ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving information security. Certification is increasingly required by customers, partners, and regulators worldwide.
A gap analysis is the systematic process of comparing your current security posture against ISO 27001 requirements to identify where you fall short. Whether you are pursuing certification for the first time or remediating a failed surveillance audit, the gap analysis methodology is the same.
What Is an ISO 27001 Gap Analysis?
An ISO 27001 gap analysis evaluates your organization against two dimensions: the management system requirements of the ISMS (Clauses 4-10) and the Annex A controls. It identifies what you already have in place, what is partially implemented, and what is completely missing. Each requirement or control is rated on a three-level scale:
Conforming: the control is fully implemented and operating effectively, with evidence available to demonstrate it.
Partially Conforming: some elements are in place, but gaps exist in implementation or documentation.
Non-Conforming: the control is missing or fundamentally inadequate and requires full implementation.
ISMS Management System Requirements (Clauses 4-10)
Before examining individual controls, the gap analysis must assess whether the foundational ISMS elements are in place. These clauses define the management framework that supports all security controls.
Clause 4: Context
Understanding your organization, stakeholder requirements, and ISMS scope. Many organizations fail by defining scope too narrowly or too broadly.
Clause 5: Leadership
Top management commitment, information security policy, and organizational roles and responsibilities. Without leadership commitment, the ISMS lacks authority.
Clause 6: Planning
Risk assessment and treatment methodology, information security objectives, and planning for changes. This is where the risk-based approach is defined.
Clause 7: Support
Resources, competence, awareness, communication, and documented information. The ISMS requires adequate resources and a trained workforce.
Clause 8: Operation
Operational planning, risk assessment execution, and risk treatment implementation. This is where planning meets execution.
Clause 9: Performance Evaluation
Monitoring, measurement, internal audit, and management review. You must prove the ISMS is working effectively.
Clause 10: Improvement
Nonconformity handling, corrective actions, and continual improvement. ISO 27001 requires a living, evolving system -- not a static one.
Annex A Control Domains: Common Gaps
ISO 27001:2022 organizes 93 controls into four domains. Here are the most common gaps we find in each domain during gap analysis engagements.
Conducting the Gap Analysis: Step by Step
Define the ISMS Scope
Clearly define which business processes, locations, technologies, and data types are within scope. The scope statement drives the entire gap analysis.
Inventory Assets and Data Flows
Identify all information assets within scope: systems, applications, data stores, network infrastructure, and physical locations. Map how information flows between them.
Assess Against Clauses 4-10
Evaluate your management system against each ISO 27001 clause requirement. Document what exists, what is missing, and the maturity level of each element.
Evaluate Annex A Controls
For each applicable Annex A control, determine the current implementation status. Document evidence of implementation and identify gaps.
Risk Assessment
Conduct a risk assessment aligned with your defined methodology. Identify threats, vulnerabilities, and the likelihood and impact of risks to information assets.
Statement of Applicability
Create or update your Statement of Applicability (SoA) documenting which controls are applicable, their implementation status, and justification for any exclusions.
Prioritized Remediation Plan
Develop a risk-prioritized remediation plan with clear ownership, timelines, and resource requirements for closing each identified gap.
Gap Analysis Pitfalls to Avoid
Scope creep or scope avoidance
Defining scope too broadly wastes resources. Defining it too narrowly leaves critical assets unprotected and raises auditor concerns.
Focusing only on technical controls
ISO 27001 is a management system standard. The ISMS clauses (4-10) are equally important and are often where organizations have the biggest gaps.
Paper-only implementation
Writing policies without implementing them is the most common certification failure. Auditors verify implementation through interviews and evidence.
Ignoring the Statement of Applicability
The SoA is a mandatory document. A poorly constructed SoA that does not align with your risk assessment is a major audit finding.
Key Takeaways
A gap analysis is the essential first step in any ISO 27001 certification or remediation effort
Assess both the management system requirements (Clauses 4-10) and the Annex A controls
ISO 27001:2022 organizes 93 controls into four domains with updated emphasis on technology
The Statement of Applicability is a critical document that must align with your risk assessment
Implementation must be real, not just documented -- auditors verify through evidence and interviews
A risk-prioritized remediation plan turns gap analysis findings into an actionable path to certification