ISO 27001 Gap Analysis - Score Clauses & Annex A Controls
Run a free ISO 27001 gap analysis against every ISO 27001:2022 clause and Annex A control. Score documentation and evidence, then turn each gap into a tracked action with an owner, evidence requirement, and target date before Stage 1 or Stage 2.
A scoring model that reflects audit reality
Auditors don't only ask "do you have it?" - they ask "can you prove it?". Each requirement is scored from 0 to 3 so documentation and evidence are graded separately.
Not implemented
No process, document, or control exists for this requirement.
Partially documented
Some written guidance exists but it is incomplete or not approved.
Implemented but weak evidence
The control runs in practice, but evidence is thin, inconsistent, or hard to retrieve.
Implemented and evidenced
Control is operating, documented, and supported by repeatable evidence an auditor can sample.
From gap to closed action
A gap is only useful if it leads to a tracked change. This is the path each finding follows once it leaves the assessment.
Sample gap log
Each requirement is captured with the current score, the underlying gap, and the action needed to close it - including who owns it and what evidence will satisfy an auditor.
| Requirement | Score | Gap | Action | Owner | Evidence needed | Target |
|---|---|---|---|---|---|---|
| Clause 6.1.2 - Risk assessment process | 1 | Methodology drafted but not approved; criteria for likelihood and impact missing. | Finalize and approve risk methodology with defined scales. | ISMS Manager | Signed methodology document | Week 2 |
| A.5.15 - Access control | 2 | Access reviews happen ad-hoc; no record of who reviewed what. | Implement quarterly access review with sign-off log. | IT Lead | Quarterly access review records | Week 4 |
| A.8.16 - Monitoring activities | 0 | No centralized logging or alerting in place. | Enable log collection and define alert thresholds. | Security Engineer | Logging policy + sample alerts | Week 6 |
| Clause 9.2 - Internal audit | 0 | No internal audit has been performed against the ISMS. | Plan and run first internal audit covering all clauses. | Internal Auditor | Audit plan, report, findings log | Week 8 |
| Clause 9.3 - Management review | 1 | Leadership discussions happen but no formal minutes against the required inputs. | Hold management review meeting using the required inputs/outputs. | ISMS Sponsor | Signed management review minutes | Week 9 |
Gaps become tracked tasks in Audit Room
The Gap Analysis tool gives you a prioritised list. Audit Room is where those items live as tracked tasks with owners, due dates, evidence requirements, and status against ISO 27001:2022 clauses and Annex A controls.
Findings exported
Open gaps move into Audit Room as actionable items, grouped by clause and control.
Owners and dates
Each item gets an owner, target date, and evidence requirement so nothing drifts.
Audit-ready status
Track open / in progress / closed and surface the same data in management review.
The Gap Analysis tool helps you structure, score, and prioritise work against ISO 27001:2022. It does not guarantee certification, replace internal audit, or replace your certification body's Stage 1 or Stage 2 assessment.
Gap analysis questions
Start gap analysis
Score each requirement, capture the gap, assign the owner, and define the evidence an auditor will accept.
Start gap analysis