The Three Steps in an ISO 27001 Pre-Assessment

If your organization is thinking about pursuing an ISO 27001 certification, you may have heard mention of a gap assessment or a pre-assessment. A gap assessment is a preliminary step to take before an actual ISO 27001 audit. It can be conducted by a leader in your company, or you can hire a consultant to run through the assessment with your team.
There are three key facets of a gap assessment: identifying areas where you are not yet compliant with the ISO 27001 controls, prioritizing the areas that need to be improved, and creating a plan to fill those gaps.

Identifying Weak Spots

There are a few preparatory steps to take before looking for gaps between your ISMS (Information Security Management System) and the ISO 27001 controls. First, of course, the organization needs to have an ISMS up and running. Additionally, the documentation tied to the ISMS must be readily accessible, because documented evidence is a key part of ISO 27001 compliance. It is also important to assign roles in the company so that the pre-assessment process is effective and efficient. Ideally, a management review and an internal audit should be carried out as part of this process.

The best way to identify gaps between ISO 27001 controls and the company’s existing ISMS is to purchase a copy of the ISO 27001 standard and simply run through it like a checklist. Where is your organization already checking the boxes and where does work need to be done?

Prioritizing the Gaps

Many times, an organization will find a few areas where it needs to improve. That is the advantage of doing the gap assessment in the first place. Step two in the process is to take a look at those areas and prioritize what needs to be fixed immediately and what can be put on the back burner. It is a good idea to establish POAMs (Plans of Action and Milestones) so that the organization stays on target for its compliance objectives and timelines.

Filling the Gaps

Finally, the organization needs to take the steps necessary to bring the ISMS into compliance with ISO 27001. This may include:

  • Creating necessary policies
  • Implementing training procedures and policies for all employees
  • Creating appropriate documentation supporting procedures and policies
  • And more

This stage should not simply be left in the hands of the quality manager or IT manager. There should be, as far as possible, representation from leaders of multiple departments so that there is a coherent company-wide approach to ISO 27001 compliance.

Assessment-Ready

Once you feel you have filled all of the gaps, your organization is ready to be audited by an ANAB-accredited certification body (like Smithers). It is advisable to have the assessment done shortly after you have fulfilled the objectives from your gap assessment. The more time that passes after that work, the more likely it is that some facets will no longer be as strong as they should be for the official audit.

What ISO 27001 Questions Do You Have?

If your organization is weighing the pros and cons of pursuing ISO 27001 compliance, feel free to contact us with any questions you have about the certification or the audit process. We are happy to help. Additionally, whether you are seeking assistance with a pre-assessment or an official ISO 27001 audit, we can work with you in that regard as well. Contact our experts today to learn more.
