Dear Experts, how does one perform a Gap Assessment please? I need to perform a Gap assessment against a local Cybersecurity framework for an organization. What documents do I need in order to perform this assessment? Thanks in advance.
It seems that you are assessing how much of the cybersecurity framework the organisation has covered, its effectiveness in each domain within the framework, and the residual risk for not covering domains. The short of it is "auditing" to surface the gaps.
Assuming it is the CSF from NIST, you will need to review the areas below. The CSF has descriptive outcomes to achieve which you can run through. From high-level coverage, these are the likely areas you will be looking into for evidence demonstrating that the organisation has achieved them reasonably. It needs to be contextualised to the organisation's profile where possible.
- Identify — Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Categories: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management.
- Protect — Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Categories: Identity Management, Authentication and Access Control, Awareness & Training, Data Security, Info Protection & Procedures, Maintenance, Protective Technology.
- Detect — Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Categories: Anomalies & Events, Security Continuous Monitoring, Detection Process.
- Respond — Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Categories: Response Planning, Communications, Analysis, Mitigation, Improvements.
- Recover — Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Categories: Response Planning, Improvements, Communications.
If you are looking for a guidance tool, even for self-assessment, you can take a look at ISACA. Taking just one example from the case of Asset Management, "Physical devices and systems within the organization are inventoried", you would be looking for evidence:
1. Obtain a copy of physical devices and systems inventory. Review the inventory considering the following:
- Scope of physical devices and systems is based on the organization's risk appetite (e.g., systems that contain sensitive information, allow access to the network, or are critical to business objectives)
- Completeness of inventory (e.g., location, asset number, owner)
- Inventory collection process ensures new devices are collected accurately and in a timely manner (e.g., automated software to detect and/or store the inventory)
- Frequency of inventory reviews
The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) Cyber Security Evaluation Tool (CSET) is another useful tool which can be downloaded; there is a fact sheet, an introductory CSET video, and a walkthrough video of the Cybersecurity Framework approach within the CSET tool.
Nonetheless, there is no one-size-fits-all tool. The baseline is to take a risk-based approach to assess the gaps with respect to the framework. The latter serves as the desired state, though there are means to such an end. So go through the risk management regime for the implementation evidence to seek risk mitigation and acceptance of residual risk where gaps are identified.
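As an added illustration of the answer above (not code from the original post, ISACA or NIST), the following script automates one of the evidence items listed for the Asset Management outcome, reviewing an inventory for completeness of fields and timeliness of collection, and then feeds the result into a simple gap computation across CSF categories: current maturity versus a target profile, weighted by business risk so the largest gaps surface first. The inventory records, the 0-4 maturity scale, the target scores and the risk weights are all constructed for the example; the category identifiers (ID.AM, ID.GV, PR.AC, DE.CM, RS.RP, RC.RP) are the NIST CSF 1.1 codes for the categories the answer names.

```python
from datetime import date

# Constructed sample inventory for a hypothetical organisation (not real data).
# A-002 has no owner, A-003 has no location and was last collected months ago.
INVENTORY = [
    {"asset_id": "A-001", "location": "DC1", "owner": "ops", "last_seen": "2024-06-01"},
    {"asset_id": "A-002", "location": "DC1", "owner": "",    "last_seen": "2024-06-02"},
    {"asset_id": "A-003", "location": "",    "owner": "hr",  "last_seen": "2024-03-15"},
    {"asset_id": "A-004", "location": "HQ",  "owner": "fin", "last_seen": "2024-06-03"},
]
REQUIRED_FIELDS = ("asset_id", "location", "owner", "last_seen")

# Constructed target profile, risk weights and current scores (0 = none, 4 = adaptive).
# ID.AM is left out of CURRENT because it is derived from the evidence review below.
TARGET = {"ID.AM": 3, "ID.GV": 3, "PR.AC": 3, "DE.CM": 3, "RS.RP": 2, "RC.RP": 2}
WEIGHT = {"ID.AM": 3, "ID.GV": 1, "PR.AC": 3, "DE.CM": 2, "RS.RP": 2, "RC.RP": 2}
CURRENT = {"ID.GV": 2, "PR.AC": 3, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}


def review_inventory(records, as_of, max_age_days=30):
    """Return findings for two of the evidence items in the answer:
    completeness of each record and timeliness of collection."""
    findings = []
    for rec in records:
        rid = rec.get("asset_id") or "<no id>"
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append(f"{rid}: incomplete record, missing {', '.join(missing)}")
        if rec.get("last_seen"):
            age = (as_of - date.fromisoformat(rec["last_seen"])).days
            if age > max_age_days:
                findings.append(f"{rid}: stale, last collected {age} days ago")
    return findings


def score_from_findings(n_records, findings):
    """Map the share of records with findings onto the constructed 0-4 scale."""
    if n_records == 0:
        return 0                      # no inventory at all: nothing is achieved
    ratio = len(findings) / n_records
    if ratio == 0:
        return 4
    if ratio <= 0.1:
        return 3
    if ratio <= 0.3:
        return 2
    return 1


def gap_report(current, target, weight):
    """Gap per category = target - current (never negative); priority = gap x risk weight.
    Sorted so the highest-priority gaps come first."""
    rows = []
    for cat, want in target.items():
        have = current.get(cat, 0)     # a category with no evidence scores 0
        gap = max(0, want - have)
        rows.append({"category": cat, "current": have, "target": want,
                     "gap": gap, "priority": gap * weight.get(cat, 1)})
    rows.sort(key=lambda r: (-r["priority"], r["category"]))
    return rows


def run_assessment(as_of=date(2024, 6, 10)):
    """Review the inventory evidence, derive the ID.AM score, and build the gap report."""
    findings = review_inventory(INVENTORY, as_of)
    current = dict(CURRENT)
    current["ID.AM"] = score_from_findings(len(INVENTORY), findings)
    return findings, gap_report(current, TARGET, WEIGHT)


if __name__ == "__main__":
    findings, report = run_assessment()
    for f in findings:
        print("finding:", f)
    for r in report:
        print(f"{r['category']}: current {r['current']} target {r['target']} "
              f"gap {r['gap']} priority {r['priority']}")
```

With the constructed data, three of four inventory records raise findings, so Asset Management scores 1 against a target of 3 and, with its weight of 3, lands at the top of the report ahead of Continuous Monitoring; the "Frequency of inventory reviews" and "Scope" items from the list above remain manual checks against the organisation's policy and risk appetite, which is why the answer stresses contextualising the framework rather than relying on any single tool.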