Implementation Project

Step 3: Gap Analysis

Written by

Aron Lange

Published

Sep 3, 2025

Step 3 of the ISO 27001 implementation process involves conducting a gap analysis, an optional but highly recommended activity. This step evaluates the organization’s current information security practices against the desired state of a fully compliant Information Security Management System (ISMS). By identifying discrepancies, a gap analysis helps organizations understand where improvements or developments are needed, enabling efficient resource allocation and better planning for subsequent steps. While not mandated by ISO 27001, this process provides valuable insights into existing controls, policies, and processes, ensuring a more targeted and effective implementation journey.

Required Activities and Tasks

The gap analysis process consists of five key tasks designed to assess the current state, compare it with the desired state, and outline a roadmap for improvement.

The tasks are:

  1. Define the Desired State: Clearly articulate the objectives of the ISMS, aligning them with ISO 27001 requirements and the organization’s business goals. This represents the ideal state of a fully implemented and effective ISMS.

  2. Analyze the Current State: Assess existing information security controls, policies, technologies, and processes. This involves reviewing the organization’s security posture, including any established protocols, to understand what is already in place.

  3. Compare Current and Desired States: Evaluate the differences between the current security practices and the desired ISMS state. This comparison highlights areas where the organization falls short of ISO 27001 compliance.

  4. Identify Specific Gaps: Pinpoint deficiencies in policies, procedures, technical controls, or personnel training that need development or improvement to meet the desired state. This step ensures a clear understanding of what must be addressed.

  5. Produce a Gap Analysis Report: Compile findings into a comprehensive report that summarizes identified gaps, provides actionable recommendations, and prioritizes areas requiring attention. This report serves as a roadmap for planning subsequent implementation steps.

These tasks can be performed at any stage of the project, offering flexibility to revisit and refine the analysis as needed.

Deliverables of This Step

The primary output of Step 3 is a single, critical deliverable that guides the ISMS implementation:

  • Gap Analysis Report: A detailed document summarizing the current state, desired state, identified gaps, and prioritized recommendations for addressing deficiencies. This report provides a clear roadmap for aligning the organization’s practices with ISO 27001 requirements.

This deliverable ensures that the organization can allocate resources effectively and focus on areas needing the most attention.

Normative References

Unlike other steps, a gap analysis is not explicitly required by ISO 27001, so there are no specific clauses directly tied to this activity. However, the process aligns with the standard’s overall emphasis on understanding the organization’s current capabilities and planning for compliance. The insights gained from the gap analysis support the implementation of subsequent steps, such as developing policies (Clause 5.2) and conducting risk assessments (Clause 6.1), by providing a clear picture of existing controls and deficiencies.
