Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?

27 Jul

Table of Contents

The answer depends on your goals and knowledge of your current position.  This blog will look at which is best and when.

When it comes to determining your need for information security controls, there are a couple of routes you could take.  One is to undertake a gap analysis, another is to conduct a risk assessment.

What is the Difference Between a Gap Analysis and a Risk Assessment?

Firstly, you need to understand what each of them is before determining which course of action is best suited to your needs.

What is a Gap Analysis?

The gap analysis is the more straightforward option.  Simply put, you just need to take a list of ‘requirements’ and determine if you have implemented each of the items on your list.  

For example, you could take all the controls listed in Annex A of ISO 27001 and then check to see if you have implemented each one.  

Where a control is not implemented, there is a ‘gap’.  You can then take measures to address that gap by implementing the control.

In terms of the pros and cons of conducting a gap analysis, the big benefit is that it is quicker and less expensive to conduct compared to a risk assessment.

The downside is that you are not necessarily able to determine if you need to implement each of the controls listed – some of them can be costly to implement and time-consuming to operate.  

If a control is already in place, you might not know if it is serving a purpose, adding value to your organisation’s information security efforts or is simply costing you money with no demonstrable benefit.

What is a Risk Assessment?

The risk assessment approach is more involved and time-consuming than the gap analysis, but has the notable advantage of enabling you to demonstrate why a particular control or treatment is required and not just because it is in Annex A of ISO 27001.

The process requires you to determine the impact on the organisation if its information assets were to be compromised, whether that compromise is related to confidentiality, integrity or availability of the information, whether deliberate or accidental.

You are also able to determine the likelihood of the compromise, as within your risk assessment you are required to determine the nature of threats that your assets face, as well as any vulnerabilities that could allow the threat to materialise.

By considering impacts, threats and vulnerabilities, you will be able to determine and quantify the risks faced by your organisation.  

The risk assessment process then uses this information to prioritise the treatment of risk by evaluating if the risk is above or below the organisation’s risk appetite.  

If it is above, then it should be flagged for treatment.  If it is below, then it will likely be monitored for change with no extra action required.

Those risks that have been flagged for treatment may well require the same controls to be implemented that we mentioned under the gap analysis section above, i.e.  the Annex A controls from ISO 27001.  

The big difference is that now we have some justification why each control should be implemented, which puts us in a much stronger position when submitting a business case to the leadership team.

Which to Choose

A gap analysis has its uses.  It enables an organisation to obtain a high-level view of what information security approaches and controls it has in place.  

If the controls are chosen from a reputable source, such as ISO 27001, then the organisation will at least be looking at controls that are considered to be best practice.

However, in some situations, the leadership team is likely to ask for a justification for releasing resources for controls to be implemented.  

A gap analysis is not going to provide you with the information you need to deal with this request.

A risk assessment, on the other hand, will provide this information and will serve to reassure the organisation’s leadership team that the resources requested are being put to good use.

It also enables the organisation to take a prioritised approach.  Resources are likely to be finite and, therefore, the implementation of some controls may have to wait until more resources are available.  

The gap analysis will not provide you with the information you need to decide which controls to implement first, whereas the risk assessment results will.

There is another reason why a risk assessment is often preferred, and that is your ability to claim conformance with the ISO 27001 Standard.  

Even if you are not seeking certification, simply to claim conformance with the Standard means that you are obliged to implement all the mandatory management system elements.  

This includes the requirement to conduct a formal information security risk assessment.  Likewise, if you are committed to complying or securing certification, then a risk assessment not only addresses a fundamental requirement, but also provides a prioritised action plan.

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
ISO/IEC 27001:2022 Key Changes

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How do You Develop and Implement an Incident Management Plan?

Due to the increased use of technologies and the ‘human’ involvement, it is inevitable we are all going to face more and more information security incidents.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Asset identification within RA

A question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment’.

Read more
The webinar 'was very engaging and informative - thank you!
Webinar 'How to Achieve ISO 27001 Certification'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.