ISO/IEC 27001 and the infamous gap analysis

Nigel Landman
4 min read, Oct 29, 2024

Following a quick chat with ChatGPT (Oct 2024), the AI suggested that, overall, a gap analysis is a strategic tool for any organization aiming to uphold a high standard of information security, ensuring its ISMS remains aligned with ISO/IEC 27001 requirements and best practices.

One cannot disagree that, in a lot of cases, a gap analysis is a strategic tool, but is it one that is required to be conducted to ensure that the ISMS is aligned with ISO/IEC 27001 requirements?

A gap analysis is one thing, internal audit is another (see Table 1 further on).

The reason for the question is that clauses 9.2.1 and 9.2.2 talk of internal audit in general, and of the audit programme. Importantly, clause 9.2.2 requires objectivity and impartiality of the audit process, among other requirements. Further, clauses 9.3.2 and 9.3.3 require management review inputs and results. The inputs include feedback on information security performance, including, but not exclusively, audit results, non-conformities and corrective actions. [1]

From the latter point in the above paragraph, purists might suggest that audit results and management reviews refer to the outcomes of stage 2 and surveillance audits by the organisation’s selected external accredited certifying body (CB). ISO/IEC does not suggest this, either in ISO/IEC 27001 or in its guidance document.

For clarification [2]:

1. An audit, according to ISO, is a “systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.

a. Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself.

b. External audits include those generally called second- and third-party audits.

i. Your contracted certifying body (CB) is an external third party.

The audit criteria in the case of ISO/IEC 27001 are the requirements in clauses 4 to 10. But let us just make sure.

2. Audit criteria, as defined by ISO, are a “set of requirements used as a reference against which objective evidence is compared”.

3. An audit programme, incidentally, is “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”. Let us say the purpose is to answer the question: does our ISMS meet the requirements of ISO/IEC 27001?

An obvious challenge is that many organisations may not have an internal audit function, hence the need to outsource this activity. However, an internal audit as required by ISO/IEC 27001 can be completed by other internal parties if impartiality (presence of objectivity [3]), objectivity, and competence (ability to apply knowledge and skills to achieve intended results [4]) can be demonstrated. The same goes for an external party acting on behalf of the organisation.

Do not get bogged down with the requisites of internal and external audit functions. Ordinarily an internal audit function is financially orientated, separate from operations, and reports into the highest levels of the organisation, such as top management or audit committees. But the scope in our context is not financial, it is ISO/IEC 27001. Whoever does the internal audit should be separate from the operations and the implementation team, and should provide a report for top management so that they understand what has been done, or not, and any non-conformities that must be addressed, before heading towards your stage one and stage two CB audits.

Table 1 — Adapted from ChatGPT, 2024

The gap analysis allows us to see where the organisation is now compared to where it needs to be in the future to meet the requirements of ISO/IEC 27001. The output is a set of plans and actions to reach the intended objective.

Internal audit allows us to see, via a programme of planned audits, whether the organisation is maintaining its ISMS as per the requirements of ISO/IEC 27001. The output provides assurance to top management, and communicates the actions required to address non-conformities or opportunities for improvement.

NRL

[1] ISO/IEC (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. [online] ISO. Available at: https://www.iso.org/standard/27001 [Accessed 2024]. Clauses 9.2 to 9.3.

[2] ISO (2018). ISO 19011:2018 Guidelines for auditing management systems. ISO. s3.1 Audit, s3.7 Audit criteria, s3.4 Audit programme.

[3] ISO (2024). ISO/IEC 17021-1:2015(en) Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements. [online] ISO. Available at: https://www.iso.org/obp/ui/en/#iso:std:iso-iec:17021:-1:ed-1:v1:en [Accessed 29 Oct. 2024]. s3.2 definition of impartiality. Objectivity is noted as meaning that conflicts of interest do not exist. Objectivity may also be referred to as “independence”, “freedom from conflict of interests”, “freedom from bias”, “lack of prejudice”, “neutrality”, “fairness”, “open-mindedness”, “even-handedness”, “detachment” and “balance”.

[4] ISO (2024). ISO/IEC 17021-1:2015(en) Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements. [online] ISO. Available at: https://www.iso.org/obp/ui/en/#iso:std:iso-iec:17021:-1:ed-1:v1:en [Accessed 29 Oct. 2024]. s3.7 definition of competence.