Monday, 16 November 2015

GAP ANALYSIS: DETERMINE THE SUCCESS



In planning the ISMS implementation in the organization, we should analyze the existing and expected security conditions; this is called gap analysis.
Gap analysis is an activity used to quantitatively assess the actual condition against the optimum performance that could be achieved in the information security context. It is also a necessary step for the organization to move from its current state to its desired future state.
The assessment result shows the current information security condition compared to the expected condition according to the ISO/IEC 27001 standard. Gap analysis can be used as a basis to determine investment requirements, such as time, resources, and cost, for establishing information security. Top management and the security officer, as coordinator, have to be involved in conducting the gap analysis in order to obtain valid results.


The methods used during gap analysis are desk assessment and field assessment. A desk-based assessment involves gathering applicable documents, such as written, graphic, photographic and electronic information that already exists, while a field-based assessment involves observing and examining the information security implementation in the field.
The results from both assessment methods are used as the basis for determining the gap. Gap analysis gives an overview of existing conditions so that management can take efforts and priorities into account.
The gap analysis needs to be performed and reviewed continually, before starting the ISMS project and before conducting the certification audit.
