A gap analysis is an audit where you compare your current achievements against what you actually need. Performing a gap analysis against the controls listed in BS ISO/IEC 27002 can enable you to identify areas where your business needs to improve its cyber security.
It is worth keeping the answers you give to the questions below, because if you perform a subsequent gap analysis you can see how your responses have changed. Moreover, if you need external help to improve your cyber security, your gap analysis results will make it easier for consultants to work out what help you need and how much it will cost.
For every control in ISO/IEC 27002, answer the questions below, ideally with a “yes” or “no” and an explanation. If you don’t know and can’t find out, answer “don’t know”. You may identify additional security controls that are relevant but not in ISO/IEC 27002. If so, add them to your list.
It may take half a day or so to do the exercise properly, regardless of how big or small your business. If you have IT support, put them on standby, because you may need help to answer some questions. Most of the difficult controls to answer come in the first part of the list, so it can be easier to start in the middle of ISO/IEC 27002, work down to the end and then go back to the beginning.
Is this control applicable to you?
In some cases, a control may not be relevant to your business. In this case answer “no” and explain why. Otherwise answer “yes”. If you answer “no”, the remaining questions are not relevant, so they can be left blank.
Do you need this control?
Answer “yes” if you believe you need this control (whether you have implemented it or not). Answer “no” if you don’t. Answer “declined” if you would like to have it, but have decided not to (eg to save money). Answer “undecided” if you don’t know.
Answer the remaining questions only if you answer “yes” to this one.
Is the control documented?
Answer “yes” if how you do (or should or would) use the control is documented. Answer “no” if it is not. Add a reference to your documentation, if it exists.
Is the control implemented?
Answer “yes” if the control is in use and “no” otherwise. If the control is being implemented or is implemented in some areas but not others, answer “in progress” or “partially”.
Is the control effective?
Finally, make a value judgement as to whether you believe the control fully meets its intended purpose and answer “yes” or “no” accordingly. If there is supporting evidence (eg reports of security breaches), include a reference.
How to use the results
A lot of the benefit comes when your honest answer is “don’t know” or “undecided”. In the long run, your cyber security will be much more effective if you go away and find out the answers. If you need controls but they are not implemented, the action required is obvious. Similarly, if they exist but their documentation is inadequate.
If a control is not fully effective, it usually means your staff need further training, your security systems need upgrading or management needs to be more proactive. Do something about it.