Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?

27 Jul

The answer depends on your goals and knowledge of your current position.  This blog will look at which is best and when.

When it comes to determining your need for information security controls, there are a couple of routes you could take.  One is to undertake a gap analysis, another is to conduct a risk assessment.

What is the Difference Between a Gap Analysis and a Risk Assessment?

Firstly, you need to understand what each of them is before determining which course of action is best suited to your needs.

What is a Gap Analysis?

The gap analysis is the more straightforward option.  Simply put, you just need to take a list of ‘requirements’ and determine if you have implemented each of the items on your list.  

For example, you could take all the controls listed in Annex A of ISO 27001 and then check to see if you have implemented each one.  

Where a control is not implemented, there is a ‘gap’.  You can then take measures to address that gap by implementing the control.

In terms of the pros and cons of conducting a gap analysis, the big benefit is that it is quicker and less expensive to conduct compared to a risk assessment.

The downside is that you are not necessarily able to determine if you need to implement each of the controls listed – some of them can be costly to implement and time-consuming to operate.  

If a control is already in place, you might not know if it is serving a purpose, adding value to your organisation’s information security efforts or is simply costing you money with no demonstrable benefit.

What is a Risk Assessment?

The risk assessment approach is more involved and time-consuming than the gap analysis, but has the notable advantage of enabling you to demonstrate why a particular control or treatment is required and not just because it is in Annex A of ISO 27001.

The process requires you to determine the impact on the organisation if its information assets were to be compromised, whether that compromise is related to confidentiality, integrity or availability of the information, whether deliberate or accidental.

You are also able to determine the likelihood of the compromise, as within your risk assessment you are required to determine the nature of threats that your assets face, as well as any vulnerabilities that could allow the threat to materialise.

By considering impacts, threats and vulnerabilities, you will be able to determine and quantify the risks faced by your organisation.  

The risk assessment process then uses this information to prioritise the treatment of risk by evaluating if the risk is above or below the organisation’s risk appetite.  

If it is above, then it should be flagged for treatment.  If it is below, then it will likely be monitored for change with no extra action required.

Those risks that have been flagged for treatment may well require the same controls to be implemented that we mentioned under the gap analysis section above, i.e.  the Annex A controls from ISO 27001.  

The big difference is that now we have some justification why each control should be implemented, which puts us in a much stronger position when submitting a business case to the leadership team.

Which to Choose

A gap analysis has its uses.  It enables an organisation to obtain a high-level view of what information security approaches and controls it has in place.  

If the controls are chosen from a reputable source, such as ISO 27001, then the organisation will at least be looking at controls that are considered to be best practice.

However, in some situations, the leadership team is likely to ask for a justification for releasing resources for controls to be implemented.  

A gap analysis is not going to provide you with the information you need to deal with this request.

A risk assessment, on the other hand, will provide this information and will serve to reassure the organisation’s leadership team that the resources requested are being put to good use.

It also enables the organisation to take a prioritised approach.  Resources are likely to be finite and, therefore, the implementation of some controls may have to wait until more resources are available.  

The gap analysis will not provide you with the information you need to decide which controls to implement first, whereas the risk assessment results will.

There is another reason why a risk assessment is often preferred, and that is your ability to claim conformance with the ISO 27001 Standard.  

Even if you are not seeking certification, simply to claim conformance with the Standard means that you are obliged to implement all the mandatory management system elements.  

This includes the requirement to conduct a formal information security risk assessment.  Likewise, if you are committed to complying or securing certification, then a risk assessment not only addresses a fundamental requirement, but also provides a prioritised action plan.

Thumbnail of the Blog Illustration
Information Security
Published on
How Should You Onboard New IT Systems and Software?

This blog takes a look at onboarding information systems. When onboarding is mentioned will conclude it’s referring to people but there is a lot more to think

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Everything You Need to Know About ISO 27001 Certification

As with all ISO standards, it has been developed by a panel of experts and provides a specification for the development of a ‘best practice" ISMS

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5 Common Fallacies Associated with ISO 27001 Certification

There are many good reasons to implement an information security management system (ISMS) and get it certified to ISO 27001.

Read more
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.