ISO 27001 Gap Analysis: How to Assess Your Readiness
Quick Answer
An ISO 27001 gap analysis systematically compares your current security posture against ISO 27001 requirements to identify what you already have in place and what needs to be implemented. It covers both the ISMS management clauses (4-10) and the 93 Annex A controls.
What Is an ISO 27001 Gap Analysis?
A gap analysis is the first step in most ISO 27001 certification projects. It gives you a clear picture of where you stand today versus where you need to be, so you can plan your implementation timeline, budget, and resource allocation accurately.
Key Takeaways
- Assess both ISMS clauses (4-10) and all 93 Annex A controls
- Categorize each requirement as: fully met, partially met, or not met
- Results drive your implementation plan, timeline, and budget
- Most organizations find they already meet 30-60% of requirements
- Can be done internally, by a consultant, or using a compliance platform's assessment module
Gap Analysis Process: Conducting an ISO 27001 Gap Analysis
Step 1: Define the scope
Determine what will be in scope for your ISMS certification; the gap analysis should cover the same scope. This includes business units, locations, systems, processes, and data types.
Step 2: Review ISMS clause requirements
Assess your current state against Clauses 4-10: Do you have a defined scope? A security policy? A risk assessment process? An internal audit program? Management review? Document each as met, partial, or not met.
Step 3: Assess Annex A controls
Go through each of the 93 Annex A controls. For each: Is there an existing control? Is it documented? Is it effective? Note: not all controls will apply to your scope, but assess them all to inform your Statement of Applicability (SoA).
Step 4: Interview key stakeholders
Talk to IT, security, HR, operations, and management. Understanding actual practices often reveals controls that exist informally but aren't documented, or documented policies that aren't actually followed.
Step 5: Review existing documentation
Catalog existing policies, procedures, and records. Many organizations have security documentation that partially satisfies ISO 27001. Identify what can be adapted versus what needs to be created from scratch.
Step 6: Score and prioritize gaps
Rate each gap by severity and effort to close. Create a prioritized remediation plan with: gap description, required actions, responsible person, estimated effort, and timeline.
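The scoring step above is easy to describe and easy to do inconsistently in a spreadsheet. The following is an added example, not code from the page or from any compliance platform: a minimal gap register in Python that records each requirement as met, partially met, or not met, computes coverage per area (excluding controls marked not applicable, which belong in the SoA), and produces a remediation list ordered by residual severity, then effort. The requirement references and titles follow ISO/IEC 27001:2022 numbering; the statuses, severity and effort scores, owners, and actions in the sample register are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Each requirement is scored as fully met, partially met, or not met."""
    MET = 1.0
    PARTIAL = 0.5
    NOT_MET = 0.0


@dataclass
class Requirement:
    ref: str                  # clause or Annex A control reference
    title: str
    area: str                 # grouping used for the coverage summary
    status: Status
    severity: int             # 1 (low) .. 5 (high): consequence of leaving the gap open
    effort: int               # 1 (days) .. 5 (months): work needed to close the gap
    applicable: bool = True   # False: excluded from scope, justified in the SoA
    owner: str = "unassigned"
    action: str = ""


def coverage_by_area(register: list[Requirement]) -> dict[str, float]:
    """Fraction of applicable requirements met per area (partial counts as 0.5)."""
    totals: dict[str, list[float]] = defaultdict(lambda: [0.0, 0])
    for req in register:
        if not req.applicable:
            continue
        totals[req.area][0] += req.status.value
        totals[req.area][1] += 1
    return {area: met / count for area, (met, count) in totals.items()}


def overall_coverage(register: list[Requirement]) -> float:
    """Overall fraction met across all applicable requirements (0.0 for an empty register)."""
    applicable = [r for r in register if r.applicable]
    if not applicable:
        return 0.0
    return sum(r.status.value for r in applicable) / len(applicable)


def prioritize(register: list[Requirement]) -> list[Requirement]:
    """Open gaps ordered by residual severity (highest first), then effort (lowest first)."""
    gaps = [r for r in register if r.applicable and r.status is not Status.MET]
    residual = lambda r: r.severity * (1.0 - r.status.value)  # partial gaps carry half the risk
    return sorted(gaps, key=lambda r: (-residual(r), r.effort, r.ref))


def remediation_plan(register: list[Requirement]) -> list[dict]:
    """Rows with the fields the page lists: gap, required action, owner, estimated effort."""
    return [
        {"gap": f"{r.ref} {r.title}", "status": r.status.name,
         "action": r.action, "owner": r.owner, "effort": r.effort}
        for r in prioritize(register)
    ]


# Constructed sample register for a small SaaS company (statuses and scores are illustrative).
SAMPLE_REGISTER = [
    Requirement("Clause 4.3", "Scope of the ISMS", "ISMS Governance", Status.MET, 5, 2),
    Requirement("Clause 6.1.2", "Information security risk assessment", "Risk Management",
                Status.NOT_MET, 5, 4, owner="CISO", action="Define and run the risk assessment method"),
    Requirement("Clause 9.2", "Internal audit", "Internal Audit",
                Status.NOT_MET, 4, 3, owner="Compliance lead", action="Create audit programme"),
    Requirement("A.5.1", "Policies for information security", "Policy Documentation",
                Status.PARTIAL, 3, 2, owner="CISO", action="Formalize and approve existing drafts"),
    Requirement("A.5.15", "Access control", "Technical Controls", Status.MET, 4, 3),
    Requirement("A.8.5", "Secure authentication", "Technical Controls", Status.MET, 4, 2),
    Requirement("A.6.3", "Information security awareness, education and training",
                "Training & Awareness", Status.PARTIAL, 2, 2, owner="HR", action="Schedule annual training"),
    # Example of a control excluded from scope (fully remote company, no premises).
    Requirement("A.7.4", "Physical security monitoring", "Technical Controls",
                Status.NOT_MET, 2, 1, applicable=False),
]

if __name__ == "__main__":
    print(f"Overall coverage: {overall_coverage(SAMPLE_REGISTER):.0%}")
    for area, frac in coverage_by_area(SAMPLE_REGISTER).items():
        print(f"  {area:<22} {frac:.0%}")
    for row in remediation_plan(SAMPLE_REGISTER):
        print(row)
```

Exclusions are filtered out of the coverage figures rather than counted as gaps, which mirrors how the SoA treats them; scoring a partially met requirement at half its severity keeps a documented-but-undocumented control (the MFA case in the note below) from outranking a control that does not exist at all.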
Typical Gap Analysis Results
| Area | SaaS/Tech Startup | Traditional Mid-Size | Enterprise |
|---|---|---|---|
| Technical Controls | Usually strong (60-80% met) | Mixed (40-60% met) | Usually strong (70-90% met) |
| Policy Documentation | Weak (20-40% met) | Mixed (40-60% met) | Usually exists (60-80% met) |
| Risk Management | Rarely formal (10-30% met) | Sometimes partial (30-50% met) | Often established (50-70% met) |
| ISMS Governance | Rarely exists (0-20% met) | Sometimes partial (20-40% met) | May exist (40-60% met) |
| Internal Audit | Rarely exists (0-10% met) | Rarely formal (10-30% met) | Often exists (50-70% met) |
| Training & Awareness | Informal (20-40% met) | Sometimes formal (30-50% met) | Usually formal (60-80% met) |
Note: Informal Controls Count
Many organizations have security controls that aren't formally documented. During the gap analysis, capture these — they represent real security measures that just need documentation. For example, if you already enforce MFA for all employees but don't have a formal access control policy, the gap is documentation, not implementation.
From Gap Analysis to Action Plan
Gap Analysis to Certification Path
How gap analysis results drive your implementation plan:
1. Gap analysis: assess current state versus ISO 27001 requirements.
2. Prioritized gap list: ranked by severity, effort, and dependency.
3. Implementation plan: timeline, resources, and milestones for closing gaps.
4. Implementation: close gaps, build the ISMS, collect evidence.
5. Certification audit: Stage 1 and Stage 2, approached with confidence.
Key figures:
- 30-60% already met: the typical starting point for most organizations.
- 1-2 weeks analysis duration: for small to mid-size organizations.
- 93 + 7 items to assess: 93 Annex A controls plus 7 ISMS clauses (4-10).
- First step in the certification journey: always start with a gap analysis.
Should we do the gap analysis ourselves or hire someone?
Both approaches work. Internal gap analysis costs less and builds knowledge. External consultants bring objectivity and ISO 27001 expertise. Compliance platforms often include gap assessment tools that guide you through the process. For a first certification, a mix (platform + targeted consultant input) is often optimal.
How long does a gap analysis take?
For a small organization (under 50 employees): 1-2 weeks. Mid-size (50-250): 2-4 weeks. Large enterprise: 4-8 weeks. This includes stakeholder interviews, documentation review, and report preparation. Using a compliance platform's assessment module can accelerate the process.
What if the gap analysis reveals we're not ready?
That's the whole point — better to discover gaps now than during a certification audit. Use the results to create a realistic implementation plan. If gaps are extensive, plan for a longer timeline (12-18 months) and consider phased implementation focusing on high-risk areas first.
Can we use the gap analysis for the risk assessment?
The gap analysis informs the risk assessment but doesn't replace it. The gap analysis identifies what controls you have and don't have. The risk assessment identifies what risks exist and which controls are needed. They complement each other and are typically done in parallel or sequentially.