Last Updated on September 27, 2021
In our ISO 27001-as-a-Service practice, the single most common mistake we see with organizations prepping for ISO 27001 certification is starting off with a gap assessment.
At face value, starting with a gap assessment would seem to make sense. It tells you where you are versus where you want to be. Which tells you a lot about timelines, costs, and so on. So why not start there? What’s the problem?
To succinctly share the top 10 mistakes/misconceptions that most frequently come up for organizations prepping for ISO 27001 certification, Pivot Point Security CISO and Managing Partner, John Verry, recorded a special podcast on this critical topic in response to numerous client requests.
Mind the gap… but first mind the scope and risk
John explains that the nature of the ISO 27001 standard is the reason why a gap assessment needs to come later in the process: “ISO 27001 is not prescriptive, so it doesn’t tell you the specifics about the implementation of a control. Each control is implemented in accordance with your risk appetite and appropriate to your context or scope.”
“That’s why ISO 27001 starts with context and with understanding risk,” John continues. “Because that’s the clauses say. So that first clause, Clause 4, is context or scope. That’s about what we’re protecting, why are we protecting it, and what are we protecting it against?”
Questions to define scope and risk
Some of the questions that go into defining the scope and associated risk for your ISO 27001 information security management system (ISMS) include:
- What is the information that you’re trying to protect?
- Who are you protecting it for, and what are their expectations for security and privacy?
- What threats do you need to be concerned about?
- What are the laws and regulations that govern the operation of a given type of data (e.g., health care records or credit card payments)?
- What are your client contractual obligations regarding security and privacy?
- Where is your sensitive data stored (on-premises, in the cloud, in SaaS applications, etc.)?
- Who has access to your sensitive data, including employees, vendors, etc.?
Risk defines your controls
“All of that is what we need to understand to properly understand risk,” explains John. “And understanding risk also allows us to optimally define the set of controls that would be necessary to mitigate that risk. Then once we know what those controls should look like, then we can do a gap assessment.”
If your organization is pursuing ISO 27001 certification, you’ll find huge strategic and practical value by listening to the full podcast: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more helpful information around ISO 27001 Certification? Check out this blog post 13 Million Reasons Why You Need to Scope before You Do a Gap Assessment – Pivot Point Security