A Gap Analysis ensures your organisation and infrastructure are fully prepared to go through the ISO 27001 certification process.
ISO 27001 has become the globally-recognised standard which organisations can use to audit and certify their Information Security Management System (ISMS).
Achieving ISO 27001 accreditation demonstrates to your customers and users that you have a robust management framework and ongoing processes in place to protect the confidentiality, integrity and availability of your IT infrastructure and the data handled by it.
An ISO 27001 Gap Analysis allows you to benchmark your organisation’s policies and technical controls against the ISO/IEC 27001:2013 standard before you apply to an ISO 27001 Certification Body to become accredited. The Gap Analysis allows you to identify areas in your organisation’s processes, policies and technical controls which may prevent your organisation from achieving ISO 27001 accreditation – enabling you to implement the necessary control measures and be fully prepared for the final audit.
Methodology
Through a one-day workshop (conducted at your office), one of our ISO 27001 Certified Lead Auditors will cover each of the following control topics, as required by the latest ISO/IEC 27001:2013 standard:
- Information Security Policies
- Organisation of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical & Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development & Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Redundancies
- Compliance
Each of the above controls (and any relevant sub-controls) will be discussed throughout the workshop, to ascertain if your organisation is compliant with what is required by the standard, or if additional work is required before you initiate the accreditation process.
Prerequisites
The majority of the workshop will be focused on Information Security, so in most cases the workshop will require only the IT Manager (or equivalent) to be present throughout the entire meeting.
In addition to the IT infrastructure, the ISO/IEC 27001:2013 standard governs several other areas of the organisation that will be covered by the Information Security Management System (ISMS). With this being the case, representatives who are responsible for the following areas of the organisation should also be available for a short meeting (approximately 30 mins) if required:
- Data Protection – Data Protection Officer (DPO)
- Human Resources – HR Manager or HR Assistant
- Supply Chain Management – Procurement Manager or Purchaser
- Legal – Company Lawyer or Legal Representative
Deliverables
When you engage SecureTeam for your ISO 27001 Gap Analysis, we will provide you with the following:
Reporting
Once the Gap Analysis has been completed, you will be provided with the following:
Comprehensive Gap Analysis Report
A comprehensive report, which highlights all areas of non-compliance between your organisation and the requirements of the ISO/IEC 27001:2013 standard. Our report to you also contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles.
Implementation Guidance
Using the Implementation Guidance found in ISO/IEC 27002:2013, our report will contain specific recommendations on what actions your organisation will need to take in readiness for your final certification audit.
Action Plan
We provide you with a targeted Action Plan that can be used by your organisation to address the areas of non-compliance before applying for your certification audit.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our reports, all reports are delivered to our customers through a secure file delivery mechanism. All reports are encrypted using AES-256 encryption and are secured with a strong, randomly-generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted, expiring URL link – allowing you to download the report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves on partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.
We are committed to ensuring that, as our customer, you receive the utmost value out of our consultancy services, and we look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff and provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and key individuals in your organisation.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.