Please Note: This sample shows only a small part of the complete gap assessment tool.
ISO/IEC 27001 Gap Assessment Tool - Questionnaire
(ISO/IEC 27001: Information security management systems - Requirements)

Terms Used
ISMS = Information Security Management System

| Area | Section | Sub-section | ISO/IEC 27001 Requirements | ISO/IEC 27001 requirements met? | Action needed to meet requirement | Action owner |
|---|---|---|---|---|---|---|
| 4 Context of the organization | 4.1 Understanding the organization and its context | | Have the external and internal issues that affect the ISMS been determined? | Yes | | |
| | 4.2 Understanding the needs and expectations of interested parties | | Have the interested parties and their requirements been identified? | Yes | | |
| | 4.3 Determining the scope of the information security management system | | Has the scope of the ISMS been determined and documented? | Yes | | |
| | 4.4 Information security management system | | Is an ISMS in place and being continually improved? | Yes | | |
| | Totals: | | | 4 | | |
| 5 Leadership | 5.1 Leadership and commitment | | Does top management demonstrate leadership and commitment to the ISMS by providing resources and communicating effectively? (see list a to h) | Yes | | |
| | 5.2 Policy | | Is a documented information security policy in place? | Yes | | |
| | | | Does it set objectives for the ISMS? | Yes | | |
| | | | Does it commit the organization to satisfying requirements and continually improving the ISMS? | Yes | | |
| | | | Is it adequately communicated? | Yes | | |
| | 5.3 Organizational roles, responsibilities and authorities | | Are roles, responsibilities and authorities for the ISMS defined? | Yes | | |
| | Totals: | | | 6 | | |
| 6 Planning | 6.1 Actions to address risks and opportunities | 6.1.1 General | Does the plan for the ISMS take into account the relevant issues and requirements? | Yes | | |
| | | | Are all of the relevant risks and opportunities determined? | Yes | | |
| | | | Are actions planned to address the identified risks and opportunities? | Yes | | |
| | | 6.1.2 Information Security Risk Assessment | Is a documented information security risk assessment process defined and applied? | Yes | | |
| | | | Is it clear when risk assessments should be carried out? | Yes | | |
| | | | Has a risk assessment been carried out with respect to the confidentiality, integrity and availability of the information within scope? | Yes | | |
| | | | Have risk owners been identified? | Yes | | |
| | | | Have risks been analysed, evaluated and prioritised for treatment? | Yes | | |