
Information Security Risk Management for ISO27001/ISO27002 by Steve Watkins, Alan Calder


CHAPTER 15: THE GAP ANALYSIS AND RISK TREATMENT PLAN

Whilst the Statement of Applicability identifies which of the ISO27001 Appendix A controls (and which, if any, additional controls) are to be implemented, it does not prioritise implementation or provide any guidance for how implementation is to be carried out.

Of course, it would be logical for the organisation to tackle and implement controls in the order of priority (i.e. ‘very high’ first) identified through the risk assessment. The controls that are most critical for the organisation will be those that relate to the threats and vulnerabilities that it has identified, through the risk assessment process, as being most serious to its most critical systems.

Gap analysis

The reality is that ...
