ISO27001 Gap & Risk Assessment

ISO27001 is a global security framework developed by the International Organization for Standardization. It is beneficial if your organization adopts other ISO frameworks or does business globally. While we don’t perform “full ISO audits” (i.e., validations), our team has tremendous experience performing ISO27001 gap & risk assessment engagements. We can help you prepare for your formal ISO27001 audit or help you implement a security program designed around ISO if you don’t need or intend to undergo an actual ISO certification. 

ISO27001, in its current ISO27001:2022 version, has seven clauses (numbered 4-10) and four themes; we’ll incorporate each into the assessment:

Clauses:

Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement

Themes:

People
Organizational
Technological
Physical

ISO27001 Controls

The 93 security controls of ISO27001:2022 are grouped into the four themes:

  1. People – 8 controls. A handful of the critical controls are security awareness training, remote working, and screening

  2. Organizational – 37 controls, such as policies, management responsibilities, threat intel, data classification, inventories, and access control

  3. Technological – 34 controls, including authentication, management of vulnerabilities, malware protection, logging, monitoring, and testing

  4. Physical – 14 controls, such as physical security, media storage, and equipment maintenance


A valuable security assessment of your overall information security program

Security is about the Journey, not a Destination