Before you build anything, you need to know what you already have. A gap analysis does exactly that: it measures your current security practices and documentation against ISO 27001’s requirements and produces a clear list of what is missing. Most companies are pleasantly surprised to find they already do more than they thought.
This guide explains what an ISO 27001 gap analysis is, how to conduct one, what it produces, and how it becomes the roadmap for your whole journey to ISO 27001 certification.
What a gap analysis is
A gap analysis is a structured comparison between your organisation’s current state and the requirements of ISO 27001 — both the management-system clauses and the Annex A controls. For each requirement it asks: do we meet this, partially meet it, or not at all?
The ‘gaps’ are the requirements you do not yet meet. Collected together and prioritised, they form the work list for your certification project.
It is diagnostic, not judgmental: the goal is an honest map of where you stand, not a grade.
Why do it first
Starting a project without a gap analysis is like setting off on a journey without knowing your starting point. You cannot plan the route, estimate the effort, or budget realistically until you know how far you already are from the destination.
A gap analysis prevents two opposite errors: wasting effort rebuilding things you already have, and underestimating the work because you assumed controls existed that do not. It grounds the whole plan in reality.
It is also reassuring — most teams discover a solid foundation to build on rather than a blank slate.
What it covers
A complete gap analysis spans both halves of the standard. On the clauses side it checks for scope, policy, a risk process, objectives, internal audit, management review, and improvement mechanisms. On the controls side it walks the Annex A themes and assesses each relevant control.
It also examines documentation: which required documents exist, which are outdated, and which are missing entirely. And it looks at evidence: whether your existing controls actually produce records of operation.
The breadth ensures nothing required is overlooked when you plan the work.
How to conduct one
A gap analysis typically proceeds requirement by requirement. You gather your existing policies, configurations, and records, then assess each ISO 27001 requirement against them, recording the status (met, partial, not met) and notes on what is needed.
Interviews help: talking to the people who run IT, HR, and operations reveals practices that are real but undocumented, and documentation that exists but is not followed. Both are gaps of different kinds.
A simple structured spreadsheet keyed to the clauses and Annex A controls is a perfectly good tool for capturing the results.
Rating the gaps
Not all gaps are equal, so rate them. A useful scheme captures both the size of the gap (missing entirely versus needs minor tweaks) and its priority (how central the requirement is, and how much effort closing it will take).
This lets you sequence the work sensibly: tackle the foundational, high-effort gaps early, and batch the quick wins. It also feeds a realistic timeline and budget for the project.
Rating turns a flat list of deficiencies into an actionable, ordered plan.
The output: a remediation roadmap
The deliverable of a gap analysis is a prioritised remediation roadmap: a concrete, ordered list of policies to write, controls to implement, processes to establish, and evidence to start collecting, each with an owner and rough effort estimate.
This roadmap is the backbone of your project plan. It transforms ‘achieve ISO 27001’ — an intimidating abstraction — into a finite, trackable set of tasks.
A good roadmap is also persuasive internally, giving leadership a clear picture of the scope and effort involved.
Common gaps companies find
Certain gaps recur across organisations. Management-system gaps are common: no formal risk methodology, no internal audit programme, no documented management review. Documentation gaps are frequent too — informal practices that work but are not written down.
On the controls side, typical gaps include incomplete access reviews, missing logging or monitoring, no formal supplier risk process, and untested backups. Technical controls often exist but lack the evidence to prove consistent operation.
Recognising these patterns helps you anticipate where your own gaps are likely to be.
Gap analysis vs readiness assessment
It is worth distinguishing the two. A gap analysis is done early, to plan the work; a readiness assessment is done late, to confirm the work is complete and you are audit-ready. The gap analysis asks ‘what must we build?’; the readiness assessment asks ‘are we ready to pass?’
Both compare you against the standard, but at opposite ends of the project with different purposes. Many organisations benefit from doing both.
Clarifying which you are commissioning avoids confusion, since providers sometimes use the terms loosely.
Doing it in-house or with help
You can run a gap analysis internally if you understand the standard well, and templates exist to structure it. The risk is blind spots — it is hard to spot a requirement you have misunderstood or a practice you wrongly assume is adequate.
An experienced external assessor brings calibration: they know what ‘good’ looks like and how auditors interpret each requirement, so their gap analysis tends to be more accurate and their roadmap more reliable.
Either way, the value is in an honest, complete picture; the worst outcome is a gap analysis that misses gaps.
Turning the roadmap into action
A gap analysis only delivers value if its roadmap is acted on. Assign owners, schedule the work, and track progress — ideally folding the roadmap into the same project plan or checklist you will use through to certification.
Revisit the roadmap as you go; closing some gaps reveals others, and priorities shift as you learn more about your environment. Treat it as a living plan rather than a one-time report.
ISpectra begins engagements with a thorough gap analysis and then drives the resulting roadmap to completion — with free VAPT and a multi-framework discount — so the diagnosis leads straight to a certificate.
The bottom line
A gap analysis is the essential first step of an ISO 27001 project: an honest comparison of your current state against the standard’s clauses and controls that produces a prioritised remediation roadmap.
It prevents wasted effort, grounds your plan and budget in reality, and usually reveals that you have more in place than you feared. Rate the gaps, build the roadmap, assign owners, and act.
Done well — in-house with templates or with an experienced assessor — the gap analysis is what turns the abstract goal of certification into a concrete, achievable plan.
A simple gap-analysis scoring example
To make the output actionable, score each requirement on a simple scale — for example 0 (not addressed), 1 (partially addressed, informal), 2 (mostly there, needs evidence), 3 (fully met with evidence). Tally the scores by clause and Annex A theme and you get an instant heat-map of where the work concentrates.
That heat-map is persuasive with leadership and useful for sequencing: themes scoring mostly 0–1 need building, while those at 2 mainly need evidence and documentation. It turns a long list into a clear picture at a glance.
Re-scoring periodically also lets you track progress visibly, which keeps momentum and demonstrates advancement to stakeholders.
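As an added illustration (not the article's own tooling or ISpectra's), the Python below applies the 0–3 scale above to a constructed sample assessment: it tallies scores per clause/Annex A theme into the page's "build" versus "evidence" categories, orders the open gaps largest-first, and diffs a later re-scoring round against the baseline. The requirement ids are assumed ISO 27001:2022 clause and Annex A labels, and every score is made up.

```python
from collections import Counter

# Page's 0-3 scale: 0 not addressed, 1 partial/informal,
# 2 mostly there but needs evidence, 3 fully met with evidence.
# Constructed sample assessment rows: (requirement, theme, score).
# Themes are the ISO 27001:2022 Annex A groups plus a "Clauses" bucket.
BASELINE = [
    ("4.3 Scope", "Clauses", 3),
    ("6.1.2 Risk assessment", "Clauses", 0),
    ("9.2 Internal audit", "Clauses", 0),
    ("9.3 Management review", "Clauses", 1),
    ("A.5.18 Access rights", "Organisational", 1),
    ("A.5.19 Supplier relationships", "Organisational", 0),
    ("A.6.3 Awareness training", "People", 2),
    ("A.8.13 Information backup", "Technological", 2),
    ("A.8.15 Logging", "Technological", 2),
    ("A.8.16 Monitoring activities", "Technological", 1),
]

def bucket(score):
    """Map a 0-3 score to the page's work categories."""
    if score <= 1:
        return "build"      # missing or informal: must be built
    if score == 2:
        return "evidence"   # exists: needs documentation and records
    return "maintain"       # fully met: keep operating, keep collecting evidence

def heat_map(rows):
    """Per theme: count per bucket plus the dominant bucket (ties go to the more demanding one)."""
    counts = {}
    for _, theme, score in rows:
        counts.setdefault(theme, Counter())[bucket(score)] += 1
    result = {}
    for theme, c in counts.items():
        dominant = max(("build", "evidence", "maintain"), key=lambda b: c[b])
        result[theme] = {"build": c["build"], "evidence": c["evidence"],
                         "maintain": c["maintain"], "label": dominant}
    return result

def open_gaps(rows):
    """Ordered work list: lowest-scoring (largest) gaps first, then by requirement id."""
    return [req for req, _, s in sorted(rows, key=lambda r: (r[2], r[0])) if s < 3]

def progress(before, after):
    """Compare two scoring rounds; returns (closed, regressed) requirement ids."""
    old = {req: s for req, _, s in before}
    closed = [req for req, _, s in after if s == 3 and old.get(req, 0) < 3]
    regressed = [req for req, _, s in after if s < old.get(req, 0)]
    return closed, regressed
```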