Please note: This sample shows only a section of the complete Gap Assessment tool.
ISO/IEC 27001 Gap Assessment Tool ISMS-FORM-00-4
Terms used: ISMS = Information Security Management System
Standard assessed: ISO/IEC 27001, Information security management systems: Requirements
Columns: AREA/SECTION | SUB-SECTION | ISO/IEC 27001 REQUIREMENTS | REQS MET? | COMMENTS | ACTION NEEDED TO MEET REQ | ACTION OWNER
4 Context of the organization
  4.1 Understanding the organization and its context
    Have the external and internal issues that affect the ISMS been determined? REQS MET? Yes
  4.2 Understanding the needs and expectations of interested parties
    Have the interested parties and their requirements been identified? REQS MET? Yes
  4.3 Determining the scope of the information security management system
    Has the scope of the ISMS been determined and documented? REQS MET? Yes
  4.4 Information security management system
    Is an ISMS in place and being continually improved? REQS MET? Yes
  Totals: 4 requirements, 4 met
5 Leadership
  5.1 Leadership and commitment
    Does top management demonstrate leadership and commitment to the ISMS by providing resources and communicating effectively? (see list A to H) REQS MET? Yes
  5.2 Policy
    Is a documented information security policy in place? REQS MET? Yes
    Does it set objectives for the ISMS? REQS MET? Yes
    Does it commit the organization to satisfying requirements and continually improving the ISMS? REQS MET? Yes
    Is it adequately communicated? REQS MET? Yes
  5.3 Organizational roles, responsibilities and authorities
    Are roles, responsibilities and authorities for the ISMS defined? REQS MET? Yes
  Totals: 6 requirements, 6 met
6 Planning
  6.1 Actions to address risks and opportunities
    6.1.1 General
      Does the plan for the ISMS take into account the relevant issues and requirements? REQS MET? Yes
      Are all of the relevant risks and opportunities determined? REQS MET? Yes
      Are actions planned to address the identified risks and opportunities? REQS MET? Yes
    6.1.2 Information Security Risk Assessment
      Is a documented information security risk assessment process defined and applied? REQS MET? Yes
      Is it clear when risk assessments should be carried out? REQS MET? Yes
      Has a risk assessment been carried out with respect to the confidentiality, integrity and availability of the information within scope? REQS MET? Yes
      Have risk owners been identified? REQS MET? Yes
      Have risks been analysed, evaluated and prioritised for treatment? REQS MET? Yes
    6.1.3 Information Security Risk Treatment
      Is there a documented information security risk treatment process? REQS MET? Yes
      Have appropriate risk treatment options been selected for each risk that exceeds the risk acceptance criteria? REQS MET? Yes
      Have necessary controls been selected for each risk that requires treatment? REQS MET? Yes
      Has a Statement of Applicability been created? REQS MET? Yes
      Is there a plan to implement the identified treatments? REQS MET? Yes
      Has the risk treatment plan been approved by risk owners? REQS MET? Yes
  6.2 Information security objectives and planning to achieve them
    Have measurable information security objectives been established and communicated? REQS MET? Yes
    Is there a plan to achieve the defined information security objectives? REQS MET? Yes
  6.3 Planning of changes
    Is there a process to cater for the planning of expected and unexpected changes to the ISMS? REQS MET? Yes
  Totals: 17 requirements, 17 met
ISO/IEC 27001 Gap Assessment dashboard
To refresh chart data, click on "Refresh All" on the Data ribbon.
Gap assessment results

AREA OF STANDARD                 REQS IN SECTION   NO OF REQS MET   PERCENTAGE CONFORMANT
4 Context of the organization            4                4              100%
5 Leadership                             6                6              100%
6 Planning                              17               17              100%
7 Support                                8                8              100%
8 Operation                              4                4              100%
9 Performance Evaluation                 6                6              100%
10 Improvement                           2                2              100%
A.5 Organizational controls             37               37              100%
A.6 People controls                      8                8              100%
A.7 Physical controls                   14               14              100%
A.8 Technological controls              34               34              100%
Total                                  140              140              100%
[Radar chart: Percentage level of conformity to the ISO/IEC 27001 standard, one axis per area of the standard (clauses 4 to 10 and Annex A.5 to A.8), scale 0% to 100%]

[Bar chart: Level of conformity to the ISO/IEC 27001 standard, NO OF REQS MET plotted against REQS IN SECTION for each area of the standard, scale 0 to 40]