
What is an ISO 27001 Gap Analysis & How Do I Conduct One?
A gap analysis against ISO 27001 is crucial in identifying areas where your organisation’s current information security practices fall short of the standard’s requirements.
The process helps develop an effective implementation plan to achieve ISO 27001 certification.
Here’s a step-by-step guide on conducting an ISO 27001 gap analysis, based loosely on my own process when I go in as an ISO consultant to help organisations get ready for certification.
So, if you fancy it, you can have a go yourself; alternatively, you can always bring in external consultancy to do it for you, which can help expedite the process and give you confidence in an area that might be new to you.
How To Perform an ISO 27001 Gap Analysis
My Full ISO 27001 toolkit provides a checklist assessment to help you get started.
Understand ISO 27001 Requirements
Before you begin a gap analysis, you and your team must have a strong grasp of the ISO/IEC 27001:2022 standard.
Gap analysis only works if you know what “good” looks like — and that starts with understanding the standard’s expectations.
Actions:
1) Review the Provided Guides: Begin by reviewing the documentation, guides, and breakdowns of ISO 27001:2022 controls that have been shared with you. Familiarise yourself with the structure, terminology, and objectives behind each requirement.
2) Learn the Main Structure of ISO 27001: The standard is organised around seven key areas (ISO 27001 clauses 4–10). Each clause focuses on an essential part of the Information Security Management System (ISMS):
– Context of the Organisation: Identify internal and external factors, needs, and expectations that could impact your Information Security Management System (ISMS).
– Leadership: Understand how top management must show leadership, define responsibilities, and commit to supporting the ISMS.
– Planning: Recognise how to address information security risks and opportunities and set clear, measurable security objectives.
– Support: Learn about the requirements for resources, staff competence, awareness, internal communications, and controlled documentation.
– Operation: Know how the organisation needs to implement and manage risk assessments, risk treatments, and operational security controls.
– Performance Evaluation: Understand the need for measuring, analysing, auditing, and reviewing the ISMS’s performance.
– Improvement: See how continual improvement is expected, including managing nonconformities and corrective actions.
Tip: Think of the standard as a management cycle — it’s about continually understanding, acting, checking, and improving.
By fully understanding these areas, your gap analysis will be much more accurate. Instead of simply spotting missing documents, you’ll be able to assess whether key security practices, leadership involvement, and continual improvement activities are truly in place.
Building your gap analysis around the clauses (4–10) provides a structured and comprehensive way to check compliance.
You’ll be better prepared to spot both technical gaps (missing policies, procedures) and management system gaps (lack of leadership commitment, poor planning, etc.).
Assemble a Gap Analysis Team
A gap analysis isn’t a one-person job. To accurately assess your organisation’s readiness for ISO 27001:2022, you’ll need a cross-functional team with the right knowledge and insights.
Select Team Members from Key Departments
– IT/Security: Understands technical controls, infrastructure, and cybersecurity measures.
– HR: Knows about staff training, onboarding, awareness, and internal policies affecting employees.
– Legal/Compliance: Can advise on data protection regulations (such as GDPR) and contractual obligations.
– Management/Leadership: Provides oversight of strategic objectives, risk appetite, and organisational priorities.
Choose People with Practical Knowledge
Look for individuals who are familiar with day-to-day operations, not just high-level policies.
Prioritise team members who already have some understanding of information security principles.
Assign a Gap Analysis Lead
Appoint someone responsible for coordinating activities, tracking progress, and making sure the findings are documented clearly.
Your team will be your eyes and ears across the organisation. By gathering a diverse group, you’ll ensure your gap analysis covers technical gaps and organisational/management system gaps, not just IT issues.
Tip: Keep the team small but effective — 4 to 6 people is often ideal for a mid-sized organisation. You can consult others as needed without slowing down the core analysis work. In my experience, too many people can lead to it being ineffective, but each organisation is unique.
Define the Scope of the Gap Analysis
Before diving into the gap analysis, it is essential to define its scope clearly. This involves deciding which parts of the organisation, processes, and systems will be evaluated.
A well-defined scope ensures the analysis stays focused, avoids wasting time, and produces directly useful results. You don’t want to spend time assessing a part of the business that won’t be part of the ISO 27001 scope, and to begin with, my mantra is always ‘the smaller the better’.
Identify Organisational Boundaries
Which departments, offices, teams, or geographic locations are included?
Example: You might choose to assess only the European offices if ISO 27001 certification is required for GDPR compliance.
Define the Information Systems and Processes
Which IT systems, software platforms, and business processes will be reviewed?
For example, only systems handling customer data may be in-scope.
Understand Legal, Regulatory, or Contractual Requirements
Are there any regulations (like GDPR, HIPAA, etc.) or client contracts that influence what must be covered?
Document the Scope
Write down the scope formally. It should be specific enough that someone outside your team would understand what is included (and what’s excluded).
If you don’t define the scope properly, your gap analysis might either miss critical risks or waste time reviewing irrelevant systems.
ISO 27001:2022 requires organisations to document the scope of their Information Security Management System (ISMS), so defining it early aligns your gap analysis with certification requirements.
Tip: Be realistic about what you can cover during the gap analysis. You can always expand the scope later if needed.
Review Existing Policies and Procedures
Once your scope is clear, the next step is to collect and review all current information security policies, procedures, and practices.
The goal is to understand what already exists, identify any gaps or outdated documents, and measure how closely your organisation’s practices align with the requirements of ISO 27001:2022.
Gather Relevant Documents
Start by collecting all security-related policies, procedures, guidelines, and records that exist within the organisation.
Focus on key areas such as:
– Information Security Policy: Sets the overall direction for protecting information assets.
– Risk Assessment and Treatment Plans: Shows how risks are identified, evaluated, and addressed.
– Incident Response Plan: Defines how the organisation handles security incidents.
– Business Continuity Plan: Describes how critical business functions will continue during disruptive events.
– Access Control Policies: Covers how users are granted, changed, and revoked access to systems and data.
Review for Completeness and Alignment
Check if each document exists, is up-to-date, and is effectively implemented.
Compare the content against ISO 27001 requirements: does it address what the standard expects?
Identify Missing or Weak Areas
Are there critical policies missing altogether?
Are some policies too vague, outdated, or not followed in practice?
Organise Your Findings
Keep a checklist or simple spreadsheet of what documents you have, their status (complete, incomplete, missing), and any notes for improvement.
ISO 27001:2022 expects organisations to maintain a structured, documented approach to managing information security.
Your existing policies and procedures form the backbone of your ISMS — but only if they are complete, effective, and aligned with the standard.
Tip: Pay special attention to how policies are communicated and enforced — a policy that sits on a shelf unread won’t help with ISO 27001 compliance!
Map Current Practices to ISO 27001 Requirements
After gathering and reviewing your existing policies and procedures, the next step is to map them against the ISO 27001:2022 requirements systematically.
This comparison will highlight areas where your organisation is already compliant and identify gaps that need to be addressed.
Create a Checklist Based on ISO 27001:2022
Build or use a checklist that lists each requirement (clauses 4–10 and Annex A controls).
The checklist should allow you to mark each requirement as:
– Compliant
– Partially Compliant
– Non-Compliant
– Not Applicable
Compare Current Practices Against the Checklist
For each requirement, review your existing documents, policies, and operational practices.
Determine whether they fully meet, partially meet, or fail to meet the ISO expectations.
Note evidence (such as documents, meeting minutes, system configurations) that supports compliance.
Identify Compliance Gaps
Highlight any missing, weak, or outdated areas.
Pay special attention to areas that are often overlooked, such as leadership involvement, continuous improvement, supplier relationships, and business continuity integration.
Document the Results
Use a spreadsheet, database, or gap analysis tool to organise your findings.
This mapping exercise serves as the baseline for your future action plan.
Without clear mapping, you risk missing hidden gaps that could cause issues during an ISO 27001 certification audit.
Mapping makes your strengths and weaknesses visible, giving you a structured starting point for remediation.
Conduct Interviews and Surveys
Documents tell part of the story — but to truly understand how information security practices are working day-to-day, you need to engage with the people involved.
Interviews and surveys with key stakeholders reveal how well policies are being followed in practice, uncover hidden issues, and help validate your gap analysis findings.
Actions:
Identify Key Stakeholders
Choose individuals who are responsible for, or heavily involved in, information security processes. This may include:
– IT Managers
– HR Representatives
– Compliance Officers
– Department Heads
– Risk Owners
– Regular Employees (to check awareness and behaviour)
Prepare Interview Questions or Survey Forms
Focus questions on how processes are implemented, not just what is documented.
Example questions:
Information Security Awareness – Are you aware of the organisation’s Information Security Policy? Where did you first hear about it?
Incident Management – If you noticed a security incident (e.g., a suspicious email, data breach), what would you do? Who would you report it to?
Access Control – How is access to systems and sensitive information granted and reviewed in your department? Are there regular reviews?
Training and Competence – Have you received any training related to information security in the past 12 months? Was it useful for your role?
Risk Awareness – Can you describe any risks to information security you encounter in your day-to-day work? How are these risks handled?
Supplier Security – When working with third-party vendors, how do you ensure they handle information securely?
Business Continuity – In case of a major IT disruption, do you know what the continuity plan is for your role or department?
Conduct Interviews or Distribute Surveys
Interviews can be informal discussions or structured sessions.
Surveys are helpful for gathering broader input across larger teams.
Assure participants that their feedback is valuable and confidential, where appropriate.
Analyse the Results
Compare the reality (“what’s happening”) to the documented policies (“what’s supposed to happen”).
Look for gaps between expectations and practice.
Identify & Prioritise Gaps
After collecting evidence from document reviews, interviews, and surveys, the next step is to identify where gaps exist between your organisation’s current practices and the ISO 27001:2022 requirements, and then prioritise them based on risk and impact.
Identify Compliance Gaps
Review your mapping results, interviews, and supporting evidence.
For each ISO 27001 requirement, ask: Is this fully met, partially met, or not met at all?
Categorise Each Gap
Examples of categories:
– Missing documents (e.g., no Incident Response Plan)
– Weak implementation (e.g., policy exists but is not followed)
– Lack of awareness or training
– Technical vulnerabilities (e.g., poor access controls)
Assess the Risk and Impact
Consider:
– How critical is this gap to protecting information assets?
– What would be the potential impact if this gap were exploited (e.g., data breach, regulatory fine)?
– Is this a requirement that auditors or regulators often focus on?
Prioritise Gaps
Classify each gap as:
– High Priority — Major risk, non-compliance with core requirements.
– Medium Priority — Moderate risk, important but not critical issues.
– Low Priority — Minor issues or recommendations for improvement.
Document the Findings
Create a Gap Register (or add a column to your checklist) to track each identified gap, its priority, and suggested corrective actions.
By prioritising, you can focus your efforts where they are most needed, address high-risk areas first, and plan remediation activities realistically — an approach fully aligned with ISO 27001’s risk-based thinking.
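The mapping checklist and the Gap Register described above are easy to keep in a spreadsheet, but the same bookkeeping can be scripted so that readiness, priority ordering and unevidenced “Compliant” claims are calculated consistently every time the checklist is updated. The Python below is an added illustration written for this article, not part of the author’s toolkit or of the standard; the status values, priority levels and remediation phases are the ones used in the text, the clause numbers follow ISO/IEC 27001:2022, and the assessment entries and the half-credit weighting for “Partially Compliant” are constructed assumptions for the example.

```python
"""Build a prioritised ISO 27001 gap register from a mapping checklist.

Added example, not the article's own tooling. Sample entries are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Status values exactly as the article's checklist uses them.
STATUSES = ("Compliant", "Partially Compliant", "Non-Compliant", "Not Applicable")
# Readiness weighting (assumption: a partial counts as half credit, N/A is excluded).
STATUS_WEIGHT = {"Compliant": 1.0, "Partially Compliant": 0.5, "Non-Compliant": 0.0}
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
# Remediation phases the article suggests grouping recommendations into.
PHASE_FOR_PRIORITY = {
    "High": "Immediate Actions",
    "Medium": "Short-Term Improvements",
    "Low": "Long-Term Enhancements",
}


@dataclass
class ChecklistEntry:
    clause: str                 # "6.1.2" for clauses 4-10, "A.5.19" for Annex A controls
    requirement: str
    status: str
    priority: str = "Low"       # only meaningful when the entry is a gap
    category: str = ""          # "Missing document", "Weak implementation", ...
    evidence: list[str] = field(default_factory=list)
    action: str = ""

    def __post_init__(self) -> None:
        # Reject typos such as "Complaint" before they skew the figures.
        if self.status not in STATUSES:
            raise ValueError(f"{self.clause}: unknown status {self.status!r}")
        if self.priority not in PRIORITY_ORDER:
            raise ValueError(f"{self.clause}: unknown priority {self.priority!r}")

    @property
    def is_gap(self) -> bool:
        return self.status in ("Partially Compliant", "Non-Compliant")


def clause_sort_key(clause: str) -> tuple[bool, list[int]]:
    # Annex A items sort after clauses 4-10; numeric parts compare as ints so 10 > 9.
    parts = clause.split(".")
    return (parts[0] == "A", [int(p) for p in parts if p.isdigit()])


def readiness_score(entries: list[ChecklistEntry]) -> float:
    """Percentage readiness over applicable requirements (N/A items excluded)."""
    applicable = [e for e in entries if e.status != "Not Applicable"]
    if not applicable:
        return 0.0
    return round(100 * sum(STATUS_WEIGHT[e.status] for e in applicable) / len(applicable), 1)


def build_gap_register(entries: list[ChecklistEntry]) -> list[ChecklistEntry]:
    """Gaps ordered High -> Medium -> Low, then by clause number."""
    gaps = [e for e in entries if e.is_gap]
    return sorted(gaps, key=lambda e: (PRIORITY_ORDER[e.priority], clause_sort_key(e.clause)))


def group_into_phases(register: list[ChecklistEntry]) -> dict[str, list[ChecklistEntry]]:
    """Bucket the register into the report's remediation phases."""
    phases: dict[str, list[ChecklistEntry]] = {p: [] for p in PHASE_FOR_PRIORITY.values()}
    for gap in register:
        phases[PHASE_FOR_PRIORITY[gap.priority]].append(gap)
    return phases


def unevidenced_claims(entries: list[ChecklistEntry]) -> list[ChecklistEntry]:
    """'Compliant' marks with no recorded evidence; an auditor will not accept these."""
    return [e for e in entries if e.status == "Compliant" and not e.evidence]


def summarise(entries: list[ChecklistEntry]) -> dict:
    register = build_gap_register(entries)
    return {
        "readiness_pct": readiness_score(entries),
        "gap_count": len(register),
        "by_priority": dict(Counter(g.priority for g in register)),
        "by_category": dict(Counter(g.category for g in register)),
        "unevidenced": [e.clause for e in unevidenced_claims(entries)],
    }


# Constructed sample checklist for a small organisation (not real assessment data).
SAMPLE = [
    ChecklistEntry("4.3", "Determine the scope of the ISMS", "Compliant",
                   evidence=["ISMS Scope Statement v1.2"]),
    ChecklistEntry("5.2", "Information security policy", "Partially Compliant", "High",
                   "Weak implementation", action="Approve the policy and communicate it to all staff"),
    ChecklistEntry("6.1.2", "Information security risk assessment process", "Non-Compliant", "High",
                   "Missing document", action="Define and document the risk assessment methodology"),
    ChecklistEntry("7.3", "Awareness", "Partially Compliant", "Medium",
                   "Lack of awareness or training", action="Run annual awareness training"),
    ChecklistEntry("9.2", "Internal audit", "Non-Compliant", "Medium",
                   "Missing document", action="Write an internal audit programme"),
    ChecklistEntry("10.1", "Continual improvement", "Compliant"),  # claimed, no evidence noted
    ChecklistEntry("A.5.19", "Information security in supplier relationships", "Partially Compliant",
                   "Low", "Weak implementation", action="Add security clauses to supplier contracts"),
    ChecklistEntry("A.7.4", "Physical security monitoring", "Not Applicable"),  # fully remote
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
    for phase, gaps in group_into_phases(build_gap_register(SAMPLE)).items():
        print(phase, [g.clause for g in gaps])
```

Two of the functions carry the practitioner's caveats from the text: `readiness_score` leaves “Not Applicable” items out of the denominator so an over-generous N/A list inflates readiness visibly rather than silently, and `unevidenced_claims` lists every “Compliant” mark with no evidence noted, which is exactly the kind of hidden gap the mapping step is meant to surface before a certification auditor does.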
Develop a Gap Analysis Report
Once the gap analysis is complete, it’s time to prepare a comprehensive report that communicates your findings and recommendations to leadership and stakeholders.
A well-structured report will make it easier to secure support, allocate resources, and plan your path to ISO 27001:2022 compliance.
Create an Executive Summary
Provide a concise overview of the gap analysis process, key findings, and overall readiness for ISO 27001 certification.
Highlight major strengths and high-risk areas that need urgent attention.
Present Detailed Findings
List all identified gaps, mapped to the relevant ISO 27001 clauses (4–10 and Annex A controls).
Include short descriptions of how each current practice falls short of the requirement.
Show Prioritisation of Gaps
Provide a ranked list of gaps based on risk and urgency (e.g., High, Medium, Low).
This helps leadership focus their attention where it matters most.
Offer Clear Recommendations
Suggest practical actions for addressing each gap.
Where possible, group recommendations into logical phases (e.g., Immediate Actions, Short-Term Improvements, Long-Term Enhancements).
Include Supporting Appendices (Optional but Useful)
Attach your full mapping checklist, stakeholder interview summaries, or risk assessments if needed for reference.
A strong gap analysis report doesn’t just highlight problems — it provides a clear roadmap for improvement.
It also demonstrates professionalism, preparation, and risk awareness to senior management, which is crucial for gaining their support for the ISO 27001 journey.
Keep the language in your report simple and focused on action — avoid jargon so that even non-technical leaders can easily understand the importance of addressing the gaps.
A Simple ISO 27001 Gap Analysis Template
The following can be used to perform a very high-level ISO 27001 gap analysis. If you need to dive into more detail, consider an audit or external consultancy.
Context of the Organisation
Section | Requirement | Assessment | Gap |
---|---|---|---|
Understanding the Organisation and its Context | Determine external and internal issues relevant to the organisation’s purpose and its ability to achieve the intended outcomes of the ISMS. | Describe the internal and external issues affecting your organisation’s ISMS. | Identify any external or internal issues that have not been recognised or addressed. |
Understanding the Needs and Expectations of Interested Parties | Identify interested parties and their requirements relevant to the ISMS. | List interested parties and their relevant requirements. | Note any unrecognised interested parties or unaddressed requirements. |
Determining the Scope of the ISMS | Define the boundaries and applicability of the ISMS. | Describe the scope of your ISMS, including internal and external issues and requirements. | Identify any areas not covered by the ISMS scope. |
Leadership
Section | Requirement | Assessment | Gap |
---|---|---|---|
Leadership and Commitment | Top management must demonstrate leadership and commitment to the ISMS. | Provide examples of top management involvement in the ISMS. | Identify areas where leadership commitment is lacking. |
Information Security Policy | Establish an information security policy appropriate to the organisation. | Review your information security policy to ensure it aligns with organisational goals. | Identify any inconsistencies or areas for improvement in the policy. |
Planning
Section | Requirement | Assessment | Gap |
---|---|---|---|
Actions to Address Risks and Opportunities | Determine and plan actions to address risks and opportunities. | List actions planned to address identified risks and opportunities. | Identify any risks or opportunities not addressed by current plans. |
Information Security Objectives | Establish information security objectives at relevant functions and levels. | Describe the set information security objectives and how they are monitored. | Identify objectives that are not aligned or measurable. |
Support
Section | Requirement | Assessment | Gap |
---|---|---|---|
Resources | Determine and provide resources needed for the ISMS. | List resources allocated for the ISMS, including personnel, tools, and budget. | Identify any gaps in resource allocation. |
Competence | Ensure personnel are competent based on education, training, or experience. | Describe the competence requirements for ISMS-related roles and how they are fulfilled. | Identify any gaps in competence among personnel. |
Awareness | Ensure personnel are aware of the ISMS policies and their roles. | Describe awareness programs and training provided to personnel. | Identify any gaps in awareness or training. |
Communication | Determine the need for internal and external communications relevant to the ISMS. | List internal and external communication channels used for ISMS-related information. | Identify any gaps in communication strategies. |
Documented Information | Control documented information required by the ISMS. | Describe the documentation process for ISMS policies, procedures, and records. | Identify any missing or uncontrolled documents. |
Operation
Section | Requirement | Assessment | Gap |
---|---|---|---|
Operational Planning and Control | Plan, implement, and control the processes needed to meet ISMS requirements. | Describe the operational controls in place to manage ISMS processes. | Identify any gaps in operational controls. |
Information Security Risk Assessment | Define and apply an information security risk assessment process. | Describe the risk assessment process, criteria, and results. | Identify any gaps in the risk assessment process or criteria. |
Information Security Risk Treatment | Define and apply an information security risk treatment process. | Describe the risk treatment options selected and the implementation of controls. | Identify any gaps in the risk treatment process or controls. |
Performance Evaluation
Section | Requirement | Assessment | Gap |
---|---|---|---|
Monitoring, Measurement, Analysis, and Evaluation | Determine what needs monitoring and measuring, including the methods, intervals, and analysis. | List metrics and KPIs used to measure ISMS performance. | Identify any areas of ISMS performance that are not monitored or measured, or whose results are not analysed and evaluated. |
Internal Audit | Internal audits should be conducted at planned intervals to provide information on the ISMS’s performance. | Describe the internal audit process, including frequency and findings. | Identify any gaps in the internal audit process or follow-up actions. |
Management Review | Review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. | Describe the management review process, including inputs and outcomes. | Identify any gaps in the management review process. |
Improvement
Section | Requirement | Assessment | Gap |
---|---|---|---|
Nonconformity and Corrective Action | Manage nonconformities and take corrective actions to eliminate the cause of nonconformities. | Describe the process for handling nonconformities and corrective actions taken. | Identify any gaps in handling nonconformities or implementing corrective actions. |
Continual Improvement | Continually improve the suitability, adequacy, and effectiveness of the ISMS. | Describe continual improvement activities and initiatives undertaken. | Identify any areas where continual improvement is not evident. |
Related Content
For supporting information on creating an ISO 27001 gap analysis, the following articles may provide additional support:
How to build an ISO 27001 Business Case
How To Write an ISO 27001 Project Plan
The ISO 27001 Clauses: Learn How They Work
ISO 27001 Annex A – Organisational Controls