ISO 27001 Gap Analysis Tool
Assess your current security posture against ISO 27001 requirements
About This Tool
How the Quick Scan works
Answer 12 yes/partial/no questions, one per ISO 27001 domain. We weight each answer (Not Started = 0%, In Progress = 50%, Implemented = 100%) and average them into an overall readiness score with a domain-by-domain breakdown. Takes around 2 minutes - no signup required.
Quick Scan - 12 questions
Do you have approved, documented information security policies that are reviewed regularly?
Why it matters: ISO 27001 Clause 5.2 and A.5.1 require a policy set approved by leadership, communicated to staff, and reviewed at planned intervals (typically annually).
Are information security roles and responsibilities clearly defined and assigned?
Why it matters: Clause 5.3 and A.5.2 expect named owners for the ISMS, controls, and incident response, usually captured in a RACI or job descriptions.
Do you run a documented information security risk assessment and treatment process?
Why it matters: Clauses 6.1.2 and 6.1.3 require a repeatable methodology, a maintained risk register, and documented treatment decisions linked to Annex A controls.
Do you enforce least-privilege access, MFA, and periodic access reviews?
Why it matters: Annex A.5.15 to A.5.18 cover access policy, user lifecycle (joiner/mover/leaver), privileged access, and review of access rights.
Do you have a cryptographic policy covering keys, algorithms, and data at rest/in transit?
Why it matters: Annex A.8.24 requires rules for the use of cryptography, including approved algorithms, key lifecycle and protection of keys.
Are physical perimeters, entry controls and equipment protected against unauthorised access?
Why it matters: Annex A.7 covers physical perimeters, entry controls, secure areas, equipment siting, and secure disposal of media and devices.
Do you have a tested incident response process with logging and reporting?
Why it matters: Annex A.5.24 to A.5.28 require planning, reporting, assessing, responding to, and learning from information security incidents, supported by event logging (A.8.15).
Do you have tested business continuity and disaster recovery plans for critical services?
Why it matters: Annex A.5.29 and A.5.30 require ICT continuity plans with defined RTO/RPO that are tested on a regular schedule.
Do you assess and monitor the security of suppliers handling your data?
Why it matters: Annex A.5.19 to A.5.23 require supplier inventories, security clauses in agreements, monitoring, and managing changes for ICT and cloud providers.
Do you track legal, regulatory and contractual security obligations applicable to you?
Why it matters: Annex A.5.31 to A.5.36 require identifying legal/regulatory requirements (e.g. GDPR), protecting records, and running independent reviews of information security.
Do you maintain an inventory of information assets with owners and classification?
Why it matters: Annex A.5.9 to A.5.13 require inventories of information and associated assets, ownership, acceptable use, classification and handling rules.
Do staff receive regular security awareness training and phishing simulations?
Why it matters: Clause 7.2/7.3 and Annex A.6.3 require staff to be competent and aware of the ISMS, the policies that apply to them, and their security responsibilities.
Unlock Full Results & All 11 Tools
Export complete reports, remove limits, and access every ISO 27001 tool plus Risk Copilot. Includes ISO 27001 AI Assistant Plus (150 messages/day) at no extra cost.
What Is an ISO 27001 Gap Analysis?
An ISO 27001 gap analysis is a structured assessment that compares your organization's current information security management practices against the requirements of the ISO 27001:2022 standard. The purpose is to identify "gaps" — areas where your existing policies, controls, and processes fall short of what the standard demands. By performing a thorough gap assessment, you gain a clear picture of your compliance posture and can plan a realistic path toward certification or continual improvement.
A gap analysis is typically the first step in any ISO 27001 implementation project. Whether you are pursuing certification for the first time, transitioning from the 2013 version, or performing an annual review, a well-executed ISO 27001 gap analysis tells you exactly what work remains, how much effort and budget to allocate, and where to focus your team's attention.
Why Do Organizations Need an ISO 27001 Gap Analysis?
Without a baseline assessment, most organizations vastly underestimate the scope of an ISO 27001 implementation. A gap assessment delivers several critical benefits:
- Clear visibility into compliance status: Instead of guessing, you know precisely which clauses and Annex A controls are already met and which require remediation.
- Informed budgeting and planning: Management can allocate resources accurately when they can see the volume and complexity of remaining work.
- Risk-based prioritization: Not every gap carries the same level of risk. A proper ISO 27001 gap analysis checklist helps you rank remediation tasks by business impact and likelihood of exploitation.
- Stakeholder buy-in: A professional gap assessment report gives leadership concrete data to support the business case for certification.
- Audit readiness: External auditors expect to see evidence that you assessed your starting point. A documented gap analysis is often the first artifact they review.
These same principles apply to related standards. For example, organizations pursuing business continuity certification often run a parallel ISO 22301 gap analysis using the same methodology to identify shortfalls in their continuity management system.
How to Use This ISO 27001 Gap Analysis Tool
Our free ISO 27001 gap analysis tool is designed to guide you through a complete assessment in minutes, not days. Here is how to get the most out of it:
- Enter your organization details: Start by providing your organization name, the scope of the assessment (e.g., "All IT operations" or "London HQ only"), and the assessor's name. This information populates your final report automatically.
- Assess each control: Work through every ISO 27001:2022 clause and all 93 Annex A controls. For each one, select a compliance status — Fully Implemented, Partially Implemented, Not Implemented, or Not Applicable. Add notes and evidence references where relevant.
- Review your compliance score: As you rate controls, the tool calculates your overall compliance percentage and breaks it down by category. Visual indicators highlight the areas that need the most attention.
- Prioritize remediation: Each gap is automatically assigned a priority level based on its compliance status. Focus on high-priority items first to close the most critical gaps quickly.
- Export your report: Download a professional gap assessment report in Excel, PDF, or HTML format. These reports are audit-ready and suitable for management review or submission to certification bodies.
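The scoring described in the Quick Scan section and in the assessment steps above, as an added Python example (not the tool's own code): status weights averaged overall and per category, plus a priority-ordered gap list. The exclusion of "Not Applicable" from the denominator and the status-to-priority mapping are assumptions the page does not state.

```python
# Added example, not the tool's own code: scores an assessment the way the
# page describes (Not Started/Not Implemented = 0%, In Progress/Partially
# Implemented = 50%, Implemented = 100%, averaged overall and per category).
# Assumptions not stated on the page: "Not Applicable" is excluded from the
# denominator, and priority is High for not-done, Medium for partial controls.
from collections import defaultdict

WEIGHTS = {
    "Not Started": 0.0, "Not Implemented": 0.0,        # Quick Scan / full labels
    "In Progress": 0.5, "Partially Implemented": 0.5,
    "Implemented": 1.0, "Fully Implemented": 1.0,
}
NOT_APPLICABLE = "Not Applicable"
PRIORITY = {  # assumed mapping; the page only says priority follows status
    "Not Started": "High", "Not Implemented": "High",
    "In Progress": "Medium", "Partially Implemented": "Medium",
}


def score(assessment):
    """assessment: iterable of (control_id, category, status).
    Returns (overall_pct, {category: pct}, [(control_id, priority), ...]).
    A category whose controls are all N/A maps to None, and an all-N/A
    assessment returns None overall, so nothing ever divides by zero."""
    totals = defaultdict(lambda: [0.0, 0])  # category -> [weight sum, count]
    gaps = []
    for control_id, category, status in assessment:
        bucket = totals[category]  # created even if this control turns out N/A
        if status == NOT_APPLICABLE:
            continue
        bucket[0] += WEIGHTS[status]  # an unknown status raises KeyError on purpose
        bucket[1] += 1
        if status in PRIORITY:
            gaps.append((control_id, PRIORITY[status]))
    by_category = {c: (round(100 * s / n, 1) if n else None)
                   for c, (s, n) in totals.items()}
    n_all = sum(n for _, n in totals.values())
    overall = round(100 * sum(s for s, _ in totals.values()) / n_all, 1) if n_all else None
    gaps.sort(key=lambda g: (g[1] != "High", g[0]))  # High-priority gaps first
    return overall, by_category, gaps


# Constructed sample data (a few Annex A controls), not a real assessment
SAMPLE = [
    ("A.5.1", "Organizational", "Fully Implemented"),
    ("A.5.9", "Organizational", "Partially Implemented"),
    ("A.6.3", "People", "Not Implemented"),
    ("A.7.1", "Physical", "Not Applicable"),
    ("A.8.24", "Technological", "Partially Implemented"),
]

if __name__ == "__main__":
    print(score(SAMPLE))
```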
What to Do With Your Gap Analysis Results
Once you have completed your ISO 27001 gap analysis, the results become the foundation for your entire implementation project. Here is how to turn findings into action:
- Build a remediation plan: Group gaps by priority and assign owners, deadlines, and resource estimates to each one. Our Implementation Roadmap tool can help structure this plan.
- Update your risk register: Gaps often correspond to unmitigated risks. Map each gap to your risk assessment to ensure nothing is overlooked.
- Develop or update policies: Many gaps stem from missing or outdated documentation. Use the gap analysis output to determine which policies and procedures need to be created or revised.
- Present to management: The exported report provides a clear, data-driven summary that leadership can use to approve budgets and timelines.
- Re-assess periodically: A gap analysis is not a one-time activity. Run it annually — or after significant organizational changes — to track progress and maintain compliance.
How This Tool Maps to ISO 27001:2022 Clauses and Annex A Controls
The ISO 27001 gap analysis tool is fully aligned with the latest ISO 27001:2022 structure. It covers:
- Mandatory clauses 4–10: Context of the organization, leadership, planning, support, operation, performance evaluation, and improvement — every requirement that an ISMS must satisfy.
- All 93 Annex A controls: Organized across the four themes introduced in the 2022 revision — Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls).
- ISO 27001 gap analysis checklist format: Each control is presented as a checklist item with clear compliance options, making it easy to work through systematically — even for teams new to the standard.
This comprehensive mapping ensures that your gap assessment leaves no blind spots. Whether you are a small business running your first ISO 27001 gap analysis or an enterprise maintaining an existing certification, the tool adapts to your context and produces actionable, auditor-ready output.
