Phase 1: ISO 27001 Gap Assessment
Orange Parachute uses the Orange Parachute Proven Process™ to develop and implement an ISO 27001 certifiable or conformant ISMS. Phase 1 of the Proven Process
is an ISO 27001 Gap Assessment that defines the current state of your Information Security Management System (i.e. the information security management practices already in place
and adopted) for the desired scope of ISO 27001 certification.
GOALS
The existing information security program (the desired scope of the ISMS) is analyzed for its ability to manage information security through:
- Direction, based on risk and/or regulatory, statutory or contractual requirements
  - What to do
  - How to do it
- Control, or the ability to
  - Monitor through visibility
  - Measure through metrics
  - Communicate
  - Extract actionable intelligence from raw data
- Reaction, or the ability to
  - Turn actionable intelligence into preventive or corrective actions
  - Monitor the resulting projects to conclusion
The existing information security infrastructure elements are assessed for reusability in order to:
- Avoid "re-inventing the wheel" when developing the ISMS
- Minimize change
DELIVERABLES
1. Orange Parachute ISO 27001 Section 4-8 Assessment
The existing information security management program within scope (the ISMS) is analyzed for its ability to manage information security.
- Provides a step-by-step assessment of the ISO 27001 Section 4-8 auditable requirements for certification against your existing information security infrastructure.
- Provides specific remarks for each applicable requirement, including remediation suggestions.
2. Annex A (ISO 27002) Assessment - 133 Controls
The existing information security controls are analyzed for their risk justification and for the level of monitoring and measurement (metrics) applied to them.
- Maps your existing controls to the 133 controls of ISO 27001 Annex A (ISO 27002).
- Gives a high-level overview of the existing controls.
3. Information Security Management System Framework
The Orange Parachute ISO 27001 Information Security Management System Framework is a visual representation of the ISO 27001 requirements for certification. As part of the
Gap Assessment deliverables, Orange Parachute provides an easy-to-understand Executive Dashboard, color-keyed (Red, Orange, Yellow and Green), showing the
"Current State" of your organization's Information Security Management Program against the "Desired State" required for ISO 27001 certification.
4. Information Security Program Scope Diagram (ISMS Scope Diagram)
The Orange Parachute Information Security Program Scope Structure is another visual representation of the existing ISMS components, arranged according to your
organization's structure (for the desired scope of the ISMS). These underlying components include all of the documents, committees, processes, controls, etc., as well
as who "owns" them, by listing every entity (internal or external) that is Accountable and/or Responsible for preserving the Confidentiality, Integrity and
Availability (CIA) of the information entrusted to the organization. Loss of confidentiality, integrity or availability, whether intentional or accidental, is the risk basis against which all
information security is measured under ISO 27001. As part of the Gap Assessment deliverables, Orange Parachute provides a scope diagram of the
"Current State" versus the "Desired State" of your Information Security Program, including all in-scope participant groups.
5. ISO 27001 Gap Assessment Executive Summary
The Gap Assessment deliverables include an Executive Summary and a summary for each phase of PLAN, DO, CHECK and ACT, specifying your organization's current state
and what is required to reach the "desired state" required for ISO 27001 certification.