Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?

What is the Difference Between a Gap Analysis and a Risk Assessment?

Firstly, you need to understand what each of them is before determining which course of action is best suited to your needs.

What is a Gap Analysis?

The gap analysis is the more straightforward option.  Simply put, you just need to take a list of ‘requirements’ and determine if you have implemented each of the items on your list.  

For example, you could take all the controls listed in Annex A of ISO 27001 and then check to see if you have implemented each one.  

Where a control is not implemented, there is a ‘gap’.  You can then take measures to address that gap by implementing the control.

In terms of the pros and cons of conducting a gap analysis, the big benefit is that it is quicker and less expensive to conduct compared to a risk assessment.

The downside is that you are not necessarily able to determine if you need to implement each of the controls listed – some of them can be costly to implement and time-consuming to operate.  

If a control is already in place, you might not know if it is serving a purpose, adding value to your organisation’s information security efforts or is simply costing you money with no demonstrable benefit.

What is a Risk Assessment?

The risk assessment approach is more involved and time-consuming than the gap analysis, but has the notable advantage of enabling you to demonstrate why a particular control or treatment is required and not just because it is in Annex A of ISO 27001.

The process requires you to determine the impact on the organisation if its information assets were to be compromised, whether that compromise is related to confidentiality, integrity or availability of the information, whether deliberate or accidental.

You are also able to determine the likelihood of the compromise, as within your risk assessment you are required to determine the nature of threats that your assets face, as well as any vulnerabilities that could allow the threat to materialise.

By considering impacts, threats and vulnerabilities, you will be able to determine and quantify the risks faced by your organisation.  

The risk assessment process then uses this information to prioritise the treatment of risk by evaluating if the risk is above or below the organisation’s risk appetite.  

If it is above, then it should be flagged for treatment.  If it is below, then it will likely be monitored for change with no extra action required.

Those risks that have been flagged for treatment may well require the same controls to be implemented that we mentioned under the gap analysis section above, i.e.  the Annex A controls from ISO 27001.  

The big difference is that now we have some justification why each control should be implemented, which puts us in a much stronger position when submitting a business case to the leadership team.

Which to Choose

A gap analysis has its uses.  It enables an organisation to obtain a high-level view of what information security approaches and controls it has in place.  

If the controls are chosen from a reputable source, such as ISO 27001, then the organisation will at least be looking at controls that are considered to be best practice.

However, in some situations, the leadership team is likely to ask for a justification for releasing resources for controls to be implemented.  

A gap analysis is not going to provide you with the information you need to deal with this request.

A risk assessment, on the other hand, will provide this information and will serve to reassure the organisation’s leadership team that the resources requested are being put to good use.

It also enables the organisation to take a prioritised approach.  Resources are likely to be finite and, therefore, the implementation of some controls may have to wait until more resources are available.  

The gap analysis will not provide you with the information you need to decide which controls to implement first, whereas the risk assessment results will.

There is another reason why a risk assessment is often preferred, and that is your ability to claim conformance with the ISO 27001 Standard.  

Even if you are not seeking certification, simply to claim conformance with the Standard means that you are obliged to implement all the mandatory management system elements.  

This includes the requirement to conduct a formal information security risk assessment.  Likewise, if you are committed to complying or securing certification, then a risk assessment not only addresses a fundamental requirement, but also provides a prioritised action plan.