The main thing to ensure in any compliance gap analysis is that the scope is understood by you, the stakeholders and any other people involved in the compliance processes. To do this you'll need to establish:
- The relevant stakeholders for the analysis.
- The systems, people and processes that are going to be included in the review.
- The detailed requirements against which the gap analysis is to be performed.
One of the key problems in many gap analyses is getting time in people's diaries for interviews. I find that it helps to first email potential interviewees with a clear statement of the purpose of the interview and the topics that will be covered.
No matter how many steps you take to prepare for the analysis, there is no substitute for knowing the requirements in detail. Also keep in mind that interviews have a habit of going in different directions, so you need to thoroughly understand the metrics being applied in order to gain the required information during the limited interview time available.