Are ISO 27001 Gap Assessments Worth It?


An ISO 27001 gap assessment, also known as an ISO 27001 gap analysis, is performed by the organization at the very beginning of its ISO 27001 certification journey. It provides an overview of the operational status of the organization's information security management system (ISMS) and identifies the gaps that must be closed, through corrective action plans (CAPs), before the organization is ready for certification.

When determining whether the organization is prepared for ISO 27001 certification, a gap analysis is the key tool for deciding whether the ISMS is operationally mature, operating as intended, and ready for the formal ISO 27001 audit and certification process.


What is an ISO 27001 Gap Assessment?

An ISO 27001 gap analysis is an informal review, conducted ahead of any formal audit, of the organization's information security management system (ISMS), its existing information security processes, business functions, and data protection controls; in essence, the totality of the organization's current security posture. It provides a high-level view of how likely the organization is to pass certification and of the steps it must take to improve its security posture and reach certification readiness.

An ISO 27001 gap analysis typically lasts two to four weeks, depending on the organization's current security posture, its size, and the availability of internal resources. Hiring a third-party assessor gives you an unbiased, professional assessment of your information security program, although it is not a requirement of the certification process.

To ensure the gap analysis goes smoothly, management should make sure that staff, documentation, and evidence of existing information security processes, controls, and business functions are available. Having the required documentation and personnel on hand reduces the total time the gap analysis takes and moves the organization toward certification more efficiently.

Internal vs External Gap Assessments

Gap assessments can be performed internally or externally, depending on the needs of the business. An internal assessment can succeed only if the people performing it were not directly involved in building or reviewing the environment and its controls, or in creating the ISMS and its supporting documentation. The point is an impartial, unbiased analysis that gives the organization a clear list of compliance gaps and recommendations for remediating them.

Large enterprises often have an internal audit team able to provide this function for various areas of the organization. If so, it is essential that the team includes subject matter experts in information security and compliance who can handle the gap analysis and its specialized requirements; having an internal financial auditor complete an ISO 27001 gap analysis is not effective and will not deliver the expected benefits. In smaller organizations, roles and duties usually overlap, which makes a biased assessment much more likely. In those cases, the organization should hire a third-party reviewer or contractor to complete the ISO 27001 gap analysis.

A third-party reviewer performs the gap analysis against the requirements of the ISO 27001 standard. At its conclusion you receive a detailed assessment report that lists the organization's compliance gaps along with the corrective action plans (CAPs) recommended to close them. Working with a third-party reviewer also lets you ask clarifying questions and receive recommendations for remediating each nonconformity so that the organization achieves certification readiness.

What’s The Benefit?

Completing an ISO 27001 gap analysis before the certification audit is not a requirement for formal certification. There are, however, many benefits to doing so, chief among them confirming that the organization is mature, compliant, and prepared for the formal ISO 27001 audit.

The gap analysis provides a high-level overview of the ISMS's maturity and functionality. It also shows the organization what the auditors will ask for and what type of evidence they will accept, which lets the organization prepare for the formal audit in a way nothing else can.

A gap analysis can be very detailed: it reviews the organization's change management processes, risk assessment and approval procedures, and plans to confirm that they meet the requirements of ISO 27001. The assessment tells the organization what evidence will suffice for the documentation portion of the formal audit and how its current ISMS measures against the requirements for certification.

It is akin to seeing the answers before an exam. If you treat the gap analysis with the same seriousness as the actual audit, the organization gains invaluable insight into its current security standing and has the information it needs to complete, test, and evidence the corrective action plans for any nonconformity that could otherwise delay or block certification.

The ISO 27001 Gap Assessment Process

An organization that invests in a gap analysis can expect a process similar to the formal ISO 27001 certification audit. It is in the organization's best interest to treat the gap analysis as if it were the formal audit, so that it is sufficiently prepared when that audit arrives.

The assessor you select performs a two-step gap analysis that mirrors the certification audit. The first step is the documentation review. The assessor collects and examines the ISMS policies, procedures, standards, and supporting documentation to confirm that they meet the requirements of ISO 27001 and are functioning as expected. At this step the assessor may also review available evidence that the ISMS is operating as described.

The second step is the field review and evidence assessment. The assessor reviews evidence that the policies in the ISMS documentation are being followed and then observes the ISMS in operation. This step includes interviewing system owners, management, and staff; performing system assessment tests to validate submitted evidence; and documenting the data collected.

Once complete, the assessor analyzes the data gathered from the documentation, interviews, and site visits and produces an executive summary and a gap assessment report listing the recommended CAPs that the organization should remediate and retest before applying for formal certification. The findings are grouped by severity: an opportunity for improvement (OFI), a minor nonconformity, or a major nonconformity. Any major nonconformity makes the organization ineligible for certification, so it must be remediated and retested before the formal ISO 27001 audit.

How Long Does a Gap Assessment Take?

Performing an ISO 27001 gap analysis is likely a two- to four-week process, depending on the size of the organization, its preparedness, and the resources available. Most of that time is spent interviewing internal staff, reviewing ISMS documentation, and clarifying questions that arise during the assessment.

Assuming the organization is fully prepared and available, the gap assessment should take about as long as the formal audit: two to four weeks of evidence gathering, followed by another three to four weeks before the gap analysis report is delivered.

Note that it may not be in the organization's best interest to schedule the formal audit right away, as remediation, corrective action plans, and retesting will likely be needed first. Producing verifiable evidence that the corrective actions are performing as expected can take anywhere from 30 to 90 days.

How Often is an ISO 27001 Gap Assessment Performed?

An ISO 27001 gap assessment is normally performed once, before the organization seeks formal certification. There is no business need to repeat it unless a new environment or an expanded scope is being brought under the ISMS. The gap assessment is distinct from the internal audit that ISO 27001 itself requires (clause 9.2), which must be carried out at planned intervals for as long as the ISMS is in operation.

One exception: if the gap assessment uncovers multiple major nonconformities that must be remediated before certification, it may make sense to perform a second gap analysis to confirm that the remediation has succeeded and that evidence of it is available for review. A subject matter expert, consultant, or compliance specialist is equally qualified to review those action plans and remediations and confirm that they are ready for the ISO 27001 certification audit.

How Much Does an ISO 27001 Gap Assessment Cost?

The next question is how much this will cost. Because a gap assessment is not a requirement of ISO 27001 certification, it can be treated as a discretionary expense. And because it can be performed in several ways, internally, by an external consultancy, or by the same certification body that will perform the final audit, the cost varies greatly.

If the organization uses internal resources, its costs are minimized and are likely already budgeted. The main consideration is then the availability of those resources to perform the assessment and report its results.

For an organization that hires an external firm to perform the gap assessment, costs range from about $10,000 to over $25,000, depending on the firm chosen, its qualifications, its price point, and the level of detail requested in the report.

Finally, the organization can purchase a package from an accredited certification body in which the gap assessment is included as the first step of the certification journey. In that case the cost is rolled into the overall certification fee, often at a significant discount. Bear in mind that accredited certification bodies are bound by impartiality requirements (ISO/IEC 17021-1) that prohibit them from providing consultancy to the organizations they certify: a pre-assessment from your certification body will identify gaps, but it will not tell you how to close them.

Is an ISO 27001 Gap Assessment Worth It?

In most cases an ISO 27001 gap analysis is worth it. Its benefits cannot be overstated, and any organization beginning its ISO 27001 certification journey should treat a gap assessment as an essential step toward certification readiness, even though the standard does not require one.

There are a few exceptions: the organization already holds other industry certifications with requirements similar to ISO 27001, or it has been, or currently is, ISO 27001 certified for another environment.

Such an organization already knows what to expect, how to confirm that its systems perform as promised in the ISMS documentation, and which pieces of evidence apply to specific controls. But if this is the organization's first attempt at ISO 27001 certification, a gap assessment is a crucial step toward certification readiness.


Published by Denise McMillan - ISO 27001 Lead Auditor
Denise McMillan has over 10 years' experience providing IT infrastructure management, Governance and Compliance auditing management and remediation experience utilizing standards found in: ISO27001, COBIT, HITRUST, FEDRAMP, and NIST 800-53....
Copyright © 2022 Network Assured