| ISO/IEC 27001:2022 requirement | Current practice | Gap identified | Risk/impact | Priority | Recommendation | Owner | Target date | Acceptance evidence |
|---|---|---|---|---|---|---|---|---|
| 6.1 Risk management (methodology and treatment) | No formal risk methodology; ad hoc assessments; no risk register | No documented process for risk identification, analysis, evaluation, treatment, or acceptance | Unmanaged risks; weak SoA justification; audit failure risk | High | Approve risk methodology and criteria; establish risk register; run initial risk workshop; document treatment plans and residual risk acceptance | ISMS Manager | DD/MM/YY | Signed risk methodology; populated risk register; approved treatment plans |
| 6.2 Information security objectives | Objectives not defined or measured | No measurable security objectives aligned to business needs | No basis for performance evaluation; weak management review | Medium | Define SMART objectives (e.g., MFA coverage, MTTR, restore RTO/RPO, training coverage); link to KPIs | Executive Sponsor | DD/MM/YY | Objectives register; dashboard with baselines/targets |
| 7.2-7.3 Competence and awareness | Ad hoc onboarding; no role-based training plan | Low awareness; no records of periodic training | Higher human-error risk; nonconformity in audits | Medium | Establish role-based training plan; annual refresh; track attendance; include instructors/support staff | HR/ISMS | DD/MM/YY | Training plan; curricula; attendance records |
| 8.1 Operational planning and control | Controls implemented inconsistently; limited procedures | Procedures missing for key controls (e.g., change, restore, access reviews) | Inconsistent execution; weak evidence trail | High | Publish minimum operating procedures (change, restore test, access review, incident, patching); enforce usage | IT/Cloud Ops | DD/MM/YY | Approved procedures; sampled records showing use |
| A.5.21 Third-party security | No formal vendor assessments or security clauses | Supplier risks unmanaged; no assurance | Exposure via cloud/proctoring/payment vendors | High | Implement vendor risk management: due diligence, contractual controls, attestations, monitoring, annual reassessment | Vendor Mgmt/Legal | DD/MM/YY | Completed DDQ; contract clauses; assurance artefacts; review logs |