How to Conduct a Gap Analysis for ISO 27001?

Conduct an ISO 27001 gap analysis step by step, identify compliance gaps, assess risks, and get ready for ISO 27001 certification.

Key Takeaways

  • A gap analysis maps your current security practices against ISO 27001:2022 requirements before formal certification begins.
  • The October 2025 transition deadline has passed — organizations still on ISO 27001:2013 need to recertify under the 2022 version now.
  • The analysis covers both mandatory clauses (4 to 10) and Annex A controls (93 controls in total under the 2022 version).
  • Common gaps found include missing risk management processes, weak access controls, and incomplete documentation.
  • A completed gap analysis cuts audit surprises, reduces certification costs, and helps teams focus on the controls that actually matter.
  • Running it manually with spreadsheets works, but Digital Security Teammates like Secure.com automate evidence collection, control mapping, and continuous compliance monitoring—cutting gap analysis time from weeks to days while maintaining audit-ready documentation.

Introduction

Most companies don’t fail ISO 27001 certification because they have bad security. They fail because they didn’t know what was missing before they walked into the audit. One mid-size company discovered three weeks before their Stage 2 audit that they had no documented risk treatment plan—a mandatory requirement. Months of work, nearly wasted.

An ISO 27001 gap analysis stops that from happening. It gives you an honest look at where you stand against the standard before any auditor does. This guide breaks down exactly what a gap analysis covers, why it matters, and how to run one that actually moves you toward certification.

What Is an ISO 27001 Gap Analysis?

Most companies going into ISO 27001 certification have some controls in place. They just don’t know which ones actually count and which ones leave them exposed. That’s the problem an ISO 27001 gap analysis is built to solve.

At its core, a gap analysis is a side-by-side comparison. You take what your organization currently does for information security, and you hold it up against every requirement in the ISO 27001 standard. Wherever your practices fall short, that’s a gap.

The ISO 27001:2022 standard covers two main areas:

  • Clauses 4 to 10 (mandatory): These are the structural requirements for your Information Security Management System (ISMS), covering things like leadership commitment, risk assessment, internal audits, and management review.
  • Annex A controls: 93 specific controls organized into 4 themes (organizational, people, physical, and technological). You don’t have to implement all 93, but you do need to justify which ones you skip.

One thing worth knowing: the October 2025 transition deadline has passed. If your organization was certified under ISO 27001:2013 and has not yet migrated to the 2022 version, recertification is now urgent. The gap analysis applies to the 2022 version.

A typical gap analysis report breaks findings into three categories:

  • Fully compliant: The control is in place and working.
  • Partially compliant: Something exists, but it’s incomplete or not documented properly.
  • Non-compliant: Nothing is in place. This needs to be built from scratch.

According to industry benchmarks, a typical mid-size organization finds roughly 45% of requirements fully compliant, 35% partially compliant, and 20% non-compliant. Organizations with mature security programs (an existing SIEM, documented access controls, regular risk assessments) often start at 60-70% compliance, while those building from scratch may be closer to 30-40%. Where your numbers land depends on how mature your security program is going in.

Figure: typical compliance breakdown. Fully compliant, 45% (controls working as required); partially compliant, 35% (gaps in documentation or execution); non-compliant, 20% (controls not implemented).

Why Running a Gap Analysis Before Certification Matters

Skipping the gap analysis and going straight into certification prep is like sitting an exam without knowing the syllabus. You might pass. But you’re probably wasting time studying the wrong things.

Here’s what a well-run gap analysis actually does for your team:

It prevents audit surprises.

Auditors will find gaps. The difference is whether you find them first. Discovering a non-conformity during the gap analysis costs you an afternoon. Discovering it during a Stage 2 audit can cost you the certification entirely.

It helps you spend in the right places.

Without a gap analysis, teams often over-invest in controls they already have and under-invest in the ones that are actually missing. Knowing exactly where the holes are means you can prioritize budget and effort where it counts.

It speeds up certification.

A prioritized action plan coming out of the gap analysis gives your team a clear, ordered project list. No more guesswork about what to tackle next. Companies that run a proper gap analysis consistently reach certification faster than those who skip it.

It builds the foundation for your Statement of Applicability.

The Statement of Applicability (SoA) is a mandatory ISO 27001 document that explains which Annex A controls apply to your organization and why. You can’t write a credible SoA without first knowing which controls are in place and which ones aren’t. The gap analysis feeds directly into it.

It demonstrates commitment to customers.

For B2B companies, showing prospects a structured gap analysis and a remediation roadmap signals that your security program is real and intentional, not just a badge you bought. That matters more than most teams realize during enterprise sales cycles.

How to Conduct an ISO 27001 Gap Analysis: Step by Step

There’s no single right way to run one, but the best gap analyses follow a clear sequence.

Here’s what it looks like in practice.

Figure: the gap analysis flow in five steps. Step 1, Define Scope (identify systems, teams and boundaries); Step 2, Review ISO Standard (Clauses 4 to 10 plus Annex A controls); Step 3, Assess Controls (compare current vs required state); Step 4, Identify Gaps (mark compliant vs missing controls); Step 5, Remediation Plan (prioritize fixes by risk impact).

Step 1: Define your scope

Before you assess anything, decide what’s included. Are you covering the entire company, or just specific departments and systems? A software company might scope to its product development and customer support teams where sensitive data is processed. A public sector contractor might limit the analysis to departments handling regulated data.

Scope creep kills gap analyses. Be specific upfront.

Step 2: Get a copy of the ISO 27001:2022 standard

You need the actual standard in front of you, not a summary of it. Purchase ISO/IEC 27001:2022 from the ISO store or your national standards body. Read through the clauses and Annex A controls carefully. Understanding why each requirement exists makes the assessment far more honest than just ticking boxes.

Step 3: Assemble the right team

This is not an IT project. ISO 27001 touches HR processes, physical security, vendor management, legal obligations, and executive decision-making. Your gap analysis team should include:

  • Someone with information security knowledge (CISO, security manager, or external consultant)
  • An IT lead who knows how the actual systems work, not just what the documentation says
  • An HR representative who owns people processes like onboarding, offboarding, and training
  • A legal or compliance contact who can speak to regulatory obligations

Executive sponsorship matters too. Without it, the gap analysis findings tend to sit in a folder and nothing gets fixed.

Step 4: Assess your current controls against each requirement

Go through every clause (4 to 10) and every applicable Annex A control. For each one, ask:

  • Is there a documented policy or procedure covering this?
  • Is the control actually implemented and operating?
  • Is there evidence that would satisfy an auditor?

Rate each control as fully compliant, partially compliant, or non-compliant. Be honest. Auditors are experienced at spotting wishful compliance, and an inflated gap analysis just delays the real work.

Focus closely on areas where organizations most commonly fall short:

  • Access control: Who has access to what, and is it documented and regularly reviewed?
  • Risk management: Is there a formal, documented risk assessment process?
  • Business continuity: What happens to your ISMS if a major incident occurs?
  • Supplier relationships: Are third-party vendors assessed for security risks?
  • Documentation: Are policies current, version-controlled, and communicated to staff?

Step 5: Document your findings

A gap analysis that isn’t written down is just a conversation. For each non-conformity or partial gap, document what the standard requires, what you actually have, and what specifically is missing.

Your gap analysis report should include an executive summary at the top (your compliance breakdown by percentage), followed by a control-by-control assessment, and a prioritized remediation plan. This report becomes the project brief for your ISO 27001 implementation work.

Step 6: Build a remediation plan

Prioritize gaps by risk level, not by how easy they are to close. A missing access review process represents more exposure than a missing policy header. Assign owners, set realistic timelines, and get leadership sign-off before the plan goes anywhere near implementation.

The Real Challenges (And How to Work Through Them)

Running a gap analysis sounds straightforward on paper. In practice, most organizations run into a few consistent problems.

Scope creep

Without clear boundaries, the analysis expands into areas that weren’t planned for and the project stalls. Fix this by defining scope in writing before the first interview or document review.

Poor Documentation

Many organizations have controls operating informally. An access review happens every quarter, but nobody wrote it down and there’s no evidence trail. Undocumented controls are treated as non-compliant by auditors. This is where automated compliance platforms create significant value—Secure.com’s Compliance Teammate continuously collects evidence from your existing systems (IdP access logs, SIEM alerts, ticketing systems, cloud configs) and maintains an immutable audit trail. What was previously ‘we do this but can’t prove it’ becomes ‘here’s the timestamped evidence with ownership attribution.’

Misaligned Annex A mapping

Teams sometimes map internal controls to the wrong ISO 27001 controls or miss the connection entirely. This creates false confidence and leaves real gaps invisible.

Staff Resistance

People hear “ISO 27001” and think more bureaucracy and more paperwork. The gap analysis process goes better when you frame it around business outcomes (reduced breach risk, faster customer trust-building, and competitive advantage) rather than compliance checkbox language.

Third-party Complexity

Verifying that your vendors meet ISO 27001-aligned security standards introduces another layer of coordination. Build supplier assessment into the scope from the start rather than adding it as an afterthought.

On the tooling side, many teams still run gap analyses through spreadsheets. That works, but it creates manual tracking problems and leaves version control to chance. Secure.com’s Compliance Teammate automates evidence collection, control mapping, and continuous compliance monitoring across ISO 27001, SOC 2, GDPR, and other frameworks. What traditionally takes 8+ months of manual spreadsheet work can be completed in weeks, with real-time compliance dashboards and audit-ready reports generated on demand. The platform continuously tracks control effectiveness, detects drift, and maintains an immutable evidence ledger—turning point-in-time compliance into continuous compliance. For reference, Anil (CISO at Officebeacon) noted that what would have taken eight months of manual effort was completed far faster using a purpose-built compliance tool.

Before Gap Analysis

  • Unclear control coverage
  • Missing documentation evidence
  • Unknown compliance status
  • Audit surprises likely

After Gap Analysis

  • Clear control mapping
  • Documented evidence trail
  • Known compliance gaps
  • Audit-ready roadmap

FAQs

Is an ISO 27001 gap analysis mandatory?

It is not required by the standard itself, but it is strongly recommended before you begin implementation. Without one, you’re doing implementation work without knowing what actually needs to be done. Most certification consultants treat it as the essential first step.

How long does a gap analysis typically take?

For a small to mid-size organization with a defined scope, expect two to four weeks for a manual analysis. Larger enterprises with complex environments can take two to three months. Using compliance automation software cuts that timeline significantly.

What’s the difference between a gap analysis and a risk assessment?

A gap analysis checks whether your controls and processes meet ISO 27001 requirements. A risk assessment identifies and evaluates the threats to your information assets. Both are required for ISO 27001 certification, but they serve different purposes. The gap analysis tells you what you’re missing. The risk assessment tells you what could hurt you.

How often should a gap analysis be repeated?

The initial gap analysis is done before certification. After that, organizations typically reassess when there are significant changes to the business, such as a new product line, an acquisition, or a technology shift. The annual internal audit required by the standard itself covers similar ground on an ongoing basis.

Conclusion

The ISO 27001 gap analysis is not a compliance formality. It’s the clearest picture your organization will get of where your security program actually stands before you commit time and money to certification.

Done well, it tells you exactly which controls to build, which documentation to create, and which risks to address first. Done poorly or skipped entirely, it leads to failed audits, wasted effort, and controls built in the wrong order.

Start with the standard. Define your scope. Get the right people in the room. Assess honestly. Then build your remediation plan from what you actually found, not from what you hoped was already in place.