ISO27001 Gap & Risk Assessment
ISO27001 is a global security framework developed by the International Organization for Standardization. It is beneficial if your organization adopts other ISO frameworks or does business globally. While we don’t perform “full ISO audits” (i.e., validations), our team has tremendous experience performing ISO27001 gap & risk assessment engagements. We can help you prepare for your formal ISO27001 audit or help you implement a security program designed around ISO if you don’t need or intend to undergo an actual ISO certification.
ISO27001, in its current ISO27001:2022 version, has seven clauses (numbered 4-10) and four themes; we incorporate each into the assessment:
Clauses:
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
Themes:
People
Organizational
Technological
Physical
ISO27001 Controls
The four themes contain 93 security controls in total:
- People – 8 controls. A handful of the critical controls are security awareness training, remote working, and screening
- Organizational – 37 controls, such as policies, management responsibilities, threat intel, data classification, inventories, and access control
- Technological – 34 controls, including authentication, management of vulnerabilities, malware protection, logging, monitoring, and testing
- Physical – 14 controls, such as physical security, media storage, and equipment maintenance
ISO27001 Gap & Risk Assessment
A valuable security assessment of your overall information security program
- Assess 93 security controls
- Analyze security gaps, risks, and maturity levels
- Report of findings and recommendations