Please note: This sample shows only a section of the complete Gap Assessment tool.
Information security management systems: Requirements
4 Context of the organization

4.1 Understanding the organization and its context
Have the external and internal issues that affect the ISMS been determined?

4.2 Understanding the needs and expectations of interested parties
Have the interested parties and their requirements been identified?

4.3 Determining the scope of the information security management system
Has the scope of the ISMS been determined and documented?

4.4 Information security management system
Is an ISMS in place and being continually improved?
5 Leadership

5.1 Leadership and commitment
Does top management demonstrate leadership and commitment to the ISMS by providing resources and communicating effectively? (see list A to H)

5.2 Policy
Is a documented information security policy in place?
Does it set objectives for the ISMS?
Does it commit the organization to satisfying requirements and continually improving the ISMS?
Is it adequately communicated?

5.3 Organizational roles, responsibilities and authorities
Are roles, responsibilities and authorities for the ISMS defined?
6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General
Does the plan for the ISMS take into account the relevant issues and requirements?
Are all of the relevant risks and opportunities determined?
Are actions planned to address the identified risks and opportunities?

6.1.2 Information security risk assessment
Is a documented information security risk assessment process defined and applied?
Is it clear when risk assessments should be carried out?
Has a risk assessment been carried out with respect to the confidentiality, integrity and availability of the information within scope?
Have risk owners been identified?
Have risks been analysed, evaluated and prioritised for treatment?

6.1.3 Information security risk treatment
Is there a documented information security risk treatment process?
Have appropriate risk treatment options been selected for each risk that exceeds the risk acceptance criteria?
Have necessary controls been selected for each risk that requires treatment?
Has a Statement of Applicability been created?
Is there a plan to implement the identified treatments?
Has the risk treatment plan been approved by risk owners?

6.2 Information security objectives and planning to achieve them
Have measurable information security objectives been established and communicated?
Is there a plan to achieve the defined information security objectives?

6.3 Planning of changes
Is there a process to cater for the planning of expected and unexpected changes to the ISMS?
Totals: 17
ISO/IEC 27001 Gap Assessment dashboard

[Chart: Gap assessment results, broken down by Annex A control theme: A.6 People controls, A.7 Physical controls, A.8 Technological controls]

ISO/IEC 27001 Gap Assessment Tool
ISMS-FORM-00-4