Polesynck
Gap Analysis Report

Information Security Policy v3.2

Analysed 2025-01-15

Score: 68%

Findings by severity: Critical 3 · High 5 · Medium 4 · Low 2

ISO 27001 Controls Coverage: 47 / 93 (46 Annex A controls not addressed in this policy)

Findings (14 total · showing top 6)

A.5.12 · No documented asset classification scheme · critical

The policy does not define how information assets are classified by sensitivity. ISO 27001:2022 Annex A control 5.12 (Classification of information) expects information to be classified according to its protection needs, with the information owner accountable for assigning and maintaining the classification.

Remediation

Define an information classification policy with at minimum three tiers (Public, Internal, Confidential) and a handling rule for each tier. Assign a data owner to each asset category and record the classification and owner in the asset register.

A.5.23 · Cloud services security not addressed · critical

The policy contains no controls for securing information in cloud environments. A.5.23 requires defined processes for the acquisition, use, management of, and exit from cloud services.

Remediation

Add a cloud security addendum covering: an approved cloud providers list, data residency requirements, a shared responsibility matrix per provider and service model (IaaS/PaaS/SaaS), and exit procedures including data return and verified deletion.

A.8.16 · Monitoring activities not defined · critical

No requirements for network or system monitoring are documented. The policy does not address anomaly detection, and it also omits log retention (the related logging control, A.8.15).

Remediation

Define minimum monitoring requirements including log retention (min. 12 months), SIEM coverage for critical systems, which event sources must be collected, and escalation procedures for detected anomalies.

A.6.8 · Information security event reporting unclear · high

The process for reporting suspected security incidents is described vaguely and lacks a defined contact point or escalation path.

Remediation

Create an incident reporting procedure document with a named security contact (a role with a backup, not only an individual), reporting channels (email, ticketing system), and expected response SLAs.

A.8.2 · Privileged access review not scheduled · high

Policy states that privileged accounts should be reviewed but does not define a review frequency or responsible party.

Remediation

Mandate quarterly privileged access reviews. Assign responsibility to IT Security and document the review in a formal procedure. Include service accounts, shared credentials, and emergency (break-glass) accounts, and retain each review's keep/revoke decisions as audit evidence.

A.7.4 · Physical security monitoring coverage unclear · medium

The policy references physical access controls but does not specify monitoring requirements for server rooms or data processing areas.

Remediation

Document required physical controls for each facility tier including CCTV, access logs, and visitor management procedures.
