If you’re responsible for or involved with Information Security in your organisation, then when you’re planning for the year ahead, your risk and compliance activities likely have a prominent place on your to-do list. Is it re-certification time? Do you have an audit coming up in Q2? Is it business as usual, but you’re stuck on which things to prioritise each quarter?
Sounds like you would benefit from a gap analysis.
What is a gap analysis?
A gap analysis determines the information security needs of your organisation against your framework of choice, looking at how well you already meet it and where there are areas for improvement. Usually it is the first step in your certification process, but you can also have one conducted in isolation so that you can make an informed decision down the line.
The person conducting your gap analysis will start by assessing the state of your current security posture, taking into account your regulatory and legal compliance requirements, evaluating your strategies and processes, any risks you may have, and your critical assets (data, networks, systems, etc.). They will then compare this information to your desired state for all of these things. Most often the desired state will be the requirements of an information security framework, such as PCI DSS, ISO 27001, NIST or GDPR/DPA. Lastly, you will receive recommendations in a written report on how to get from where you are currently to where you want to be. Some organisations also request workshops and briefings, which are useful for communicating status to leadership.
When should you get a gap analysis?
There are different reasons for an organisation to request a gap analysis. Your organisation may need one when you’re required to:
Adhere to a new version of a standard:
PCI DSS v4.0, for example, will become the de facto standard in March 2024, so you need to make sure you’re planning compliance with the new version of this standard as soon as possible. Another example is transitioning from ISO 27001:2013/17 to the 2022 version.
Prepare for an audit or review of certification:
This suits risk and compliance managers who have already done the hard work of setting up processes to meet the certification requirements (such as ISO 27001), but want to ensure that they are still conducting them the way they should be before their renewal or audit date.
Take the first step in gaining certification:
A gap analysis gives you an accurate picture of the work that digital security experts will need to do to get your processes where they need to be, so you can assess the effort involved and how much it will cost before committing to certification.
Align with a standard or certification (without actually certifying):
We can perform a gap assessment against a recognised standard such as ISO 27001, ISO 22301 or NIST CSF, even if you do not plan to gain formal certification. This way, you can provide senior management with assurance that your company is moving in the right direction in terms of industry best practice. We can also build an established maturity scale into the assessment, using our proven maturity model, to show your current cyber security status and exactly what you need to do to progress.
In-house versus external consultant
When you engage an external party to conduct a gap analysis, you benefit from their broad experience with not only a wide range of frameworks, but also a wide range of businesses and industries.
When they do an analysis, they can highlight processes and controls that are ‘almost there’. We’re big believers in not starting from scratch if we don’t have to – if a process or document just needs a few tweaks to align it with the framework, that is what we’ll recommend.
Where it might take an in-house person weeks to conduct interviews and write a report—because they have to balance these activities out with their day-to-day work—an external consultant with deep knowledge of controls will very likely save you time and money because they know them so well and their sole objective is to complete the analysis.
Whether the gap analysis is part of a bigger process or a standalone piece of work, our experts can support you with any framework, including:
- ISO 27001
- PCI DSS
- NIST CSF
- ISO 22301
- Data Protection (GDPR/DPA)
You’ve got a gap analysis report, now what?
On completion of a gap analysis, you will have an informed understanding of what the next steps are, whether or not you want the full service to gain certification. Those next steps will vary depending on the framework, the specific needs of your organisation and the service provided.
If you opt for the gap analysis in isolation, we will provide you with a full report and guidance on how to remediate the gaps we uncovered.
We can also provide a Treatment Plan that feeds into your Security Strategy, indicating timeframes and priorities while taking into account quick wins, pragmatic resource needs and longer-term efforts.
Talk to us
Getting your ‘house’ in order can be daunting, more so if there are a lot of rooms (competing responsibilities) and/or a big house (complex organisation). It doesn’t have to be – by starting off your year or any governance-related project with a gap analysis, you can benefit from a new set of eyes along with their expertise.
Our team of dedicated cyber security professionals has years of experience in helping organisations gain and maintain certification across a multitude of Information Assurance frameworks, so you can focus on your core operations. Talk to us for more information, or to make a start on your gap analysis.