ISO 27001:2022 Gap Analysis

    ISO 27001 Gap Analysis - Score Clauses & Annex A Controls

    Run a free ISO 27001 gap analysis against every ISO 27001:2022 clause and Annex A control. Score documentation and evidence, then turn each gap into a tracked action with an owner, evidence requirement, and target date before Stage 1 or Stage 2.

    A scoring model that reflects audit reality

    Auditors don't only ask "do you have it?" - they ask "can you prove it?". Each requirement is scored from 0 to 3 so documentation and evidence are graded separately.

    0

    Not implemented

    No process, document, or control exists for this requirement.

    1

    Partially documented

    Some written guidance exists but it is incomplete or not approved.

    2

    Implemented but weak evidence

    The control runs in practice, but evidence is thin, inconsistent, or hard to retrieve.

    3

    Implemented and evidenced

    Control is operating, documented, and supported by repeatable evidence an auditor can sample.

    From gap to closed action

    A gap is only useful if it leads to a tracked change. This is the path each finding follows once it leaves the assessment.

    Gap found
    Action created
    Owner assigned
    Evidence defined
    Risk / SoA updated
    Internal audit checked
    Management review informed

    Sample gap log

    Each requirement is captured with the current score, the underlying gap, and the action needed to close it - including who owns it and what evidence will satisfy an auditor.

    RequirementScoreGapActionOwnerEvidence neededTarget
    Clause 6.1.2 - Risk assessment process1Methodology drafted but not approved; criteria for likelihood and impact missing.Finalize and approve risk methodology with defined scales.ISMS ManagerSigned methodology documentWeek 2
    A.5.15 - Access control2Access reviews happen ad-hoc; no record of who reviewed what.Implement quarterly access review with sign-off log.IT LeadQuarterly access review recordsWeek 4
    A.8.16 - Monitoring activities0No centralized logging or alerting in place.Enable log collection and define alert thresholds.Security EngineerLogging policy + sample alertsWeek 6
    Clause 9.2 - Internal audit0No internal audit has been performed against the ISMS.Plan and run first internal audit covering all clauses.Internal AuditorAudit plan, report, findings logWeek 8
    Clause 9.3 - Management review1Leadership discussions happen but no formal minutes against the required inputs.Hold management review meeting using the required inputs/outputs.ISMS SponsorSigned management review minutesWeek 9

    Gaps become tracked tasks in Audit Room

    The Gap Analysis tool gives you a prioritised list. Audit Room is where those items live as tracked tasks with owners, due dates, evidence requirements, and status against ISO 27001:2022 clauses and Annex A controls.

    Findings exported

    Open gaps move into Audit Room as actionable items, grouped by clause and control.

    Owners and dates

    Each item gets an owner, target date, and evidence requirement so nothing drifts.

    Audit-ready status

    Track open / in progress / closed and surface the same data in management review.

    The Gap Analysis tool helps you structure, score, and prioritise work against ISO 27001:2022. It does not guarantee certification, replace internal audit, or replace your certification body's Stage 1 or Stage 2 assessment.

    Gap analysis questions

    Start gap analysis

    Score each requirement, capture the gap, assign the owner, and define the evidence an auditor will accept.

    Start gap analysis