Cyber Security

How to use Gap Analysis to improve Cybersecurity compliance for NIST or ISO standards?

K Asked by Karen Bennett · 22-09-2023
0 upvotes 15,072 views 0 comments
The question

Our firm needs to align with ISO 27001 standards. I've been tasked with performing a Gap Analysis to see where our current security controls fall short. Does anyone have a checklist or a specific approach for identifying technical gaps in security infrastructure? 

3 answers

0
ME
Answered on 25-09-2023

For ISO 27001, your Gap Analysis must revolve around the Statement of Applicability (SoA). You need to review the 114 controls in Annex A and determine which are currently implemented, partially implemented, or absent. For each gap, you must document the risk of non-compliance. I recommend using a maturity model scale (0-5) to score your current controls. This provides a quantitative view for stakeholders. Don't just look at firewalls; look at policy documentation and employee training, as these are frequent "hidden" gaps in security audits. 

0
BR
Answered on 27-09-2023

Great points on the maturity model! When you are scoring these controls, are you involving the IT department or strictly looking at the documentation? I’ve found that what is on paper often differs from the actual technical implementation in the server room. 

ST 28-09-2023

Brian, you have to do both. A "Paper Gap" is a failure in policy, but a "Technical Gap" is a failure in execution. I always interview the SysAdmins and then run a vulnerability scan to verify if the documented controls actually exist.

0
J
Answered on 29-09-2023

Use the NIST CSF (Cybersecurity Framework) as your benchmark. Map your current tools to the Identify, Protect, Detect, Respond, and Recover categories to see where you are weak. 

KA 30-09-2023

Totally agree. The NIST mapping makes it much easier to explain to non-technical executives why we need budget for 'Detection' tools when our 'Protection' is already strong.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Hong Kong

Book Free Session