Gap Analysis

ICT Security Gap Analysis

In this ever-changing world, the security controls that worked for an organisation yesterday may no longer be sufficient today. Cyber attacks happen every second of every day, involving disparate companies that don't seem to have anything in common. A security breach can result in the loss of confidential information, potentially leading to financial penalties and a damaged reputation.

An ICT gap analysis allows organisations to identify areas of weakness within their network security controls so that, after remediation, the network is robust and effective. The security gap analysis shows what an organisation should be doing by comparing the policies and procedures in place against industry best practices, and offers insights into how an organisation can put the correct structure and controls in place. You can reap a lot of benefits from performing an information security gap analysis, but only when it is done correctly, by someone who knows the current threats.

What is an information security gap analysis?
An in-depth review is undertaken to understand the status of the cybersecurity risks and vulnerabilities in an organisation so remediation can be undertaken, based on identified priorities.

4 steps for conducting an information security gap analysis

  1. Select an industry-standard security framework
    By selecting an industry-standard security framework, you will have the baseline best practices that you can measure and compare against your own security program. In Australia the Government standard is the Information Security Manual (ISM), released and updated quarterly by the Australian Signals Directorate (ASD). This particular framework provides best practices on information security management, covering key security areas such as user assessment, access control, physical security, change management, and more. The standard provides a great framework to compare security policies and network controls against.
  2. Evaluate your staff and processes
    This normally involves a review of the policies used by the organisation and of the staff's understanding of what these policies mean. It typically covers ICT Security Awareness Training, HR Processes, System Monitoring and Incident Reporting.
  3. Gather data
    This step involves gathering evidence to support the existing implementation and how it ACTUALLY works.
  4. Analyse your security program
    Finally, there is analysis that determines the 'gap' between existing and optimal, and generally plots a path forward.
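As an added illustration of how the four steps fit together (this is example code written for this page, not part of the original article or any ASD tooling): step 1 is a baseline catalogue of controls with weights, steps 2 and 3 are the evidence gathered about how each control actually works, and step 4 scores the gap per control, reports coverage per framework area and orders the remediation path. The control identifiers, weights and evidence below are constructed placeholders, not real ISM control numbers.

```python
"""Gap analysis of implemented security controls against a framework baseline.

Added example, not from the original page. The control catalogue and the
evidence are constructed placeholders, not real ISM control identifiers.
"""
from dataclasses import dataclass

# Evidence status of a control, as found in step 3 ("how it ACTUALLY works").
STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}


@dataclass
class Control:
    control_id: str          # constructed placeholder id, e.g. "CTRL-01"
    area: str                # framework area the control belongs to
    description: str
    weight: int              # 1 (low) .. 3 (high) importance in the baseline


@dataclass
class Gap:
    control: Control
    status: str
    evidence: str
    gap_score: float         # weight * (1 - STATUS_SCORE[status]); 0 means no gap


# Step 1: the baseline. A constructed mini-catalogue standing in for a framework.
BASELINE = [
    Control("CTRL-01", "access control", "MFA enforced for privileged accounts", 3),
    Control("CTRL-02", "access control", "Quarterly review of user access", 2),
    Control("CTRL-03", "awareness", "Annual security awareness training", 1),
    Control("CTRL-04", "monitoring", "Central log collection with retention", 3),
    Control("CTRL-05", "incident", "Documented incident reporting procedure", 2),
]

# Steps 2 and 3: what the policy review and evidence gathering found (constructed).
EVIDENCE = {
    "CTRL-01": ("partial", "MFA on VPN only; admin consoles still password-only"),
    "CTRL-02": ("missing", "No access review records located"),
    "CTRL-03": ("implemented", "Training records for all staff, last run this year"),
    "CTRL-04": ("partial", "Logs collected from servers, not from network devices"),
    # CTRL-05 has no evidence entry at all: a control nobody could show is treated as missing.
}


def analyse(baseline, evidence):
    """Step 4: compute the gap for every baseline control, largest gap first."""
    gaps = []
    for control in baseline:
        status, note = evidence.get(control.control_id, ("missing", "no evidence provided"))
        if status not in STATUS_SCORE:
            raise ValueError(f"unknown status {status!r} for {control.control_id}")
        score = control.weight * (1.0 - STATUS_SCORE[status])
        gaps.append(Gap(control, status, note, score))
    # Sort by gap size, then by weight so important controls surface first on ties.
    gaps.sort(key=lambda g: (-g.gap_score, -g.control.weight, g.control.control_id))
    return gaps


def coverage_by_area(gaps):
    """Percentage of achievable weight that is covered, per framework area."""
    totals, achieved = {}, {}
    for g in gaps:
        area = g.control.area
        totals[area] = totals.get(area, 0) + g.control.weight
        achieved[area] = achieved.get(area, 0) + g.control.weight - g.gap_score
    return {area: round(100 * achieved[area] / totals[area]) for area in totals}


def remediation_path(gaps):
    """Ordered list of control ids that still have a gap: the 'path forward'."""
    return [g.control.control_id for g in gaps if g.gap_score > 0]


if __name__ == "__main__":
    result = analyse(BASELINE, EVIDENCE)
    for g in result:
        print(f"{g.control.control_id} [{g.control.area}] {g.status:<11} "
              f"gap={g.gap_score:.1f}  {g.evidence}")
    print("coverage by area:", coverage_by_area(result))
    print("remediation path:", remediation_path(result))
```

The point of the weighting is that a missing low-importance control (CTRL-03 if it were absent) should not outrank a partially implemented high-importance one; the sort key and the per-area coverage figures make that ordering explicit, and a control with no evidence at all is scored as missing rather than silently skipped.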

Contact us

Telephone: +61 (0) 475 815 455

E-mail: ian@ozicybernomad.com

Address: Somewhere in Australia
