Our firm needs to align with ISO 27001 standards. I've been tasked with performing a Gap Analysis to see where our current security controls fall short. Does anyone have a checklist or a specific approach for identifying technical gaps in security infrastructure?
3 answers
For ISO 27001, your Gap Analysis must revolve around the Statement of Applicability (SoA). You need to review the 114 controls in Annex A and determine which are currently implemented, partially implemented, or absent. For each gap, you must document the risk of non-compliance. I recommend using a maturity model scale (0-5) to score your current controls. This provides a quantitative view for stakeholders. Don't just look at firewalls; look at policy documentation and employee training, as these are frequent "hidden" gaps in security audits.
Great points on the maturity model! When you are scoring these controls, are you involving the IT department or strictly looking at the documentation? I’ve found that what is on paper often differs from the actual technical implementation in the server room.
Use the NIST CSF (Cybersecurity Framework) as your benchmark. Map your current tools to the Identify, Protect, Detect, Respond, and Recover categories to see where you are weak.
Totally agree. The NIST mapping makes it much easier to explain to non-technical executives why we need budget for 'Detection' tools when our 'Protection' is already strong.
Brian, you have to do both. A "Paper Gap" is a failure in policy, but a "Technical Gap" is a failure in execution. I always interview the SysAdmins and then run a vulnerability scan to verify if the documented controls actually exist.