 controls you really need to implement to mitigate identified information security risks.
For most companies, the best time to do the risk assessment is at the start of the project, because it tells you what controls you need and what controls you don’t need. (ISO 27001 doesn’t mandate that you implement every control, only those that pertain to your business.) You want this information early on so you implement the right controls in the right order as you go, and so you don’t implement any controls you don’t really need.
When to do the gap assessment depends on your ISMS maturity. If your ISMS is relatively immature, it’s a good idea to do the gap assessment early on so you know upfront where you stand and how big your gap is. You’ll then know better how much work is ahead of you, whether you need to allocate additional resources and so on.
If you have basically no ISMS, you know before you even start that your gap will encompass all (or almost all) the controls your risk assessment identifies. You could therefore opt to wait and do your gap assessment nearer the midpoint of the project, so that at least it tells you something you don’t already know. Conversely, companies that already have a pretty good ISMS in place might want to do their gap assessment at or near the end of the project, as a way to verify their success.
You could even do the two assessments at the same time. The gap assessment will tell you which ISO 27001 controls you have in place. The risk assessment is likely to pinpoint many of these as necessary controls to mitigate your identified risks; that’s why you implemented them in the first place.
The advantage of doing your risk assessment alongside or immediately after your gap assessment is that you’ll know sooner how much overlap you have between the two assessments. That tells you which controls you don’t have to worry about because they’re already done and which controls you don’t have to worry about because they don’t fit your risk profile.
In summary: a gap assessment tells you how far away from ISO 27001 compliance you are, but it doesn’t tell you which controls will address your risks. The risk assessment tells you which controls you need, but it doesn’t tell you which controls you already have. That’s why you need both activities.
To strategize with an expert about the scope of a possible ISO 27001 implementation, what approach would be best, and/or how to begin creating a project roadmap, contact Pivot Point Security.