Gap Analysis or Risk Assessment?
We are often asked ‘should I start my ISO 27001 programme with a gap analysis or is there a better starting point?’. The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.
When it comes to determining your need for information security controls there are a couple of routes you could take. One is to undertake a gap analysis, another to conduct a risk assessment. But what is the difference, and which one should you choose?
Firstly, we need to understand what each of them is before we can determine which course of action is best suited to your needs.
The gap analysis is the more straightforward option. Simply put, you just need to take a list of ‘requirements’ and determine if you have implemented each of the items on your list. For example, you could take all the controls listed in Annex A of ISO 27001 and then check to see if you have each one implemented. Where a control is not implemented, there is a gap. You can then take measures to address that gap by implementing the control.
In terms of the pros and cons of conducting a gap analysis, the big benefit is that it is quick to perform and, therefore, cheaper to conduct.
The downside is that you are not necessarily able to determine if you need to implement each of the controls listed – some of them can be costly to implement and time consuming to operate. If a control is already in place, you might not know if it is serving a purpose, adding value to your organisation’s information security efforts or is simply costing you money with no demonstrable benefit.
The risk assessment approach is more involved than the gap analysis but essentially serves the same purpose, i.e. to determine the controls (or treatments) that need to be in place to protect your information. However, there is one big difference – the risk assessment results enable you to demonstrate why a particular control or treatment is required.
The process requires you to determine the impact on the organisation if its information assets were to be compromised, whether that compromise is related to confidentiality, integrity or availability of the information, whether deliberate or accidental.
You are also able to determine the likelihood of the compromise, as within your risk assessment you are required to determine the nature of threats that your assets face, as well as any vulnerabilities that could allow the threat to materialise.
When putting together, this information enables you to determine and quantify the risks faced by the business. The risk assessment process then uses this information to prioritise the treatment of risk by evaluating if the risk is above or below the organisation’s risk appetite. If it is above, then it should be flagged for treatment. If it is below, then it will likely be monitored for change with no extra action required.
Those risks that have been flagged for treatment may well require the same controls to be implemented that we mentioned under the gap analysis section above, i.e. the Annex A controls from ISO 27001. The big difference is that now we have some quantifiable reasons why each control should be implemented, which puts us in a much better position when putting forward a business case to the leadership team.
Which to Choose
A gap analysis has its uses. It enables an organisation to obtain a high-level view of what information security approaches and controls it has in place. If the controls are chosen from a reputable source, such as ISO 27001, then the organisation will at least be looking at controls that are best practice.
However, in some situations, the leadership team is likely to ask for a justification for releasing resources for controls to be implemented. A gap analysis is not going to give you the information you need to fulfil this request.
A risk assessment, on the other hand, will give you this information and will provide the organisation’s leadership with the assurance it requires that the resources requested are being put to good use.
It also enables the organisation to take a prioritised approach. Resources are likely to be finite and therefore the implementation of some controls may have to wait until more resources are available. The gap analysis will not provide you with the information you need in order to decide which controls to implement first, whereas the risk assessment results will.
There is another reason why a risk assessment would be preferred, and that is your ability to claim conformance with the ISO 27001 Standard. Even if you are not seeking certification, simply to claim conformance with the standard means that you are obliged to implement all the management system elements of it. This includes the requirement to conduct a formal information security risk assessment. Likewise, if you are committed to complying or securing certification, then a risk assessment not only addresses a fundamental requirement but also provides a prioritised action plan.