GAP Analysis of the Information System and ISO/IEC 27001/27002 Standard
NEED (The Customer problem/need resolved with this solution)
Information security management throughout the information lifecycle inside an organizational information system is a complex and demanding process, almost entirely dependent on specific guidelines provided by renowned professional organizations and on legislative regulations. The Croatian standard for information security management systems, HRN ISO/IEC 27001:2006, is a replica of the international standard of the same name, which in fact comprises a set of rules that provide organizations with information security guidelines. Whether in the context of an initial introduction of the security system or of a certification audit (carried out to establish compliance with the standard and thus provide the organization with a respectable international business reference), the GAP analysis process determines the gap between the targets and the current capabilities, verifies the implemented security procedures and information protection measures, and compares them with the guidelines in the above mentioned national standard (its Annex A is elaborated in more detail in the ISO/IEC 27002 standard).
SOLUTION (What does the solution offer?)
The HRN ISO/IEC 27001:2006 standard consists of two crucial sections: the wording of the standard and Annex A. The first section includes general rules for the establishment, implementation, control and enhancement of information security management systems, whereas Annex A contains 134 security controls. Compliance with these controls covers the majority of the requirements in the first section. Since compliance with the above becomes an organizational obligation when the organization applies for security system certification according to the ISO 27001 standard, the fundamental tool of the GAP analysis is a comprehensive list of all requirements together with verification of whether each of them is fulfilled. In addition to recording complete compliance as the best result for each specific requirement, the procedure also offers the possibility to enter the reasons for non-compliance with a specific requirement, i.e. useful comments that provide guidelines for modifications and potential system enhancements.
BENEFIT (What benefits does the Customer obtain from this solution?)
Organizations that have opted for independent implementation of an information security management system, or that have engaged competent third parties to take over responsibility for information protection, can obtain a dual benefit from this business solution. Since this is a comprehensive project that requires the engagement of specialists, it is difficult to evaluate and provide sufficient resources (staff, technical equipment, funds and time) for its implementation without accurate data about the current information system and work practices and their comparison with the requirements of the standard. The GAP analysis thus imposes itself as the optimum solution (in terms of time and funds), and its results are used as inputs for the planning process.
On the other hand, in the final phase of the security system implementation, most commonly motivated by the official certificate of compliance with the ISO 27001 standard, the independent audit of the implemented security controls and the GAP analysis procedure provide the Management Board with a reasonable final guarantee of the quality of the information security achieved inside the organization and foster an effective forthcoming certification application.
OUR ADVANTAGES (Why to use our solution?)
Highly skilled RECRO information security specialists, as attested by the international certificates they hold, provide a competent analysis of the Customer's technical security controls and other protection measures, together with recommendations of best-practice methodologies to enhance the information security management system. As a company active in a variety of IT domains, RECRO, in addition to its IT consulting services, also has substantial know-how and practical experience in implementing and maintaining solutions from the leading global providers of IT equipment and software support.
REQUIREMENTS (What requirements should the Customer fulfill?)
An information confidentiality agreement. Complete access to the configurations and all device data included in the security audit.
PRODUCTS AND SERVICES (What products and services does the solution require and contain?)
- Analysis of compliance with the ISO/IEC 27001:2005 requirements,
- A comprehensive report on system deficiencies,
- Presentation for the Board Members,
- Presentation for the technical staff.