New Product - ISO/IEC 27001:2022 Gap Analysis Template

Hi, folks!

We have a new product for you - a gap analysis template for ISO/IEC 27001:2022.

I conduct vendor assessments for a living and recently, I’ve noticed that our vendors are submitting ISO 27001:2022 certificates. Audits must be slowly moving towards the ISO 27001:2022 standard. I thought, “hey, maybe it’s a good time to make a gap analysis for this one.” Behold, our newest product.

Commonly referred to as “ISO 27001”, this is the globally recognized standard for establishing and managing an information security management system (ISMS).

Let’s break down the “ISO/IEC 27001:2022” name to better appreciate it.

ISO/IEC are the names of the two organizations that created the ISO 27001 standard: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO is a global standards organization that develops standards for industries such as manufacturing, healthcare, and information technology. It is made up of the national standards bodies of different countries (e.g., the American National Standards Institute of the United States). The IEC is also an international standards organization, focusing on electrical, electronic and related technologies - collectively referred to as “electrotechnology”.

The numbering “27001:2022” tells you two things. First, the ISO 27001 standard was created by Joint Technical Committee (JTC) 1, Subcommittee (SC) 27. JTC 1 focuses on information technology, with SC 27 focusing on information security, cybersecurity, and privacy protection. The entire 27000 family of standards covers the areas just listed, with ISO 27001 being the first document in the family and the world’s best-known standard. Second, it tells you that the standard was last updated in 2022 - specifically, on October 25, 2022.

Now that we’ve explained a bit about the authorship of the ISO 27001 standard, let’s move on to how it compares to another well-known information security document.

ISO 27001 is often mentioned together with the NIST Cybersecurity Framework (NIST CSF). The two documents differ significantly in two ways:

  1. The NIST CSF is free, while ISO 27001 is a paid document. You have to purchase your own copy of the ISO 27001 standard from the ISO website.
  2. You can obtain a certification as proof of your compliance with the ISO 27001 standards. As far as I know, no one is issuing a certificate of compliance with the NIST CSF. The latter is, after all, a framework or a guide.

To clarify, “compliant” and “certified” mean different things, especially in the context of assessments.

When you say your organization is “ISO 27001 certified”, it means that an independent and qualified auditor inspected your organization’s controls and determined that they are compliant with all the requirements listed in ISO 27001.

As proof of compliance, the auditor issues an ISO 27001 certificate. The certificate contains the name of your organization, the scope of the audit, the auditor, and the validity date. You can share the certificate with your existing and potential clients and partners as proof that your organization has the capacity to securely handle their data.

You can still say that you’re “ISO 27001 compliant”, “NIST CSF compliant”, or compliant with any other framework or standard you can think of. However, such statements are generally self-serving; the best proof of compliance is normally a letter of attestation, or a submission of your existing information security documents for assessment.

A word of caution on the letter of attestation, though - you should be ready to show proof that your organization did in fact undergo an assessment of its ISO 27001 compliance. If an information security incident happens and your organization is unable to show proof of assessment, another party can claim that your organization lied in the attestation letter.

Finally, moving on to the template.

  • The template contains the requirements listed in Clauses 4 to 10. The ISO 27001 document itself states that an organization must comply with the requirements listed in those clauses in order to establish conformity or compliance. Clauses 1 to 3 are just introductory clauses.
  • Explanatory notes are excluded from this template.
  • There is a column on compliance, so you’ll be able to keep track of how compliant you are with the ISO 27001 standard.
  • The columns typical to a gap analysis are also found in the document: current state, desired state, gap, action items. Also included are columns on identifying who should be accountable to address the gaps.
  • There is a separate pivot table so you can immediately present the numbers, in case anyone requests.
  • There are requirements which are further broken down into lists. I’ve decided to separate the list items into their own separate requirements. At least you’re able to make sure that you’re indeed compliant with all the requirements.
  • The product also comes with a basic Power BI dashboard so that you can easily present the results of your gap analysis. A gap analysis activity hasn’t concluded until it is presented to management for further steps (and hopefully, budget).
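To make the worksheet structure described above concrete, here is an added toy model in Python. It is not the product’s spreadsheet, pivot table or Power BI dashboard, and the requirement texts in it are constructed placeholders rather than quotations from the standard. It shows the three mechanics the bullets describe: splitting a requirement written as a lettered list into one row per item, building the per-clause compliance pivot, and flagging gaps that have no action item or accountable owner yet.

```python
"""Toy ISO 27001 gap-analysis worksheet (added example; requirement texts
are constructed placeholders, not quotations from the standard)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Compliance column values assumed for this example (not the product's own list).
STATUSES = ("Compliant", "Partially compliant", "Non-compliant", "Not assessed")
GAP_STATUSES = ("Partially compliant", "Non-compliant")


@dataclass
class GapRow:
    """One worksheet row: the usual gap-analysis columns plus an owner column."""
    clause: str                       # e.g. "6.1.2" or "6.1.2(a)" for a split list item
    requirement: str
    compliance: str = "Not assessed"
    current_state: str = ""
    desired_state: str = ""
    gap: str = ""
    action_items: str = ""
    accountable: str = ""

    def assess(self, status: str, action_items: str = "", accountable: str = "") -> None:
        if status not in STATUSES:
            raise ValueError(f"unknown compliance status: {status!r}")
        self.compliance, self.action_items, self.accountable = status, action_items, accountable


# Matches a standalone lettered marker such as " a) " inside a requirement.
# The \b keeps letters inside words (e.g. "data)") from being treated as markers.
_LIST_MARKER = re.compile(r"\s*\b([a-z])\)\s*")


def split_list_items(clause: str, text: str) -> list[tuple[str, str]]:
    """Turn 'stem: a) item; b) item.' into one (clause(letter), stem: item) pair
    per list item. A requirement with no lettered list is returned unchanged."""
    parts = _LIST_MARKER.split(text)
    if len(parts) < 3:
        return [(clause, text.strip())]
    stem = parts[0].strip().rstrip(":;")
    rows = []
    for letter, item in zip(parts[1::2], parts[2::2]):
        item = item.strip().rstrip(";.").strip()
        rows.append((f"{clause}({letter})", f"{stem}: {item}"))
    return rows


def expand_requirements(raw: list[tuple[str, str]]) -> list[GapRow]:
    """Build worksheet rows, splitting list-style requirements into separate rows."""
    return [GapRow(c, t) for clause, text in raw for c, t in split_list_items(clause, text)]


def compliance_pivot(rows: list[GapRow]) -> dict[str, dict[str, int]]:
    """Rows per top-level clause and status, i.e. the numbers a pivot table presents."""
    pivot: dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        pivot[r.clause.split(".")[0]][r.compliance] += 1
    return {clause: dict(counts) for clause, counts in sorted(pivot.items())}


def compliance_percentage(rows: list[GapRow]) -> float:
    """Share of assessed rows marked Compliant; unassessed rows are left out."""
    assessed = [r for r in rows if r.compliance != "Not assessed"]
    if not assessed:
        return 0.0
    return round(100 * sum(r.compliance == "Compliant" for r in assessed) / len(assessed), 1)


def unowned_gaps(rows: list[GapRow]) -> list[GapRow]:
    """Gaps that nobody has been made accountable for, or that have no action item."""
    return [r for r in rows if r.compliance in GAP_STATUSES
            and (not r.action_items or not r.accountable)]


# Constructed placeholder requirements (clause numbers only; wording is invented).
RAW_REQUIREMENTS = [
    ("4.1", "Placeholder requirement with no list items."),
    ("4.2", "Placeholder stem: a) first list item; b) second list item; c) third list item."),
    ("6.1.2", "Placeholder stem: a) first item; b) second item."),
]


def demo_rows() -> list[GapRow]:
    """Expand the placeholder requirements and record a constructed set of assessments."""
    rows = expand_requirements(RAW_REQUIREMENTS)
    assessments = {
        "4.1": ("Compliant", "", ""),
        "4.2(a)": ("Compliant", "", ""),
        "4.2(b)": ("Partially compliant", "Document the remaining items", "CISO"),
        "4.2(c)": ("Non-compliant", "", ""),          # gap with no owner: should be flagged
        "6.1.2(a)": ("Non-compliant", "Write the risk assessment procedure", "Risk manager"),
    }                                                  # 6.1.2(b) stays "Not assessed"
    for r in rows:
        if r.clause in assessments:
            r.assess(*assessments[r.clause])
    return rows


if __name__ == "__main__":
    rows = demo_rows()
    print(compliance_pivot(rows))
    print(f"{compliance_percentage(rows)}% of assessed requirements compliant")
    print("unowned gaps:", [r.clause for r in unowned_gaps(rows)])
```

Splitting list items into their own rows is what lets the pivot count each item separately, so a clause that is only half done no longer hides behind a single "Partially compliant" cell; the `unowned_gaps` check is the review you would run before the document goes to management, since a gap without an owner and an action item is a gap that will still be there at the next review.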

As a final note, the gap analysis doesn’t end with identifying the gaps. It is a tool for continuous improvement, so make sure to review your gap analysis document regularly to identify points of improvement in your ISMS.

Link to the product page

Hope this helps!
