Where are you now, where do you want to go, which way is the best and how will you get there?
Complying with a standard requires you to know where you stand against it. A gap analysis is performed against one particular standard, so the first thing to do when creating a new gap analysis is to select the appropriate standard. Doing a gap analysis with RM Studio establishes the status of your implementation quickly and systematically, and the result helps you decide when and how to continue with the implementation.
In the ISO 27001 context, the first step is to establish where you are now. RM Studio enables you to collect, collate and study information on the stage you have reached at the time of the analysis. ISO 27001 provides the guidelines on where your Information Security Management System should be. Once you have decided your goal and have information on your current status, RM Studio provides you with information on what can be done to close the gap between what is and what should be. RM Studio provides a security management template for internationally recognised information security standards such as "ISO 27001 - Information Security Management Systems - Requirements" and the companion standard "ISO 27002 - Code of Practice for Information Security Management". RM Studio guides clients through the cycle of evaluating the current state of their information security programme against:
- best practices defined by ISO 27001 and ISO 17999
- identifying deviations in existing security controls
- defining the steps necessary for improvement.
The RM Studio gap analysis measures security processes and procedures against the control objectives recommended by ISO 27001. The control areas include:
- Security policy management
- Corporate security management
- Organisational asset management
- Human resources security management
- Physical and environmental security management
- Communications and operations management
- Information access control management
- Information systems security management
- Information security incident management
- Business continuity management
- Compliance management
How do we conduct GAP Analysis with RM Studio for ISO 27001?
As a first step, it is important to define the business requirements for security; this lets us understand the scope, the risks and the business drivers for implementing ISO 27001. It cannot be done without commitment from management, which is crucial for an ISO 27001 implementation, so a strong business case for ISO 27001 has to be prepared in order to obtain that commitment.
The next stage is selecting the tools that make the exercise and the practice of ISO 27001 more understandable and less time-consuming. This is achieved with RM Studio. Throughout the ISO 27001 implementation process, RM Studio provides you with a ready analysis of the gap(s), and after implementation it helps in monitoring the risks that may emerge.
The gap analysis starts with a high-level review of the existing security documentation, to discover current policy and procedures and to establish how accurate and complete that documentation is. This requires interviews with key staff to understand the security practices actually in place.
We then use RM Studio to conduct the gap analysis by comparing the findings of the above exercises with the control requirements of ISO 27001/ISO 27002.
RM Studio then helps in preparing the report listing the findings and recommendations, complete with a prioritised list of key recommendations. The report also details the work your company will need to undertake before putting itself forward for accreditation. It points out priority areas and helps you with the next stage of planning.
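As an added illustration, not part of the original text and not RM Studio's own code, the script below models the comparison and reporting steps in plain Python: each finding from the document review and staff interviews is recorded against one of the control areas listed above with an assessor-assigned status and criticality, per-area coverage is computed, and the controls with a gap are ranked into a prioritised recommendation list. The control identifiers, status weights, criticality scale and sample findings are all constructed assumptions, not ISO clause numbers or RM Studio data.

```python
"""Illustrative ISO 27001 gap-analysis scoring (constructed example, not RM Studio code)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: how far a control is in place; None marks controls excluded from scope.
STATUS_WEIGHT = {
    "implemented": 1.0,
    "partial": 0.5,
    "not implemented": 0.0,
    "not applicable": None,
}


@dataclass(frozen=True)
class ControlFinding:
    control_id: str   # hypothetical label, not an ISO clause number
    domain: str       # control area, as listed on the page
    status: str       # key of STATUS_WEIGHT
    criticality: int  # assessor-assigned, 1 (low) to 3 (high)
    evidence: str     # what the document review / interview showed


def domain_coverage(findings):
    """Per-domain implementation ratio (0.0-1.0), ignoring out-of-scope controls."""
    totals = defaultdict(lambda: [0.0, 0])  # domain -> [weight sum, in-scope count]
    for f in findings:
        w = STATUS_WEIGHT[f.status]
        if w is None:
            continue  # not applicable: neither a gap nor coverage
        totals[f.domain][0] += w
        totals[f.domain][1] += 1
    return {d: round(s / n, 2) for d, (s, n) in totals.items()}


def gap_score(f):
    """Higher means more urgent: size of the gap times assessor criticality."""
    w = STATUS_WEIGHT[f.status]
    return 0.0 if w is None else (1.0 - w) * f.criticality


def prioritised_gaps(findings):
    """Controls with a gap, most urgent first; ties broken by id for a stable report."""
    gaps = [f for f in findings if gap_score(f) > 0]
    return sorted(gaps, key=lambda f: (-gap_score(f), f.control_id))


def gap_report(findings):
    """What a gap report carries: coverage per domain plus the ranked recommendations."""
    return {
        "coverage": domain_coverage(findings),
        "recommendations": [
            (f.control_id, f.domain, f.status, gap_score(f), f.evidence)
            for f in prioritised_gaps(findings)
        ],
    }


# Constructed findings from a fictitious document review and staff interviews.
SAMPLE_FINDINGS = [
    ControlFinding("SP-1", "Security policy management", "implemented", 3,
                   "Approved policy, reviewed this year"),
    ControlFinding("SP-2", "Security policy management", "partial", 2,
                   "Policy exists but has no review cycle"),
    ControlFinding("AC-1", "Information access control management", "not implemented", 3,
                   "No access review records found"),
    ControlFinding("AC-2", "Information access control management", "implemented", 2,
                   "Joiner/leaver process documented and followed"),
    ControlFinding("IM-1", "Information security incident management", "partial", 3,
                   "Procedure written, interviewed staff unaware of it"),
    ControlFinding("BC-1", "Business continuity management", "not applicable", 1,
                   "Single-site operation, excluded from scope"),
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_FINDINGS)
    for domain, ratio in report["coverage"].items():
        print(f"{domain:45s} {ratio:.0%}")
    for cid, domain, status, score, evidence in report["recommendations"]:
        print(f"[{score:.1f}] {cid}: {status} ({domain}) - {evidence}")
```

The ranking puts the fully missing, high-criticality control first, then the partially implemented high-criticality one, then the lower-criticality partial control; a control marked not applicable never appears as a recommendation and does not lower its domain's coverage. In a real engagement the status and criticality values are what the documentation review and interviews have to justify, and the evidence field is what the auditor will ask to see.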