CERTIKIT ISO27001 Implementation Guide v10

Page 12

ISO/IEC 27001 Implementation Guide

In order to help answer these questions, the CertiKit ISO/IEC 27001 Toolkit provides certain resources. The ISO27001-17-18 Gap Assessment Tool is an Excel workbook (two workbooks really, see below) that breaks down the sections of the ISO/IEC 27001 standard (and, separately, the ISO/IEC 27017 and ISO/IEC 27018 codes of practice) and provides a way of quantifying to what extent your organization currently meets the requirements contained within them. By performing this gap assessment, you will gain a better appreciation of how much work may be involved in getting to a point where a certification audit is possible.

In fact, the Toolkit provides a choice of two ways to perform your gap assessment: Requirements-based or Questionnaire-based. The Requirements-based gap assessment tool shows the number of requirements in each section of the standard and then allows you to specify how many of these you feel your organization currently meets. This is useful if you want to relate directly back to the requirements of the standard, but it has the disadvantage that you have to be able to identify the requirements individually from your own copy of the standard document (for copyright reasons we don’t show the full text of all of the requirements in this gap assessment). The alternative is to use the Questionnaire-based gap assessment tool. Again, this breaks the standard down by section and sub-section, but this time a series of key questions is asked in order to assess how close your organization is to meeting the standard. The questions are designed to address the main requirements of the standard, and a positive answer means that you are likely to be conformant. Both options include a variety of tables and charts showing an analysis of where your organization meets the standard – and where work must still be carried out. Those are the two options provided by default as part of the Toolkit.
However, if you would prefer to have all of the exact requirements of the standards laid out for you, without needing to refer to a copy of the standard document, then we provide two further tools which are chargeable extras to the Toolkit and are available via the CertiKit website. We can provide these because we have a licensing agreement with ISO, via BSI, to include the full contents of the requirements of each standard (for which CertiKit pays a license fee). Firstly, if your interest is exclusively in the ISO/IEC 27001 standard, then we have the ISO27001 Enhanced Gap Assessment Tool. This goes several steps further than the default gap assessment by breaking down the text of the ISO/IEC 27001 standard itself into individual requirements (with the full text of each requirement) and providing a more detailed analysis of your conformance. It can also be used to allocate actions against individual requirements. Secondly, if your organization prefers to assess itself against not only ISO/IEC 27001 but also the ISO/IEC 27017 and ISO/IEC 27018 codes of practice, then we offer the ISO27001-17-18 Enhanced Gap Assessment Tool. In addition to everything that’s in the ISO27001-only version, this tool includes a full breakdown of the requirements (again, with the full text of each requirement) for the codes of practice too.

www.certikit.com
