Phase I: ISO/IEC 27001 Scoping & Gap Assessments
An ISO/IEC 27001 Scoping & Gap Assessment is much more than a prescriptive, check-the-box engagement to determine what gaps exist and how to correct them. Rather, it’s an incredibly important exercise that yields enormous benefits to an organization when performed correctly.
What drives an organization - any organization - in terms of its business?
The people, that’s who, and more importantly, the culture of the organization. That’s why the very first step in an ISO/IEC 27001 Scoping & Gap Assessment is having a healthy dialogue on all things relating to information security, cybersecurity, and privacy.
First Step: Why are We Here?
“Why are we here” with regards to ISO/IEC 27001 is the very first question we ask our clients. Specifically, what has brought about the need for obtaining ISO/IEC 27001 certification? Those four simple words are all that’s needed to start the dialogue and begin to truly understand the organization’s culture, its strengths, its weaknesses, and the road that lies ahead in terms of ISO/IEC 27001. Before we even begin to discuss what an Information Security Management System (ISMS) is - and all other aspects of ISO/IEC 27001 - we want to learn about your organization, your people, your processes - your culture.
A successful Q&A requires participation from a cross-sectional representation of personnel from various departments, allowing for a healthy discussion on the broader topics of information security, cybersecurity, privacy - and anything else that’s relevant. There’s a time and place in the ISO/IEC 27001 Scoping & Gap Assessment for doing the prescriptive, check-the-box activities, but that comes later.
Second Step: Assessing & Understanding Scope and an ISMS
Next, it’s critical to assess, understand, and ultimately, define scope in terms of ISO/IEC 27001. This brings into the conversation what’s known as an information security management system (ISMS). Specifically, an ISMS is a framework of well-written policies, procedures, processes - and other related measures and initiatives - that systematically manages information security, cybersecurity, and privacy risks throughout an organization.
Furthermore, an ISMS includes the processes, people, technology, and procedures that are designed to protect against unauthorized access, use, disclosure, disruption, modification, or destruction of information. Therefore, to gain ISO/IEC 27001 certification, auditors will want to examine all the various measures that constitute a sufficient ISMS in terms of its policies, procedures, processes - and other related measures and initiatives. With MorganHill, we’ll bring you up to speed on all the specifics of an ISMS.
Third Step: Understanding & Assessing ISO/IEC 27002 Annex A Controls
For the third step in the Phase I Scoping & Gap Assessment, organizations will then assess their environment against the list of 93 Annex A controls found within ISO/IEC 27001:2022 and ISO/IEC 27002:2022 and begin the process of determining which controls are deemed in scope for the ISMS, and ultimately, for working towards ISO/IEC 27001 certification. When reviewing each of the 93 controls for scoping purposes, it’s important to assess their applicability in terms of the following three information security requirements:
- Overall business risks
- Legal, statutory, regulatory and contractual requirements
- The principles, objectives, and business requirements an organization has developed to support its operations.
Start thinking now about what these three information security requirements really mean in terms of their impact on your organization. It’s also important to note that a risk assessment should be performed during this stage to help you better understand scope and overall business risks, and to help ensure that the Statement of Applicability (SoA), a required document, aligns with the organization’s needs.
While ISO/IEC 27001 provides no specifics on the type of risk assessment - and risk treatment process - to use, it does provide a list of required criteria that the process must include. With MorganHill, we’ve developed a highly useful and adaptable Information Security Risk Assessment Program that covers all areas required by clauses 6.1.2 and 6.1.3 of ISO/IEC 27001:2022.
Fourth Step: Gap Assessment Findings, ISMS and Statement of Applicability (SoA)
The end result of the Phase I ISO/IEC 27001 Scoping & Gap Assessment is a formalized document detailing the initial findings and the next steps for remediating all deficiencies found. You’ll also have a solid footing in terms of being able to document your ISMS in a brief, yet detailed, narrative summary.
And lastly, you’ll be provided with what’s known as an ISO/IEC 27001 Statement of Applicability (SoA), which is a document that summarizes an organization’s position on each of the 93 Annex A controls. The SoA will be collaboratively developed - and agreed upon - by both parties involved (i.e., your organization and MorganHill). More specifically, a well-written SoA must:
- Identify which controls an organization has selected to address identified risks.
- Explain why these controls have been selected.
- State whether the organization has implemented the controls.
- Explain why any controls have been omitted.
Begin your ISO/IEC 27001 journey today with our industry-leading ISMS 27001 Scoping & Gap Assessment Workbook. Our comprehensive, in-depth ISMS 27001 Scoping & Gap Assessment Workbook will help organizations clearly define the scope of their Information Security Management System (ISMS) as required by ISO/IEC 27001.
This industry-leading ISMS 27001 Scoping & Gap Assessment Workbook, developed by MorganHill, will accurately - and correctly - determine which parts of the organization - the people, processes, and technologies - will be covered by the ISO/IEC 27001 certification. Save dozens of hours and thousands of dollars with our ISMS 27001 Scoping & Gap Assessment Workbook.