Gap analysis and pre-certification support the development of an information security management system (ISMS) before the actual certification audit. They identify possible defects and development needs, show the maturity level of the ISMS and its readiness for certification, and save cost by letting the organisation develop, deploy and certify the system in one smooth sequence rather than correcting nonconformities after a failed audit.
When is the right time for a company to carry out a gap analysis and pre-certification?
A gap analysis should be carried out when most of the processes and procedures of the information security management system have been created and documented.
The pre-certification should be done after the gap analysis, but before the actual certification audit. By then the system has been documented and deployed, and sufficient evidence (records, logs, review minutes) has been gathered about the operation of the information security management system.
Gap analysis prepares for preliminary assessment
The gap analysis assesses the documentation and records of the information security management system against the requirements of the ISO 27001 standard. The gap analysis report gives a good overview of the documented processes and procedures of the information security management system and maps the defects, faults or weaknesses that must be addressed before the pre-certification. The report on the results is delivered to the customer to support the development of the system.
Preliminary assessment gives an introduction to the audit process
The pre-certification assesses how well the information security management system meets the requirements of the ISO 27001 standard. The assessment includes an independent review of the scope of application, the Statement of Applicability (SoA) and the information security risk management plan.
The organisation receives an overview of which parts of the system fulfil the requirements of the standard and where clear defects and development needs are found, whether in the documentation or in the practical implementation. Pre-certification identifies the issues that need further development before the actual certification assessment.
Pre-certification is also a good way to learn about the audit process and its formal details. In the closing meeting at the end of the assessment, the auditor reviews the observations made during the pre-certification. A pre-certification report is also delivered to the customer; the observations, possible defects and development opportunities are recorded in it.
Benefits of pre-certification and gap analysis
- An expert assessment on the information security management system and its deployment
- An assessment by an independent third party
- Information about the maturity level of the system and its readiness for certification
- Information about the possible defects and potential development targets discovered
- Cost savings, because defects found before the certification audit are cheaper to correct than nonconformities raised during it
- Review of the scope of application of the information security management system
VTT Expert Services as an ISO 27001 certifier
We carry out gap analyses, preliminary assessments, assessments and certifications of information security management systems in accordance with the ISO 27001 standard. Our experienced assessors will help your company in matters related to the certification of an information security management system.