ISO 27002:2021 Gap Analysis
Information Security, Cybersecurity & Privacy Protection
General
This edition of ISO 27002 establishes the criteria for best practice in the management of Information Security, Cybersecurity & Privacy Protection, relevant to both ISO 27001 and EU-GDPR. The controls required to meet the requirements of this Standard correlate comprehensively with the legislative requirements of EU-GDPR, for appropriate technical and organizational measures, organization-wide.
For a brief introduction to this Standard and the Enable ISO Statement of Applicability (SoA), watch the video introduction.
Introduction
Subsequent to our initial Scope Meeting, where we discuss the scope of the gap analysis relevant to the organization, we open our Gap Analysis engagements with 3 sessions.
• Where the organization has prepared a Statement of Applicability (SoA), the initial evaluation is required so that the assigned Consultant Lead Auditor can assess the disposition of the organization relevant to the requirements of the Standard and EU-GDPR.
• For organizations who are beginning their ISO journey, we amalgamate the time allocated for the initial evaluation with the Opening Session, so that the relevant aspects can be discussed to plan for an effective gap analysis.
Initial Offline Evaluation
This initial engagement includes a high-level review of the organization's Statement of Applicability (SoA), along with relevant policies and records to support its compliance obligations toward information security.
This evaluation is carried out by the assigned Consultant Lead Auditor, who will then lead the gap analysis through to completion.
Time allocation: 60-90 minutes, depending on the organization.
Opening Session
A meeting to introduce the audit methodology and prepare for the scheduled sessions.
This meeting also provides an opportunity to discuss relevant Contextual Issues, including those associated with the requirements of Interested Parties.
At this stage of the analysis, strategic interests need to be considered, where they may have a potential impact on the organization's ability to effectively manage information security.
Time allocation: 60-90 minutes, depending on the organization.
Offline Internal Evaluation
Organizational documentation is evaluated by the auditor to determine requirements for evaluation throughout the engagement.
The assigned Consultant Lead Auditor will use the learnings from this evaluation to effectively prepare for the scheduled gap analysis sessions to follow.
Time allocation: 120-240 minutes, depending on the organization.
Each session looks at a number of subclauses of ISO 27002:2021, grouped by topical aspect and function. This element of the gap analysis evaluates the organization's disposition toward the organizational controls required for effective information and privacy security management.
There are 6 remote sessions to be arranged of varying durations. Each session may require the participation of different management representatives, dependent on their responsibilities toward information security relevant to the analysis criteria.
Part 1: Management Responsibilities
A meeting with the leadership team to evaluate the organization's position with regard to policy requirements, management responsibilities, and how internal and external contextual issues relevant to information security are identified to inform threat intelligence.
In addition, governance with regard to project management, regardless of the type of project, is considered, where relevant to the organization.
It is expected that the nominated management representatives participating in this session will have a good understanding of how the organization currently manages these aspects.
It may be necessary for an appointed DPO to be present, where applicable.
Time allocation: 60-90 minutes, depending on the organization
Part 2: Information Asset Management & Access Control
A review of how the organization provides for inventories of systems, applications and data assets.
This session looks closely at asset classification relevant to EU-GDPR. Appropriate labelling of information assets to meet organizational requirements is also considered.
Access to information and systems is evaluated against the criteria to determine the effectiveness of current measures.
The minimum expectation is for the principle of least privilege to be the governing rule of thumb.
To achieve the best outcomes from this session, the management representatives for IT systems and Access Control need to participate.
This may require engaging with external providers as applicable to the organization.
Time allocation: 60-90 minutes, depending on the organization
Part 3: Supply Chain Security
This session addresses supplier relationships, where external providers may have an impact on information security.
Contractual arrangements come under review to determine the effectiveness of current controls and identify areas for improvement, where applicable.
The Standard Contractual Clauses or "Model Clauses", as promoted by EU-GDPR, are used as a benchmark relevant to organizational requirements.
Importantly, the management representatives responsible for managing supplier relationships need to be available to participate in this session for effective progress to be made.
Time allocation: 60-90 minutes, depending on the organization
Part 4: Incident Response
How the organization determines its incident response activities, resources and planning requirements comes under evaluation in this session.
The focus is on maintaining the confidentiality, integrity and availability of the data being processed.
This session can benefit from the participation of relevant team leaders and department heads, where they are responsible for significant data processing activities, or where there may be areas of concern relevant to incident response.
Time allocation: 45-60 minutes, depending on the organization
Part 5: Business Continuity
The primary focus of this session is to evaluate how the organization provides for business continuity management during a disruptive event.
How specific categories of events are assessed for business continuity requirements, through to testing the abilities of the organization to deliver to those needs, comes into consideration.
As with incident management, relevant personnel need to participate to achieve the best results.
Time allocation: 45-60 minutes, depending on the organization
Part 6: Compliance
Relevant to EU-GDPR and other applicable data protection legislation, the requirements of the organization are considered to determine the effectiveness of the provisions in this regard.
Where applicable, Intellectual Property management is discussed to determine relevant controls.
Internal audit functions, including technical and code reviews, where applicable, are considered.
The importance of an independent review of technical and organizational measures is discussed. (The gap analysis provides for this requirement relevant to ISO 27001 Certification).
Management representatives for compliance, data governance, IT security, etc., need to participate to achieve best outcomes.
It may be necessary for the appointed DPO to be available, where applicable.
Time allocation: 60-90 minutes, depending on the organization
The importance of appropriate organizational controls relevant to people or personnel management cannot be underestimated. Our analysis of people controls for ISO 27002:2021 considers organizational requirements for contractual arrangements, including non-disclosure, responsibilities toward the reporting of information security issues and concerns, responsibilities for information assets, etc.
People controls are evaluated through 2 remote sessions, with participation from the relevant management representatives.
Part 1: People 1
Employee contractual arrangements, training, and internal reporting and disciplinary procedures are reviewed as part of this session.
Provisions for ongoing awareness of information security policies and controls are evaluated.
Changes to terms of employment, changing roles, etc., are also considered.
Participation is required by management representatives who have authority and access to relevant documents and records, for effective progress to be made.
Time allocation: 45-75 minutes, depending on the organization
Part 2: People 2
The terms of non-disclosure relevant to organizational requirements are assessed to determine the effectiveness of established controls.
Also, the significance of information security relevant to remote working is considered to ensure appropriate controls are in place.
Importantly, formal mechanisms for the reporting of information security issues and concerns are assessed for effectiveness.
Management representatives with a full understanding of the data processing requirements of operations, need to participate in this session for good progress to be made.
Time allocation: 30-45 minutes, depending on the organization
Physical and environmental security controls are critical to the information security requirements of any organization. For ISO 27002:2021, the physical controls are provided for through a number of subclauses, which we address in 3 remote sessions.
Video footage of walk-abouts at relevant locations, demonstrating good practice in areas such as perimeter security and access to premises, protection of controlled processing areas, segregated work areas, common areas, etc., can be used to support the gap analysis. In some circumstances, it may be necessary to arrange a location visit to validate specific requirements.
Part 1: Physical Security Controls
In this session we look closely at the physical security requirements for data processing facilities and workplaces.
Perimeter and internal security, protected work areas, document storage, server and comms rooms all come under consideration, where applicable.
Monitoring and inspections to evaluate and maintain the effectiveness of physical security controls are also considered at this stage.
To achieve the best results, management representatives with responsibilities for physical security are required to participate.
This may require some input from those with leadership responsibilities in operations, admin, and other organizational functions, as applicable.
Time allocation: 45-60 minutes, depending on the organization
Part 2: Secure Operations
Resourcing information security in operations and data processing is the main consideration for this session.
At this stage, we evaluate the effectiveness of established controls for continued suitability and effectiveness.
Siting of equipment, clear desk and clear screen controls are considered, where appropriate.
Where the organization processes or stores data at off-site or at secondary locations, information security controls are considered relevant to the needs of the organization.
Management representatives with responsibilities toward physical security, IT security and operations will be required to provide input into this session in order to achieve best outcomes.
Time allocation: 30-60 minutes, depending on the organization
Part 3: Media & Equipment Security
In this session, we evaluate the effectiveness of established information security controls for the management of data storage and repositories, cabling and routing, and the provision of utilities and other critical services necessary for effective operations.
In addition, we evaluate how the organization maintains and disposes of information assets at end-of-life or through planned purges, etc.
To achieve the best results, participation is required from management representatives with responsibilities for maintaining information systems, and the subsequent disposal of information assets, whether data or physical assets.
Time allocation: 45-60 minutes, depending on the organization
A total of 8 remote sessions are required to cover the criteria of this section of the ISO 27002:2021 Standard, which addresses the criteria for the technical measures required for the organization, relevant to both the Standard and EU-GDPR.
For each session, management representatives responsible for IT systems, access and control, are required to participate. External providers with responsibilities toward these aspects may also need to participate to achieve best outcomes.
Part 1: Endpoint Security
Reference: Information Asset Management & Access Control (Above)
In this session we review the established controls over information assets, relevant to the classification scheme adopted by the organization, and other considerations determined when we looked at Organization Controls for asset management and access control.
Allocated time: 45-60 minutes, depending on the organization
Part 2: Systems Security
Information systems protection is considered through this session, with a focus on critical controls including malware protection.
How the organization resources the monitoring of technical vulnerabilities is evaluated for suitability and effectiveness.
Allocated time: 45-60 minutes, depending on the organization
Part 3: Secure Data Management
This session looks at the specific requirements of the organization for how data is to be protected when stored and processed on relevant information systems.
Data masking, leak protection, backup and restore functions are all considered relevant to the nature of the processing.
Allocated time: 45-60 minutes, depending on the organization
Part 4: Logging & Monitoring
Systematic monitoring and logging is considered to evaluate organizational requirements and to ensure that appropriate levels of controls are established.
Clock synchronization is an important aspect, which is also addressed.
How the organization provides for the management of utility programmes and software applications is also considered in detail.
Allocated time: 45-60 minutes, depending on the organization
Part 5: Network Security Management
The management of network security is considered at this session. Segregation within networks is an important aspect which is discussed to determine the effectiveness of organizational provisions.
Network transactions are also important with regard to confidentiality, integrity and availability, and are considered relevant to the specific requirements of the organization.
Allocated time: 45-60 minutes, depending on the organization
Part 6: Filtering & Cryptographic Controls
Access to websites and other online platforms needs to be controlled to ensure effective information security management.
Integrity and availability are the control aspects of importance in this regard.
Cryptographic controls are evaluated, particularly where it is within the organization's capacity to enable endpoint encryption.
Encryption is expected to be used where available to the organization as an additional layer of security.
Allocated time: 45-60 minutes, depending on the organization
Part 7: Secure Application Development
For those organizations who carry out software development, or indeed outsource this type of activity, this session looks at some important requirements of information security controls.
This also applies to systems development, which may not require software development, but can equally impact on the organization's ability to protect information and processing facilities.
Allocated time: 60-120 minutes, depending on the organization
Part 8: Secure Test & Change Management
Testing and approval of systems changes and newly developed applications can provide many opportunities for risk to the data being processed.
In this important session, we consider the requirements of the organization with regard to the technical and organizational measures required to effectively provide for its obligations toward ISO 27002 and EU-GDPR.
Allocated time: 45-60 minutes, depending on the organization.
Once the analysis phase is complete, the assigned Consultant Lead Auditor works alone to prepare their report.
Our reporting provides a comprehensive record of all of the criteria discussed throughout the gap analysis sessions, along with professional guidance on the scope of work required to close the identified gaps.
Offline Reporting
Offline reporting documented by the project Lead Information & Privacy Security Auditor.
Allocated time: 240-360 minutes, depending on the organization
Wrap Up Session
A meeting for all participants to discuss and assign action points arising from the Information & Privacy Security Gap Analysis engagements.
Allocated time: 60-90 minutes, depending on the organization