Gap Analysis — ISO 27001:2022 Annex A Controls

  • Document ID: DOC-003
  • Version: 1.0
  • Owner: CISO / Compliance Team
  • Assessment Date: 2025-02-01
  • Classification: Confidential


1. Purpose

This gap analysis identifies the delta between Pay2Go Financial Inc.'s current information security posture and the requirements of ISO/IEC 27001:2022 Annex A. Each gap is rated by severity, assigned an owner, and given a target remediation date.


2. Methodology

Controls were assessed using three inputs:

  1. Interviews with system owners and team leads
  2. Review of existing policy and configuration documentation
  3. Technical observation (system configurations, access control lists, log samples)

Maturity Scale:

| Level | Label | Description |
|---|---|---|
| 1 | Initial | No formal process. Ad hoc or nonexistent. |
| 2 | Developing | Process exists but is inconsistent or undocumented. |
| 3 | Defined | Documented and consistently followed, but not fully measured. |
| 4 | Managed | Measured, monitored, and reviewed regularly. |
| 5 | Optimizing | Continuously improved; benchmarked against industry standards. |

Gap Severity:

| Severity | Meaning |
|---|---|
| 🔴 Critical | Significant risk exposure. Immediate action required. |
| 🟠 High | Meaningful gap. Must be addressed in next 90 days. |
| 🟡 Medium | Moderate gap. Address within 6 months. |
| 🟢 Low | Minor gap or documentation only. Address within 12 months. |

3. Gap Summary by Domain

3.1 Organizational Controls (A.5)

| Control ID | Control Name | Current State | Maturity | Gap Severity | Key Gap |
|---|---|---|---|---|---|
| A.5.1 | Policies for information security | Draft exists; not board-approved | 2 | 🟠 High | No formal approval or distribution process |
| A.5.9 | Inventory of assets | Maintained but incomplete | 3 | 🟡 Medium | Cloud assets added late; no auto-discovery |
| A.5.14 | Information transfer | No formal data transfer agreements | 1 | 🔴 Critical | Bank partner data sharing lacks documented controls |
| A.5.23 | Security for cloud services | Partial AWS baseline applied | 2 | 🟠 High | No formal Cloud Security Policy; shared responsibility undocumented |
| A.5.30 | ICT readiness for business continuity | No tested failover plan | 1 | 🔴 Critical | RTO/RPO undefined; failover never tested |

3.2 People Controls (A.6)

| Control ID | Control Name | Current State | Maturity | Gap Severity | Key Gap |
|---|---|---|---|---|---|
| A.6.1 | Screening | Background checks done; informal | 4 | 🟢 Low | Not formally documented; contractors inconsistently screened |
| A.6.3 | Awareness training | Annual training not yet launched | 2 | 🟠 High | Staff have no formal security awareness program |
| A.6.8 | Information security event reporting | No formal reporting channel | 1 | 🔴 Critical | Staff do not know how or where to report incidents |

3.3 Physical Controls (A.7)

| Control ID | Control Name | Current State | Maturity | Gap Severity | Key Gap |
|---|---|---|---|---|---|
| A.7.1 | Physical security perimeters | DC perimeter controls in place | 4 | 🟢 Low | Access log review not formalized |
| A.7.8 | Equipment siting and protection | Office equipment secured | 3 | 🟡 Medium | Remote employee workstation security not audited |

3.4 Technological Controls (A.8)

| Control ID | Control Name | Current State | Maturity | Gap Severity | Key Gap |
|---|---|---|---|---|---|
| A.8.2 | Privileged access rights | No PAM tool; manual review only | 2 | 🔴 Critical | Privileged accounts not regularly reviewed; no JIT access |
| A.8.3 | Information access restriction | RBAC partially implemented | 2 | 🟠 High | Role definitions outdated; access reviews irregular |
| A.8.5 | Secure authentication | MFA not enforced on all accounts | 3 | 🟠 High | Admin and cloud accounts inconsistently protected |
| A.8.7 | Protection against malware | EDR deployed on most endpoints | 4 | 🟡 Medium | 3 endpoints not yet enrolled in EDR |
| A.8.9 | Configuration management | No enforced baselines | 1 | 🟠 High | Server configs managed ad hoc; no IaC enforcement |
| A.8.12 | Data leakage prevention | No DLP tooling in place | 1 | 🟡 Medium | No detection of sensitive data exfiltration |
| A.8.16 | Monitoring activities | Logs collected but not centralized | 2 | 🟠 High | No SIEM; no automated alerting on anomalies |
| A.8.24 | Use of cryptography | AES-256 / TLS 1.3 in use | 4 | 🟢 Low | Encryption standards not formally documented |
| A.8.28 | Secure coding | No SAST in pipeline | 2 | 🟠 High | Code reviews manual; no automated security testing |
| A.8.34 | Protection during audit | No read-only audit accounts | 1 | 🟡 Medium | Auditors currently use production admin accounts |

4. Gap Count by Severity

| Severity | Count | Controls |
|---|---|---|
| 🔴 Critical | 4 | A.5.14, A.5.30, A.6.8, A.8.2 |
| 🟠 High | 8 | A.5.1, A.5.23, A.6.3, A.8.3, A.8.5, A.8.9, A.8.16, A.8.28 |
| 🟡 Medium | 5 | A.5.9, A.7.8, A.8.7, A.8.12, A.8.34 |
| 🟢 Low | 3 | A.6.1, A.7.1, A.8.24 |

5. Remediation Roadmap

Immediate (0–30 days)

  • Create a formal incident reporting channel (Slack #security-incidents + runbook)
  • Begin evaluation of PAM tools (CyberArk, BeyondTrust, or HashiCorp Vault)
  • Define RTO/RPO targets for transaction processing systems
  • Enforce MFA on all AWS root and admin accounts

Short-term (30–90 days)

  • Draft and board-approve Information Security Policy
  • Sign data transfer agreements with all banking partners
  • Launch mandatory security awareness training (KnowBe4 or similar)
  • Deploy SIEM (AWS Security Hub + CloudWatch or Splunk)
  • Integrate SAST tool (Snyk or Semgrep) into CI/CD pipeline

Medium-term (90–180 days)

  • Complete access role review across all systems
  • Deploy DLP solution
  • Enforce IaC-based configuration baselines (Terraform + AWS Config rules)
  • Create dedicated read-only audit accounts
  • Audit and enroll remaining 3 endpoints in EDR
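As an added example (not part of this gap analysis or Pay2Go's own code), the Terraform below shows how three roadmap items become enforceable, auditable AWS configuration: AWS Config managed rules that flag any account drifting from the MFA baseline (A.8.5, A.8.9), and a dedicated read-only auditor role bound to the AWS-managed SecurityAudit policy so auditors no longer need production admin accounts (A.8.34). The provider block, an existing Config recorder, the auditor account ID and the role name are assumptions.

```hcl
# Assumed: provider "aws" and an AWS Config recorder are already defined.

# A.8.5 / A.8.9: managed Config rules evaluate continuously and report
# NON_COMPLIANT the moment root or an IAM user lacks MFA.
locals {
  mfa_rules = {
    "root-account-mfa-enabled"           = "ROOT_ACCOUNT_MFA_ENABLED"
    "iam-user-mfa-enabled"               = "IAM_USER_MFA_ENABLED"
    "mfa-enabled-for-iam-console-access" = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
  }
}

resource "aws_config_config_rule" "mfa_baseline" {
  for_each = local.mfa_rules
  name     = each.key

  source {
    owner             = "AWS"
    source_identifier = each.value
  }
}

# A.8.34: trust policy for the auditor role; only MFA-authenticated
# principals from the (placeholder) auditor account may assume it.
data "aws_iam_policy_document" "auditor_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"] # placeholder account
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "auditor_readonly" {
  name                 = "iso27001-auditor-readonly" # placeholder name
  assume_role_policy   = data.aws_iam_policy_document.auditor_trust.json
  max_session_duration = 3600 # one-hour sessions keep audit access short-lived
}

# SecurityAudit is AWS-managed and read-only: it can list and describe
# security configuration but cannot modify resources.
resource "aws_iam_role_policy_attachment" "auditor_readonly" {
  role       = aws_iam_role.auditor_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

Compliance results from the three rules can be surfaced in AWS Security Hub, which the Short-term SIEM item already names, so the same evidence serves both A.8.5 remediation and the A.8.16 monitoring gap.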

Long-term (180–365 days)

  • Test ICT failover (tabletop + technical runbook)
  • Formalize and document encryption standards policy
  • Complete cloud security policy and shared responsibility mapping
  • Achieve ISO 27001 certification readiness (pre-audit)