ISO 27001:2013

Gap analysis for your information secu

Introduction
Use this spreadsheet to record and track your progress as you implement the mandatory and discretionary claus
The main body of ISO 27001 specifies a number of mandatory requirements that you must fulfil for your inform
standard. The mandatory requirements for certification concern the management system rather than the infor
your organisation's information security risks, assess them, decide how you'll treat those risks, treat them and m
make it compulsory for you to apply specific security controls.
However, Annex A to ISO 27001 outlines a set of information security controls that your management system wo
security controls in Annex A are explained in much more detail in ISO 27002, and in various other standards, law

How to carry out your gap analysis

1. Design and implement your ISMS so it complies with all the mandatory requirements set out in the main bod
'Mandatory ISMS requirements' tab of this document to track and record your progress.

2. Identify and assess the information security risks that face those parts of your organisation you've included in
controls' tab to identify any Annex A controls that do not apply to your organisation. Note: Do not feel constrain
you decide you need other security controls to treat your information security risks and obligations (e.g. ISO 223

3. Systematically check and record your progress in implementing your security controls, and update the 'Status

4. Once your ISMS is operating normally, and you have amassed sufficient evidence ("records"), it can be formal
check that your ISMS fulfils the standard's mandatory requirements, and that your information security risks are
of your ISMS. From that point on, you should both maintain (i.e. update it when the information security risks or

Copyright
Adapted from a document provided by the ISO27k Forum at www.ISO27001security.com.
 ISO 27001 gap analysis
Clause ISO 27001 requirement Status Notes

4 Context of the organisation

4.1 Organisational context
4.1 Determine the aims of your organisation's ISMS and any issues that might affect its effectiveness Initial
4.2 Interested parties
4.2 (a) Identify interested parties including applicable laws, regulations, contracts etc. Unknown
4.2 (b) Determine those parties' information security-relevant requirements and obligations Unknown
4.3 ISMS scope
4.3 Determine and document the scope of your ISMS Managed
4.4 ISMS
4.4 Establish, implement, maintain and continually improve your ISMS according to the standard Nonexistent

5 Leadership
5.1 Leadership and commitment
5.1 Top management must demonstrate leadership and commitment to the ISMS Defined
5.2 Policy
5.2 Document the information security policy Nonexistent
5.3 Organisational roles, responsibilities and authorities
5.3 Assign and communicate information security roles and responsibilities Managed

6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Design/plan the ISMS to satisfy the requirements, addressing risks and opportunities Initial
6.1.2 Define and apply an information security risk assessment process Limited
6.1.3 Document and apply an information security risk treatment process Unknown
6.2 Information security objectives and plans
6.2 Establish and document the information security objectives and plans Unknown

7 Support
7.1 Resources
7.1 Determine and allocate necessary resources for the ISMS Managed
7.2 Competence
7.2 Determine, document and make available necessary competences Limited
7.3 Awareness
7.3 Establish a security awareness program Unknown
7.4 Communication
7.4 Determine the need for internal and external communications relevant to the ISMS Unknown
7.5 Documented information
7.5.1 Provide documentation required by the standard plus that required by the organisation Unknown
7.5.2 Provide document titles, authors etc., format them consistently, and review and approve them Unknown
7.5.3 Control the documentation properly Nonexistent

8 Operation
8.1 Operational planning and control
8.1 Plan, implement, control and document ISMS processes to manage risks (i.e. a risk treatment plan) Unknown
8.2 Information security risk assessment
8.2 Reassess and document information security risks regularly and on changes Initial
8.3 Information security risk treatment
8.3 Implement the risk treatment plan (treat the risks!) and document the results Defined

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1 Monitor, measure, analyse and evaluate the ISMS and the controls Nonexistent
9.2 Internal audit
9.2 Plan and conduct internal audits of the ISMS Defined
9.3 Management review
9.3 Undertake regular management reviews of the ISMS Unknown

10 Improvement
10.1 Nonconformity and corrective action
10.1 Identify, fix and take action to prevent nonconformities from recurring, documenting the actions Optimised
10.2 Continual improvement
10.2 Continually improve the ISMS Nonexistent
27 Number of requirements

03/24/2019 Page2 of 6
 Statement of applicability – which Annex A security controls are you applying?
Section Information security control Status Notes

A5 Information security policies

A5.1 Management direction for information security
A5.1.1 Policies for information security Unknown
A5.1.2 Review of the policies for information security Nonexistent

A6 Organisation of information security

A6.1 Internal organisation
A6.1.1 Information security roles and responsibilities Limited
A6.1.2 Segregation of duties Limited
A6.1.3 Contact with authorities Defined
A6.1.4 Contact with special interest groups Managed
A6.1.5 Information security in project management Optimised
A6.2 Mobile devices and teleworking
A6.2.1 Mobile device policy Initial
A6.2.2 Teleworking Not applicable

A7 Human resource security

A7.1 Prior to employment
A7.1.1 Screening Unknown
A7.1.2 Terms and conditions of employment Unknown
A7.2 During employment
A7.2.1 Management responsibilities Unknown
A7.2.2 Information security awareness, education and training Unknown
A7.2.3 Disciplinary process Unknown
A7.3 Termination and change of employment
A7.3.1 Termination or change of employment responsibilities Unknown

A8 Asset management
A8.1 Responsibility for assets
A8.1.1 Inventory of assets Unknown
A8.1.2 Ownership of assets Unknown
A8.1.3 Acceptable use of assets Unknown
A8.1.4 Return of assets Unknown
A8.2 Information classification
A8.2.1 Classification of information Unknown
A8.2.2 Labelling of information Unknown
A8.2.3 Handling of assets Unknown
A8.3 Media handling
A8.3.1 Management of removable media Unknown
A8.3.2 Disposal of media Unknown
A8.3.3 Physical media transfer Unknown

A9 Access control
A9.1 Business requirements of access control
A9.1.1 Access control policy Unknown
A9.1.2 Access to networks and network services Unknown
A9.2 User access management
A9.2.1 User registration and de-registration Unknown
A9.2.2 User access provisioning Unknown
A9.2.3 Management of privileged access rights Unknown
A9.2.4 Management of secret authentication information of users Unknown
A9.2.5 Review of user access rights Unknown
A9.2.6 Removal or adjustment of access rights Unknown
A9.3 User responsibilities
A9.3.1 Use of secret authentication information Unknown
A9.4 System and application access control
A9.4.1 Information access restriction Unknown
A9.4.2 Secure log-on procedures Defined
A9.4.3 Password management system Initial
A9.4.4 Use of privileged utility programs Managed
A9.4.5 Access control to program source code Unknown

A10 Cryptography
A10.1 Cryptographic controls

03/24/2019 Page 3 of 6
 Statement of applicability – which Annex A security controls are you applying?
Section Information security control Status Notes
A10.1.1 Policy on the use of cryptographic controls Unknown
A10.1.2 Key management Limited

A11 Physical and environmental security

A11.1 Secure areas
A11.1.1 Physical security perimeter Unknown
A11.1.2 Physical entry controls Unknown
A11.1.3 Securing offices, rooms and facilities Unknown
A11.1.4 Protecting against external and environmental threats Unknown
A11.1.5 Working in secure areas Unknown
A11.1.6 Delivery and loading areas Unknown
A11.2 Equipment
A11.2.1 Siting and protection of equipment Unknown
A11.2.2 Supporting utilities Unknown
A11.2.3 Cabling security Unknown
A11.2.4 Equipment maintenance Unknown
A11.2.5 Removal of assets Unknown
A11.2.6 Security of equipment and assets off-premises Unknown
A11.2.7 Secure disposal or reuse of equipment Unknown
A11.2.8 Unattended user equipment Unknown
A11.2.9 Clear desk and clear screen policy Unknown

A12 Operations security

A12.1 Operational procedures and responsibilities
A12.1.1 Documented operating procedures Unknown
A12.1.2 Change management Unknown
A12.1.3 Capacity management Unknown
A12.1.4 Separation of development, testing and operational environments Unknown
A12.2 Protection from malware
A12.2.1 Controls against malware Unknown
A12.3 Backup
A12.3.1 Information backup Unknown
A12.3 Logging and monitoring
A12.4.1 Event logging Unknown
A12.4.2 Protection of log information Unknown
A12.4.3 Administrator and operator logs Unknown
A12.4.4 Clock synchronisation Unknown
A12.5 Control of operational software
A12.5.1 Installation of software on operational systems Unknown
A12.6 Technical vulnerability management
A12.6.1 Management of technical vulnerabilities Unknown
A12.6.2 Restrictions on software installation Unknown
A12.7 Information systems audit considerations
A12.7.1 Information systems audit controls Unknown

A13 Communications security

A13.1 Network security management
A13.1.1 Network controls Unknown
A13.1.2 Security of network services Unknown
A13.1.3 Segregation in networks Unknown
A13.2 Information transfer
A13.2.1 Information transfer policies and procedures Unknown
A13.2.2 Agreements on information transfer Unknown
A13.2.3 Electronic messaging Unknown
A13.2.4 Confidentiality or nondisclosure agreements Unknown

A14 System acquisition, development and maintenance

A14.1 Security requirements of information systems
A14.1.1 Information security requirements analysis and specification Unknown
A14.1.2 Securing application services on public networks Unknown
A14.1.3 Protecting application services transactions Unknown
A14.2 Security in development and support processes
A14.2.1 Secure development policy Unknown
A14.2.2 System change control procedures Unknown
A14.2.3 Technical review of applications after operating platform changes Unknown
03/24/2019 Page 4 of 6
 Statement of applicability – which Annex A security controls are you applying?
Section Information security control Status Notes
A14.2.4 Restrictions on changes to software packages Unknown
A14.2.5 Secure system engineering principles Unknown
A14.2.6 Secure Development Environment Unknown
A14.2.7 Outsourced development Unknown
A14.2.8 System security testing Unknown
A14.2.9 System acceptance testing Unknown
A14.3 Test data
A14.3.1 Protection of test data Unknown

A15 Supplier relationships

A15.1 Information security in supplier relationships
A15.1.1 Information security policy for supplier relationships Unknown
A15.1.2 Addressing security within supplier agreements Unknown
A15.1.3 ICT supply chain Unknown
A15.2 Supplier service delivery management
A15.2.1 Monitoring and review of supplier services Unknown
A15.2.2 Managing changes to supplier services Unknown

A16 Information security incident management

A16.1 Management of information security incidents and improvements
A16.1.1 Responsibilities and procedures Unknown
A16.1.2 Reporting information security events Unknown
A16.1.3 Reporting information security weaknesses Unknown
A16.1.4 Assessment of and decision on information security events Unknown
A16.1.5 Response to information security incidents Unknown
A16.1.6 Learning from information security incidents Unknown
A16.1.7 Collection of evidence Unknown

A17 Information security aspects of business continuity management

A17.1 Information security continuity
A17.1.1 Planning information security continuity Unknown
A17.1.2 Implementing information security continuity Unknown
A17.1.3 Verify, review and evaluate information security continuity Unknown
A17.2 Redundancies
A17.2.1 Availability of information processing facilities Unknown

A18 Compliance
A18.1 Compliance with legal and contractual requirements
A18.1.1 Identification of applicable legislation and contractual requirements Unknown
A18.1.2 Intellectual property rights Unknown
A18.1.3 Protection of records Unknown
A18.1.4 Privacy and protection of personally identifiable information Unknown
A18.1.5 Regulation of cryptographic controls Unknown
A18.2 Information security reviews
A18.2.1 Independent review of information security Unknown
A18.2.2 Compliance with security policies and standards Unknown
A18.2.3 Technical compliance review Unknown
114 Number of controls

03/24/2019 Page 5 of 6
 Proportion of Proportion of
Status Progress ISMS
requirements
information
security controls How's your ISMS implementation going?

Unknown Hasn't even been checked yet 37% 89%

Nonexistent Complete lack of recognisable policy,

procedure, control etc. 19% 1% Unknown
Nonexistent
Initial
Development has barely started and will
Initial require significant work to fulfil the
requirements
11% 2% Limited
Defined
Managed
Limited Progressing nicely but not yet complete 7% 3% Optimised
Not applicable

Development is more or less complete

Defined although detail is lacking and/or it's not yet
implemented, enforced and actively supported 11% 2%
by top management

Development is complete, the process/control

Managed has been implemented and recently started
operating
11% 2%

The requirement is fully satisfied, is operating

Optimised and
fully as expected, is being actively monitored
improved, and there's substantial evidence 4% 1% Which security controls have you applied?
to prove all that to the auditors

ALL requirements in the main body of ISO/IEC

Not applicable 27001 are mandatory IF your ISMS is to be
certified. Otherwise, management can ignore 0% 1%
them.

Total 100% 100%

Unknown
Nonexistent
Initial
Limited
Defined
Managed
Optimised
Not applicable