Information Security Management

How to Perform an ISO 27001 Gap Analysis

Below, I’ll explain how I go about an ISO 27001 gap analysis, but I’ll start with a piece of free, unsolicited advice:

Why do you need one?

Suppose you are a small business seriously looking at your compliance and considering ISO 27001. Do you really need a gap analysis if you already know you are largely not implementing information security policies and procedures? I’d suggest the time is better spent just getting on with things.

If, however, you are a larger organisation with established policies and procedures, and you think you probably already cover a lot of 27001, then a gap analysis will provide real value.


Written by Alan Parker – ISO 27001 Consultant

What is an ISO 27001 Gap Analysis & How Do I Conduct One?

A gap analysis against ISO 27001 is crucial in identifying areas where your organisation’s current information security practices fall short of the standard’s requirements. 

Conducting an ISO 27001 gap analysis offers significant benefits, such as improved security posture, streamlined compliance efforts, and long-term value for your business.

The process helps develop an effective implementation plan to achieve ISO 27001 certification. It should be tailored to your organisation’s specific business needs to ensure that compliance efforts align with operational goals and risk profile.

Here’s a step-by-step guide to conducting an ISO 27001 gap analysis, loosely based on my own process when I go in as an ISO consultant to help organisations get ready for certification.

So, if you fancy it, you can have a go yourself; alternatively, you can always bring in external consultancy to do it for you. It can help expedite the process and give you confidence in an area that might be new to you. Think of the gap analysis as the beginning of your organisation’s compliance journey.



A Simple ISO 27001 Gap Analysis Template

The following can be used to perform a very high-level ISO 27001 gap analysis. If you need to dive deeper, consider an audit or external consultancy.

Context of the Organisation

Section: Understanding the Organisation and its Context
Requirement: Determine the external and internal issues relevant to the organisation’s purpose and its ability to achieve the intended outcomes of the ISMS.
Assessment: Describe the internal and external issues affecting your organisation’s ISMS.
Gap: Note any relevant internal or external issues that have not yet been identified or documented.

Section: Understanding the Needs and Expectations of Interested Parties
Requirement: Identify interested parties and their requirements relevant to the ISMS.
Assessment: List interested parties and their relevant requirements.
Gap: Note any unrecognised interested parties or unaddressed requirements.

Section: Determining the Scope of the ISMS
Requirement: Define the boundaries and applicability of the ISMS.
Assessment: Describe the scope of your ISMS, including the internal and external issues and requirements it takes into account.
Gap: Identify any areas not covered by the ISMS scope.

Leadership

Section: Leadership and Commitment
Requirement: Top management must demonstrate leadership and commitment to the ISMS.
Assessment: Provide examples of top management involvement in the ISMS.
Gap: Identify areas where leadership commitment is lacking.

Section: Information Security Policy
Requirement: Establish an information security policy appropriate to the organisation.
Assessment: Review your information security policy to ensure it aligns with organisational goals.
Gap: Identify any inconsistencies or areas for improvement in the policy.

Planning

Section: Actions to Address Risks and Opportunities
Requirement: Determine and plan actions to address risks and opportunities.
Assessment: List the actions planned to address identified risks and opportunities.
Gap: Identify any risks or opportunities not addressed by current plans.

Section: Information Security Objectives
Requirement: Establish information security objectives at relevant functions and levels.
Assessment: Describe the information security objectives that have been set and how they are monitored.
Gap: Identify objectives that are not aligned or not measurable.

Support

Section: Resources
Requirement: Determine and provide the resources needed for the ISMS.
Assessment: List the resources allocated to the ISMS, including personnel, tools, and budget.
Gap: Identify any gaps in resource allocation.

Section: Competence
Requirement: Ensure personnel are competent on the basis of education, training, or experience.
Assessment: Describe the competence requirements for ISMS-related roles and how they are fulfilled.
Gap: Identify any gaps in competence among personnel.

Section: Awareness
Requirement: Ensure personnel are aware of the ISMS policies and their roles.
Assessment: Describe the awareness programmes and training provided to personnel.
Gap: Identify any gaps in awareness or training.

Section: Communication
Requirement: Determine the need for internal and external communications relevant to the ISMS.
Assessment: List the internal and external communication channels used for ISMS-related information.
Gap: Identify any gaps in communication strategies.

Section: Documented Information
Requirement: Control the documented information required by the ISMS.
Assessment: Describe the documentation process for ISMS policies, procedures, and records.
Gap: Identify any missing or uncontrolled documents.

Operation

Section: Operational Planning and Control
Requirement: Plan, implement, and control the processes needed to meet ISMS requirements.
Assessment: Describe the operational controls in place to manage ISMS processes.
Gap: Identify any gaps in operational controls.

Section: Information Security Risk Assessment
Requirement: Define and apply an information security risk assessment process.
Assessment: Describe the risk assessment process, criteria, and results.
Gap: Identify any gaps in the risk assessment process or criteria.

Section: Information Security Risk Treatment
Requirement: Define and apply an information security risk treatment process.
Assessment: Describe the risk treatment options selected and the implementation of controls.
Gap: Identify any gaps in the risk treatment process or controls.

Performance Evaluation

Section: Monitoring, Measurement, Analysis, and Evaluation
Requirement: Determine what needs to be monitored and measured, including the methods, intervals, and analysis.
Assessment: List the metrics and KPIs used to measure ISMS performance.
Gap: Identify anything that should be monitored but is not, and any measurements that lack a defined method, interval, or analysis.

Section: Internal Audit
Requirement: Conduct internal audits at planned intervals to provide information on the ISMS’s performance.
Assessment: Describe the internal audit process, including frequency and findings.
Gap: Identify any gaps in the internal audit process or follow-up actions.

Section: Management Review
Requirement: Review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Assessment: Describe the management review process, including inputs and outcomes.
Gap: Identify any gaps in the management review process.

Improvement

Section: Nonconformity and Corrective Action
Requirement: Manage nonconformities and take corrective action to eliminate their causes.
Assessment: Describe the process for handling nonconformities and the corrective actions taken.
Gap: Identify any gaps in handling nonconformities or implementing corrective actions.

Section: Continual Improvement
Requirement: Continually improve the suitability, adequacy, and effectiveness of the ISMS.
Assessment: Describe the continual improvement activities and initiatives undertaken.
Gap: Identify any areas where continual improvement is not evident.


How to Perform an ISO 27001 Gap Analysis: Instructions

Understand ISO 27001 Requirements

Before you begin a gap analysis, you and your team must have a strong grasp of the ISO/IEC 27001:2022 standard.
You cannot measure the distance from “good” until you know what good looks like, and that starts with understanding the standard’s expectations.

Actions:

1) Review the Provided Guides: Begin by reviewing the documentation, guides, and breakdowns of ISO 27001:2022 controls that have been shared with you. Familiarise yourself with the structure, terminology, and objectives behind each of the standard’s requirements.

2) Learn the Main Structure of ISO 27001: The standard is organised around seven key areas (ISO 27001 clauses 4–10). Each clause focuses on an essential part of the Information Security Management System (ISMS):

– Context of the Organisation: Identify internal and external factors, needs, and expectations that could impact your Information Security Management System (ISMS).
– Leadership: Understand how top management must show leadership, define responsibilities, and commit to supporting the ISMS.
– Planning: Recognise how to address information security risks and opportunities and set clear, measurable security objectives.
– Support: Learn about the requirements for resources, staff competence, awareness, internal communications, and controlled documentation.
– Operation: Know how the organisation needs to implement and manage risk assessments, risk treatments, and operational security controls.
– Performance Evaluation: Understand the need for measuring, analysing, auditing, and reviewing the ISMS’s performance.
– Improvement: See how continual improvement is expected, including managing nonconformities and corrective actions.

Tip: Think of the standard as a management cycle — it’s about continually understanding, acting, checking, and improving.

By fully understanding these areas, your gap analysis will be much more accurate. Instead of simply spotting missing documents, you’ll be able to assess whether key security practices, leadership involvement, and continual improvement activities are truly in place.

Building your gap analysis around the clauses (4–10) provides a structured, comprehensive way to assess compliance.

You’ll be better prepared to spot both technical gaps (missing policies, procedures) and management system gaps (lack of leadership commitment, poor planning, etc.).

Assemble a Gap Analysis Team


Depending on your organisation’s size, a gap analysis might not be a one-person job. To accurately assess your readiness for ISO 27001:2022, you will need cross-functional input from people with the right knowledge and insight.

Select Team Members from Key Departments
– IT/Security: Understands technical controls, infrastructure, and cybersecurity measures.
– HR: Knows about staff training, onboarding, awareness, and internal policies affecting employees.
– Legal/Compliance: Can advise on data protection regulations (such as GDPR) and contractual obligations.
– Management/Leadership: Provides oversight of strategic objectives, risk appetite, and organisational priorities.

Choose People with Practical Knowledge
Look for individuals who are familiar with day-to-day operations, not just high-level policies.
Prioritise team members who already have some understanding of information security principles.
Relevant expertise in ISO 27001 and information security is essential to identify gaps accurately and ensure effective remediation.

Assign a Gap Analysis Lead
Appoint someone responsible for coordinating activities, tracking progress, and making sure the findings are documented clearly.

Your team will be your eyes and ears across the organisation. By gathering a diverse group, you’ll ensure your gap analysis covers technical gaps and organisational/management system gaps, not just IT issues.

Tip: Keep the team small but effective — 4 to 6 people is often ideal for a mid-sized organisation. You can consult others as needed without slowing down the core analysis work. In my experience, too many people can make it ineffective, but each organisation is unique.

Define the Scope of the Gap Analysis

Before diving into the gap analysis, it is essential to define its scope clearly. This involves deciding which parts of the organisation, processes, and systems will be evaluated, and assessing the current state of information security controls within those areas.

A well-defined scope keeps the analysis focused, saves time by avoiding unnecessary assessments, and produces directly useful results. You don’t want to spend time assessing a part of the business that won’t be in the ISO 27001 scope, and to begin with, my mantra is always ‘the smaller the better’.

Identify Organisational Boundaries
Which departments, offices, teams, or geographic locations are included?
Example: You might choose to assess only the European offices if that is where the client or regulatory driver for certification (such as GDPR-related customer requirements) sits.

Define the Information Systems and Processes
Which IT systems, software platforms, and business processes will be reviewed?
For example, only systems handling customer data may be in scope.

Understand Legal, Regulatory, or Contractual Requirements
Are there any regulations (like GDPR, HIPAA, etc.) or client contracts that influence what must be covered?

Document the Scope
Write down the scope formally. It should be specific enough that someone outside your team would understand what is included (and what’s excluded).

If you don’t define the scope properly, your gap analysis might either miss critical risks or waste time reviewing irrelevant systems.
ISO 27001:2022 requires organisations to document the scope of their Information Security Management System (ISMS), so defining it early aligns your gap analysis with certification requirements.

Tip: Be realistic about what you can cover during the gap analysis. You can always expand the scope later if needed.

Review Existing Policies and Procedures

Once your scope is clear, the next step is to collect and review all current information security policies, procedures, and practices, while assessing your organisation’s current information security posture.

The goal is to understand what already exists, identify any gaps or outdated documents, and measure how closely your organisation’s practices align with the requirements of ISO 27001:2022.

Gather Relevant Documents
Start by collecting all security-related policies, procedures, guidelines, and records that exist within the organisation. As part of this process, review your current controls to ensure they are documented and can be evaluated against ISO 27001 Annex A controls.

Focus on key areas such as:
– Information Security Policy: Sets the overall direction for protecting information assets.
– Risk Assessment and Treatment Plans: Shows how risks are identified, evaluated, and addressed.
– Incident Response Plan: Defines how the organisation handles security incidents.
– Business Continuity Plan: Describes how critical business functions will continue during disruptive events.
– Access Control Policies: Covers how user access to systems and data is granted, changed, and revoked.

Pay particular attention to whether each control is actually implemented and evidenced, not merely described in a document; the difference between the two is where most compliance gaps hide.

Review for Completeness and Alignment
Check whether each document exists, is up to date, and is effectively implemented.
Compare the content against the ISO 27001 requirements: does it address what the standard expects?
Evaluate your current security posture to identify strengths and areas needing improvement.

Identify Missing or Weak Areas
Are there critical policies missing altogether?
Are some policies too vague, outdated, or not followed in practice?

Organise Your Findings
Keep a checklist or simple spreadsheet of what documents you have, their status (complete, incomplete, missing), and any notes for improvement.

ISO 27001:2022 expects organisations to maintain a structured, documented approach to managing information security.
Your existing policies and procedures form the backbone of your ISMS — but only if they are complete, effective, and aligned with the standard.

Tip: Pay special attention to how policies are communicated and enforced — a policy that sits on a shelf unread won’t help with ISO 27001 compliance!

Map Current Practices to ISO 27001 Requirements

After gathering and reviewing your existing policies and procedures, the next step is to systematically map them against the ISO 27001:2022 requirements.
This comparison will highlight areas where your organisation is already compliant and help in identifying gaps between your current practices and the standard’s requirements that need to be addressed.

Create a Checklist Based on ISO 27001:2022
Build or use a checklist that lists each requirement (clauses 4–10 and Annex A controls).
The checklist should allow you to mark each requirement as:
– Compliant
– Partially Compliant
– Non-Compliant
– Not Applicable

Compare Current Practices Against the Checklist
For each requirement, review your existing documents, policies, and operational practices.
Determine whether they fully meet, partially meet, or fail to meet the ISO expectations.
Note the evidence (such as documents, meeting minutes, system configurations) that supports each rating. An auditor will ask for it, and a requirement you cannot evidence should be treated as a gap, however confident you are that it is met.

Identify Compliance Gaps
Highlight any missing, weak, or outdated areas.
Pay special attention to areas that are often overlooked, such as leadership involvement, continual improvement, supplier relationships, and business continuity integration. The shortcomings you recognise here are what your remediation plan will be built on.

Document the Results
Use a spreadsheet, database, or gap analysis tool to organise your findings.
This mapping exercise serves as the baseline for your future action plan.

Without clear mapping, you risk missing hidden gaps that could cause issues during an ISO 27001 certification audit.
Mapping makes your strengths and weaknesses visible, giving you a structured starting point for remediation.

Conduct Interviews and Surveys

Documents tell part of the story — but to truly understand how information security practices are working day-to-day, you need to engage with the people involved.
Interviews and surveys with key stakeholders reveal how well policies are followed in practice, uncover hidden issues, and help you validate your gap analysis findings and judge whether the security measures in place actually work.
Actions:

Identify Key Stakeholders
Choose individuals who are responsible for, or heavily involved in, information security processes. This may include:
– IT Managers
– HR Representatives
– Compliance Officers
– Department Heads
– Risk Owners
– Regular Employees (to check awareness and behaviour)

Prepare Interview Questions or Survey Forms
Focus questions on how processes are implemented, not just what is documented.

Example questions:

Information Security Awareness – Are you aware of the organisation’s Information Security Policy? Where did you first hear about it?

Incident Management – If you notice a security incident (e.g., a suspicious email or a data breach), what would you do? Who would you report it to?

Access Control – How is access to systems and sensitive information granted and reviewed in your department? Are there regular reviews?

Training and Competence – Have you received any training related to information security in the past 12 months? Was it useful for your role?

Risk Awareness – Can you describe any risks to information security you encounter in your day-to-day work? How are these risks handled?

Supplier Security – When working with third-party vendors, how do you ensure they handle information securely?

Business Continuity – In case of a major IT disruption, do you know what the continuity plan is for your role or department?

Conduct Interviews or Distribute Surveys
Interviews can be informal discussions or structured sessions.
Surveys help gather broader input across larger teams.
Assure participants that their feedback is valuable and confidential, where appropriate.

Analyse the Results
Compare the reality (“what’s happening”) to the documented policies (“what’s supposed to happen”).
Look for gaps between expectation and practice, drawing on input from a broad range of team members rather than a single source.

Identify & Prioritise Gaps

After collecting evidence from document reviews, interviews, and surveys, the next step is to identify where gaps exist between your organisation’s current practices and the ISO 27001:2022 requirements, and then prioritise them based on risk and impact.

Expect some friction at this stage. Limited internal expertise, resource constraints, documentation complexity, third-party management, and stakeholder engagement are the usual obstacles, and each makes both maintaining compliance and strengthening the ISMS harder.

Identify Compliance Gaps
Review your mapping results, interviews, and supporting evidence.
For each ISO 27001 requirement, ask: Is this fully met, partially met, or not met at all?

Categorise Each Gap
Examples of categories:
– Missing documents (e.g., no Incident Response Plan)
– Weak implementation (e.g., policy exists but is not followed)
– Lack of awareness or training
– Technical vulnerabilities (e.g., poor access controls)

Assess the Risk and Impact
Consider:
– How critical is this gap to protecting information assets?
– What would be the potential impact if this gap were exploited (e.g., data breach, regulatory fine)?
– Is this a requirement that auditors or regulators often focus on?

High-priority gaps are the ones to act on first: they are where a missing or ineffective control most directly leaves information at risk and most clearly stands between you and certification.

Prioritise Gaps
Classify each gap as:
– High Priority — Major risk, non-compliance with core requirements.
– Medium Priority — Moderate risk, important but not critical issues.
– Low Priority — Minor issues or recommendations for improvement.

When prioritising, focus on the gaps that matter most for your organisation’s security and compliance objectives.

Create a Gap Register (or add a column to your checklist) to track each identified gap, its priority, and suggested corrective actions.

By prioritising, you can focus your efforts where they are most needed, address high-risk areas first, and plan remediation activities realistically — an approach fully aligned with ISO 27001’s risk-based thinking.
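The mapping checklist from the previous step (each requirement rated Compliant, Partially Compliant, Non-Compliant or Not Applicable, with its evidence) and the Gap Register described here are the same data viewed two ways, and a small script keeps them consistent. The following is an added example, not code from the article or its author. Clause and Annex A references follow ISO/IEC 27001:2022; the sample findings, the 1–3 impact scale, the status weights and the High/Medium/Low thresholds are illustrative assumptions, not part of the standard.

```python
"""Added example: a minimal ISO 27001 gap register.
Records each requirement's mapping status, scores and ranks the gaps,
and summarises readiness per clause for the report.
Impact scale, weights and thresholds are assumptions, not ISO rules."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    """The four ratings used on the mapping checklist."""
    COMPLIANT = "Compliant"
    PARTIAL = "Partially Compliant"
    NON_COMPLIANT = "Non-Compliant"
    NOT_APPLICABLE = "Not Applicable"


# Assumed rule: priority score = impact (1 low .. 3 high) x status weight.
STATUS_WEIGHT = {Status.COMPLIANT: 0, Status.PARTIAL: 1,
                 Status.NON_COMPLIANT: 2, Status.NOT_APPLICABLE: 0}
# Assumed credit towards readiness: how much of a requirement counts as met.
STATUS_CREDIT = {Status.COMPLIANT: 1.0, Status.PARTIAL: 0.5, Status.NON_COMPLIANT: 0.0}


@dataclass
class Finding:
    ref: str                 # clause ("6.1.2") or Annex A control ("A.5.19")
    title: str
    status: Status
    impact: int              # assumed 1-3: consequence if the gap is exploited
    evidence: list[str] = field(default_factory=list)
    action: str = ""         # suggested corrective action for the report

    def score(self) -> int:
        return self.impact * STATUS_WEIGHT[self.status]

    def priority(self) -> str:
        """Map the score onto the High / Medium / Low bands used in the article."""
        s = self.score()
        if s == 0:
            return "None"
        return "High" if s >= 4 else "Medium" if s >= 2 else "Low"


def clause_of(ref: str) -> str:
    """Reporting key: main clause number, or Annex A section (A.5 .. A.8)."""
    parts = ref.split(".")
    return f"A.{parts[1]}" if parts[0] == "A" else parts[0]


def gap_register(findings: list[Finding]) -> list[Finding]:
    """Only the real gaps, highest score first (the report's ranked list)."""
    return sorted((f for f in findings if f.score() > 0), key=lambda f: -f.score())


def readiness_by_clause(findings: list[Finding]) -> dict[str, int]:
    """Percent of applicable requirements met per clause; N/A-only clauses omitted."""
    credit: dict[str, float] = defaultdict(float)
    count: dict[str, int] = defaultdict(int)
    for f in findings:
        if f.status is Status.NOT_APPLICABLE:
            continue
        credit[clause_of(f.ref)] += STATUS_CREDIT[f.status]
        count[clause_of(f.ref)] += 1
    return {k: round(100 * credit[k] / count[k]) for k in sorted(count)}


def overall_readiness(findings: list[Finding]) -> int:
    applicable = [f for f in findings if f.status is not Status.NOT_APPLICABLE]
    return round(100 * sum(STATUS_CREDIT[f.status] for f in applicable) / len(applicable))


def missing_evidence(findings: list[Finding]) -> list[str]:
    """Requirements rated (partly) met with nothing to show an auditor: a gap in itself."""
    return [f.ref for f in findings
            if f.status in (Status.COMPLIANT, Status.PARTIAL) and not f.evidence]


# Constructed sample findings for a fictional organisation.
SAMPLE_FINDINGS = [
    Finding("4.3", "ISMS scope documented", Status.COMPLIANT, 3, ["ISMS-Scope-v2.pdf"]),
    Finding("5.2", "Information security policy", Status.PARTIAL, 3,
            ["IS-Policy-2019.docx"], "Refresh policy; obtain top-management approval"),
    Finding("6.1.2", "Risk assessment process", Status.NON_COMPLIANT, 3, [],
            "Define risk criteria and assessment method"),
    Finding("7.3", "Awareness", Status.PARTIAL, 2, [], "Run and record annual awareness training"),
    Finding("9.2", "Internal audit", Status.NON_COMPLIANT, 2, [], "Establish an audit programme"),
    Finding("A.5.19", "Supplier relationships", Status.PARTIAL, 1,
            ["vendor-register.xlsx"], "Add security clauses to supplier contracts"),
    Finding("A.7.4", "Physical security monitoring", Status.NOT_APPLICABLE, 1, [],
            "Fully remote organisation; justify the exclusion in the SoA"),
]


if __name__ == "__main__":
    for f in gap_register(SAMPLE_FINDINGS):
        print(f"{f.priority():6} {f.ref:7} {f.title}: {f.action}")
    print("Readiness by clause:", readiness_by_clause(SAMPLE_FINDINGS))
    print("Overall readiness:", overall_readiness(SAMPLE_FINDINGS), "%")
    print("Rated but unevidenced:", missing_evidence(SAMPLE_FINDINGS))
```

Running it ranks the two Non-Compliant core requirements (risk assessment, internal audit) as High, shows readiness per clause for the executive summary, and flags the awareness finding as rated Partially Compliant with no evidence behind it, which is the kind of entry that should be downgraded or evidenced before the report goes to leadership.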

Develop a Gap Analysis Report

Once the gap analysis is complete, it’s time to prepare a comprehensive report that communicates your findings and recommendations to leadership and stakeholders.
A well-structured report will make it easier to secure support, allocate resources, and plan your path to ISO 27001:2022 compliance.

Create an Executive Summary
Provide a concise, high-level overview of the gap analysis process, key findings, and overall readiness for ISO 27001 certification.
Highlight major strengths and high-risk areas that need urgent attention.

Present Detailed Findings
List all identified gaps, mapped to the relevant ISO 27001 clauses (4–10 and Annex A controls)
Include short descriptions of how each current practice falls short of the requirement.

Show Prioritisation of Gaps
Provide a ranked list of gaps based on risk and urgency (e.g., High, Medium, Low)
This helps leadership focus their attention where it matters most.

Offer Clear Recommendations
Suggest practical actions for addressing each gap, tied back to the risk the gap leaves open so that leadership can see why each action matters.
Where possible, group recommendations into logical phases (e.g., Immediate Actions, Short-Term Improvements, Long-Term Enhancements).

Include Supporting Appendices (Optional but Useful)
Attach your full mapping checklist, stakeholder interview summaries, or risk assessments if needed for reference.

A strong gap analysis report doesn’t just highlight problems — it provides a clear roadmap for improvement.
It also demonstrates professionalism, preparation, and risk awareness to senior management, which is crucial for gaining their support for the ISO 27001 journey.

Keep the language in your report simple and focused on action — avoid jargon so that even non-technical leaders can easily understand the importance of addressing the gaps.


For supporting information on creating an ISO 27001 gap analysis, the following articles may provide additional support:

How to build an ISO 27001 Business Case

How to write an ISO 27001 project plan


The ISO 27001 Clauses: Learn How They Work

ISO 27001 Annex A – Organisational Controls

An Example Page of My ISO 27001 Gap Report (Maturity Rating Criteria)