https://www.pivotpointsecurity.com/difference-between-iso-27001-gap-assessment-risk-assessment/