CHAPTER 15: THE GAP ANALYSIS AND RISK TREATMENT PLAN
Whilst the Statement of Applicability identifies which of the ISO27001 Appendix A controls (and which, if any, additional controls) are to be implemented, it does not prioritise implementation or provide any guidance for how implementation is to be carried out.
Of course, it would be logical for the organisation to tackle and implement controls in the order of priority (i.e. ‘very high’ first) identified through the risk assessment. The controls that are most critical for the organisation will be those that relate to the threats and vulnerabilities that it has identified, through the risk assessment process, as being most serious to its most critical systems.
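The ordering rule described above, turned into a small script, as an added example that is not from the book: each risk from the assessment is rated on a qualitative scale and linked to the Annex A controls its treatment relies on; a control inherits the highest rating among the risks it treats, and the plan lists the controls that are not yet implemented, 'very high' first. The sample risks, the control mapping and the set of already-implemented controls are constructed for illustration; control ids follow the ISO 27001:2013 Annex A numbering, which the excerpt itself does not specify.

```python
from collections import defaultdict

# Qualitative risk levels, lowest to highest, as rated in the risk assessment.
RISK_LEVELS = ["low", "medium", "high", "very high"]

# Constructed sample risks: asset, threat, vulnerability, assessed level and
# the Annex A controls relied on to treat the risk. Ids use the
# ISO 27001:2013 Annex A numbering; the mapping itself is illustrative.
SAMPLE_RISKS = [
    {"asset": "payroll server", "threat": "malware",
     "vulnerability": "no anti-malware on hosts",
     "level": "very high", "controls": ["A.12.2.1", "A.12.6.1"]},
    {"asset": "payroll server", "threat": "credential theft",
     "vulnerability": "shared admin accounts",
     "level": "high", "controls": ["A.9.2.3", "A.9.4.2"]},
    {"asset": "marketing website", "threat": "defacement",
     "vulnerability": "unpatched CMS",
     "level": "medium", "controls": ["A.12.6.1"]},
    {"asset": "file share", "threat": "disk failure",
     "vulnerability": "no tested backups",
     "level": "low", "controls": ["A.12.3.1"]},
]

# Constructed current state (assumed input to the gap analysis): controls
# that the organisation already has in place.
SAMPLE_IMPLEMENTED = {"A.12.3.1"}


def control_priorities(risks):
    """Map each control to (highest risk level it treats, number of risks
    it treats). A control shared by a 'very high' and a 'medium' risk is
    prioritised as 'very high', since it addresses the more serious one."""
    best = {}
    count = defaultdict(int)
    for r in risks:
        if r["level"] not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {r['level']!r}")
        for c in r["controls"]:
            count[c] += 1
            if c not in best or RISK_LEVELS.index(r["level"]) > RISK_LEVELS.index(best[c]):
                best[c] = r["level"]
    return {c: (best[c], count[c]) for c in best}


def treatment_plan(risks, implemented):
    """Gap filter plus ordering: controls the risk assessment requires that
    are not yet implemented, highest priority first; ties are broken by the
    number of risks the control treats, then by control id for a stable list."""
    prio = control_priorities(risks)
    gaps = [c for c in prio if c not in implemented]
    gaps.sort(key=lambda c: (-RISK_LEVELS.index(prio[c][0]), -prio[c][1], c))
    return [(c, prio[c][0], prio[c][1]) for c in gaps]


if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_RISKS, SAMPLE_IMPLEMENTED)
    for rank, (control, level, n) in enumerate(plan, 1):
        print(f"{rank}. {control:<9} priority={level:<10} treats {n} risk(s)")
```

With the constructed input, A.12.6.1 comes out first because it treats both a 'very high' and a 'medium' risk, A.12.2.1 second, then the two 'high' access-control items; A.12.3.1 is dropped from the plan because it is already in place. The tie-break on risk count is one reasonable choice, not a rule from the book; an organisation might instead break ties by implementation cost or by the criticality of the affected asset.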
Gap analysis
The reality is that ...