What Is an ISO 27001 Gap Analysis?
A gap analysis compares your organization's current information security practices against the requirements of ISO 27001:2022. It identifies where you already comply, where you partially comply, and where you have significant gaps that need to be addressed before certification.
Think of it as a diagnostic - you need to know your starting point before you can plan the journey to certification.
When Should You Conduct a Gap Analysis?
Before starting implementation. The gap analysis informs your project plan, resource allocation, and timeline. Without it, you are estimating effort blindly.
After significant organizational changes. Mergers, new products, new locations, or major technology changes can create new gaps.
Before your certification audit. A pre-audit gap analysis helps you identify and fix issues before the external auditor finds them.
Annually as part of continual improvement. Regular gap analysis ensures you maintain compliance and identify emerging gaps.
Gap Analysis Methodology
Step 1: Define Assessment Scope
Your gap analysis should cover the same scope as your planned ISMS:
- ISO 27001 Clauses 4-10 (management system requirements)
- All 93 Annex A controls (to identify applicable controls and their implementation status)
Step 2: Establish Assessment Criteria
For each requirement, assess using a consistent maturity scale:
| Level | Status | Description |
|---|---|---|
| 0 | Not Started | No awareness or activity |
| 1 | Initial | Ad hoc, undocumented practices |
| 2 | Developing | Partially documented, inconsistently applied |
| 3 | Defined | Documented, communicated, generally followed |
| 4 | Managed | Monitored, measured, and consistently applied |
| 5 | Optimized | Continually improved based on metrics |
For certification, most requirements need to be at Level 3 or above.
Step 3: Assess Clause Requirements
Work through each ISO 27001 clause systematically:
Clause 4 - Context of the Organization
- Have you identified external and internal issues affecting the ISMS?
- Have you identified interested parties and their requirements?
- Is the ISMS scope documented?
Clause 5 - Leadership
- Has top management demonstrated commitment?
- Is there an information security policy?
- Are roles and responsibilities assigned?
Clause 6 - Planning
- Is there a risk assessment methodology?
- Has a risk assessment been conducted?
- Are information security objectives defined?
Clause 7 - Support
- Are adequate resources allocated?
- Is competence documented?
- Is there a security awareness program?
- Is documented information controlled?
Clause 8 - Operation
- Are operational planning and control processes in place?
- Have risk assessments been performed?
- Have risk treatment plans been implemented?
Clause 9 - Performance Evaluation
- Is monitoring and measurement in place?
- Has an internal audit been conducted?
- Has a management review been conducted?
Clause 10 - Improvement
- Is there a process for handling nonconformities?
- Are corrective actions tracked?
- Is there evidence of continual improvement?
Step 4: Assess Annex A Controls
For each of the 93 Annex A controls, assess:
- Applicability: Is this control relevant to your organization?
- Implementation status: Using the maturity scale above
- Evidence: What evidence supports your assessment?
- Gap description: If not fully implemented, what specifically is missing?
- Priority: How urgently does this gap need to be addressed?
Step 5: Prioritize Gaps
Not all gaps are equally important. Prioritize based on:
Risk-based priority:
- Gaps that expose the organization to high or critical risks - address first
- Gaps in controls that protect the most sensitive assets - address first
- Gaps that affect multiple areas or processes - address first
Audit-based priority:
- Mandatory clause requirements (Clauses 4-10) - must be addressed
- Controls marked as applicable in your SoA - must be addressed
- Areas auditors commonly focus on (access control, incident management, risk assessment) - address early
Effort-based priority:
- Quick wins (low effort, high impact) - do immediately
- Major projects (high effort, high impact) - plan and resource properly
- Nice-to-haves (low effort, low impact) - schedule when convenient
Step 6: Build the Action Plan
For each identified gap, document:
| Field | Description |
|---|---|
| Gap ID | Unique reference |
| Requirement | ISO 27001 clause or Annex A control |
| Current Status | Maturity level assessment |
| Target Status | Required maturity level |
| Action Required | Specific steps to close the gap |
| Owner | Person responsible for the action |
| Priority | Critical, High, Medium, Low |
| Target Date | When the gap should be closed |
| Resources Needed | Budget, tools, external support |
What Auditors Look For
When reviewing your gap analysis (or conducting their own Stage 1 assessment), auditors specifically check:
- Completeness: Have you assessed all clauses and applicable Annex A controls?
- Objectivity: Are your assessments realistic, or have you overstated compliance?
- Evidence: Can you demonstrate the status you have assessed?
- Action planning: For identified gaps, do you have a realistic remediation plan?
- Progress tracking: Are you monitoring progress against the plan?
Common Mistakes
Being too optimistic. Rating a control as "Managed" when you have a policy document but no evidence it is followed. Be honest - it is better to identify gaps now than during the certification audit.
Assessing in isolation. The gap analysis should involve department heads and process owners, not just the security team. They know the reality of how processes actually work.
Not documenting evidence. For each assessment, note what evidence supports your rating. This prepares you for the auditor's evidence requests.
Skipping the action plan. A gap analysis without an action plan is just a list of problems. The value is in the prioritized remediation plan.
Conduct Your Gap Analysis Today
The Gap Analysis tool on iso27001kit.com guides you through every ISO 27001 clause and Annex A control with a structured assessment workflow. It generates a prioritized gap report with recommendations and an exportable action plan.
Combined with the Implementation Roadmap tool, you can turn your gap analysis results into a phased project plan with realistic timelines and milestones.
Start your gap analysis now - free
Found this article helpful?
Share it with your colleagues.
