Thanks to contributions by generous members of the ISO27k Forum, today we published an Excel file containing two spreadsheets: one assesses the gap between the organization's current security management practices and the management system requirements formally specified in ISO/IEC 27001. The other records which of the information security controls recommended by ISO/IEC 27002 management deems relevant to the organization's information risks. If one is designing and implementing an ISO27k-compliant Information Security Management System, both aspects are of interest: the first drives the ISMS gap analysis, the second the Statement of Applicability.
Both spreadsheets incorporate simple unweighted counts of the number of items in each category (i.e. management system requirements fully, partially or not implemented, and information security controls fully, partially or not applicable). Despite being so simplistic, these counts are surprisingly useful metrics for ISO27k implementation projects: tracked over time, they show whether the gap is actually closing.
The Excel file is part of the free ISO27k Toolkit. Enjoy!