ISO IEC 27001 2005 Information Security Gap Analysis Tool

Our Gap Analysis Tool will tell you what you need to do to comply with
the ISO IEC 27001 2005 information security management standard. It
pinpoints the gaps between the requirements of the standard and your
current security practices. Once you know exactly where your gaps are,
you can take steps to fill them. By using this approach, you will not only
comply with the ISO 27001 standard, but you will also improve the
performance of your information security management system (ISMS).

Our Gap Analysis Tool assumes that your organization already has an
information security management system (ISMS) and that all you need
to do is make incremental changes in order to ensure that it complies
with the ISO IEC 27001 2005 standard.

ISO 27001 is made up of security management requirements.
It contains two kinds of information security requirements:

  1. Methodological requirements

  2. Security control requirements

Sections 4 to 8 of ISO IEC 27001 contain methodological requirements.
We refer to them as methodological requirements because they tell you
how to develop and manage an information security management system
(without telling you what kind of controls ought to make up the system).
According to ISO 27001, you must meet each one of these methodological
requirements if you wish to claim that your ISMS complies with the new
standard. Since these methodological requirements tell you how to reach
your destination (an ISMS), you can think of them as a general roadmap.

ISO 27001 Annex A contains two kinds of security control requirements:
control objectives and security controls. These control requirements were
copied directly from ISO 27002 2005 (sections 5 to 15). We refer to them
as security control requirements because they pinpoint the controls
that ought to make up an information security management system.
Since these security control requirements tell you what your ISMS
should look like, you can think of them as a general blueprint.

According to ISO IEC 27001, you may exclude Annex A control objectives
and controls, but only where the risks they address fall within your
risk acceptance criteria, where the exclusion does not impair your
ability or obligation to meet relevant legal, regulatory, contractual
and security requirements, and where you justify the exclusion and
record that the residual risk has been accepted by accountable management.

Since the ISO 27001 standard has two kinds of requirements,
our Gap Analysis Tool performs two kinds of analysis:

  1. A methodological gap analysis

  2. A security control gap analysis

This also means that two kinds of gaps will be identified:

  1. Methodological gaps

  2. Security control gaps

Since you must meet all methodological requirements, our methodological
gap analysis questions allow you to choose from two possible answers:
Yes or No. While Yes answers mean that you're in compliance, No
answers identify methodological gaps. In order to comply with
the ISO 27001 standard, you must fill each one of these gaps.

Since you may exclude selected security control requirements,
our security control gap analysis questions allow you to choose from three
possible answers: Yes, No, or N/A (not applicable). While Yes answers
mean that you're in compliance, No answers identify security control gaps.
N/A answers, on the other hand, identify areas that do not apply in your
situation. These are the areas that can be excluded from your ISMS,
provided you justify and document why the exclusion is warranted.

More precisely, No answers identify the gaps in your ISMS control
objectives and controls. Use these gaps to update your Statement
of Applicability and improve your risk treatment plan. (A Statement
of Applicability is a document that lists the control objectives and
controls your organization has selected, the reasons they were selected,
which of them are currently implemented, and which Annex A controls
have been excluded, together with the justification for each exclusion.)
Once you've implemented your new risk treatment plan, your ISMS will
comply with all relevant security control requirements.
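The two answer sets described above (Yes/No for methodological requirements, Yes/No/N/A for Annex A controls), the gaps they produce and the Statement of Applicability they feed can be captured in a few lines of code. The following Python is an added example written for this page, not part of the Praxiom tool; the questionnaire items, answers and justifications are constructed, and the Annex A references follow the numbering of ISO IEC 27001 2005 Annex A.

```python
"""Gap analysis scoring in the style of the questionnaire described above.

Constructed example: a methodological questionnaire (Yes/No), a security
control questionnaire (Yes/No/N/A), a set of answers, and a function that
returns the gap list, the Statement of Applicability rows and any
validation errors (an unjustified N/A, an N/A on a methodological item).
"""
from dataclasses import dataclass


@dataclass
class Question:
    ref: str    # clause number (methodological) or Annex A reference (control)
    text: str
    kind: str   # "methodological" or "control"


@dataclass
class Answer:
    value: str              # "Yes", "No" or "N/A"
    justification: str = ""  # required when value == "N/A"


# Methodological requirements must be met: N/A is not an allowed answer.
VALID = {"methodological": {"Yes", "No"}, "control": {"Yes", "No", "N/A"}}


def analyse(questions, answers):
    """Return (gaps, soa, errors).

    gaps  : list of (ref, gap kind, question text)
    soa   : Statement of Applicability rows for every control question
    errors: answers that cannot be accepted as given
    """
    gaps, soa, errors = [], [], []
    for q in questions:
        a = answers.get(q.ref)
        if a is None:
            errors.append(f"{q.ref}: unanswered")
            continue
        if a.value not in VALID[q.kind]:
            errors.append(f"{q.ref}: '{a.value}' is not a valid answer for a {q.kind} requirement")
            continue
        if q.kind == "methodological":
            if a.value == "No":
                gaps.append((q.ref, "methodological gap", q.text))
            continue
        # Security control requirement: every answer becomes an SoA row.
        if a.value == "N/A":
            if not a.justification.strip():
                errors.append(f"{q.ref}: N/A requires a documented justification")
            soa.append({"ref": q.ref, "control": q.text, "applicable": False,
                        "implemented": False, "justification": a.justification})
        else:
            implemented = a.value == "Yes"
            soa.append({"ref": q.ref, "control": q.text, "applicable": True,
                        "implemented": implemented, "justification": ""})
            if not implemented:
                gaps.append((q.ref, "security control gap", q.text))
    return gaps, soa, errors


def example_run():
    """Constructed questionnaire and answers; returns analyse()'s result."""
    questions = [
        Question("4.2.1", "ISMS scope and boundaries are defined", "methodological"),
        Question("6", "Internal ISMS audits are conducted at planned intervals", "methodological"),
        Question("A.5.1.1", "Information security policy document", "control"),
        Question("A.9.1.1", "Physical security perimeter", "control"),
        Question("A.10.9.1", "Electronic commerce", "control"),
        Question("A.11.2.1", "User registration", "control"),
    ]
    answers = {
        "4.2.1": Answer("Yes"),
        "6": Answer("No"),                      # methodological gap
        "A.5.1.1": Answer("Yes"),
        "A.9.1.1": Answer("No"),                # security control gap
        "A.10.9.1": Answer("N/A", "No electronic commerce services are offered."),
        "A.11.2.1": Answer("N/A"),              # exclusion without justification
    }
    return analyse(questions, answers)


if __name__ == "__main__":
    gaps, soa, errors = example_run()
    for ref, kind, text in gaps:
        print(f"GAP   {ref:<10} {kind:<22} {text}")
    for row in soa:
        state = "implemented" if row["implemented"] else ("excluded" if not row["applicable"] else "not implemented")
        print(f"SOA   {row['ref']:<10} {state:<16} {row['control']}  {row['justification']}")
    for e in errors:
        print(f"ERROR {e}")
```

Running the block lists one methodological gap (clause 6), one security control gap (A.9.1.1), four SoA rows, and one error for the N/A answer on A.11.2.1 that carries no justification; the A.10.9.1 exclusion is accepted because its justification is recorded.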

These methodological and security control gaps identify the areas
that fall short of the standard, the areas that need your attention.
Once you know where to focus your attention, you can begin to make
the changes that are needed to comply with the ISO IEC 27001 standard.
And once you comply with the standard, you'll not only be eligible for
certification, you'll also have a documented, risk-based justification
for the controls that protect your organization's information.

ISO IEC 27001 2005 Gap Analysis Tool

TITLE 36 TABLE OF CONTENTS

PART  TITLE                                                       PAGE
1     Profile of Gap Analysis Project                               3
2     Explanation of Gap Analysis Process                           4
3     Information Security Management Definitions                   7
4     ISMS Development Gap Analysis Questionnaire                  13
5     ISMS Management Gap Analysis Questionnaire                   34
6     ISMS Internal Audit Gap Analysis Questionnaire               40
7     ISMS Management Review Gap Analysis Questionnaire (pdf sample available)
8     ISMS Improvement Gap Analysis Questionnaire                  50
9     Objectives and Controls Gap Analysis Questionnaire           54
10    Legal and Contact Information                               111

JUN 2006 COPYRIGHT © PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. VER. 1.0

ISO 27001 Gap Analysis Tool

Now that you know what our Gap Analysis Tool looks like, please consider
purchasing Title 36: ISO IEC 27001 2005 Gap Analysis Tool. Check our
prices, place an order, or contact Praxiom Research.

COPYRIGHT AUTHORIZATION
If you purchase our ISO 27001 Gap Analysis Tool,
you may make as many copies as you need for use
at one site or location within your own organization.

If you purchase our ISO 27001 2005 Gap Analysis Tool, you'll find
that it's integrated, detailed, exhaustive, and easy to understand.
You'll find that we've worked hard to create a high quality
product. In fact, we guarantee the quality.

CONTACT INFORMATION

Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, T5K 0V7, Canada
Phone: (780)461-4514
info@praxiom.com

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and developing
this electronic publication. We make no representation or warranties with respect to
accuracy or completeness of the contents of this publication and specifically disclaim
any implied warranties of merchantability or fitness for any particular purpose and shall
in no event be liable for any loss of profit or any other commercial damage, including
but not limited to special, incidental, consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

© 2005 - 2008 by Praxiom Research Group Limited. All Rights Reserved.

On the Web since May 25, 1997
This web page was updated on March 12, 2008