Before you write a single policy or schedule a single training session, you need to know where you actually stand. A gap assessment — sometimes called a gap analysis or readiness assessment — maps your current security practices against the full ISO 27001 standard. It tells you what you already have, what is partially in place, and what does not exist at all. Without it, you are implementing blind.
The good news: a gap assessment does not require a consultant. A founder, IT lead, or operations manager with a few hours and the right framework can produce a working gap analysis that drives a realistic implementation plan. Here is how to do it.
What You Are Measuring Against
ISO 27001 has two parts you need to assess against. The first is the main standard — Clauses 4 through 10 — which defines what your ISMS must do: understand context, define scope, establish leadership commitment, conduct risk assessments, set objectives, build and operate the ISMS, run internal audits and management reviews, and handle nonconformities. These are mandatory. You cannot exclude any of them.
The second part is Annex A — 93 controls across four themes (Organisational, People, Physical, Technological) that address specific security risks. Unlike the main clauses, Annex A controls can be excluded from your ISMS if you have a documented justification. Your gap assessment should cover both parts.
Gap Assessment Scoring: Three Categories
For each requirement and control, assign one of three statuses. Keep it simple — over-engineering the scoring methodology wastes time.
Compliant: a documented, implemented, and evidenced control exists. An auditor could test it today.
Partial: something exists — a practice, a tool, an informal process — but it is undocumented or incomplete.
Not Started: no practice, document, or control exists for this requirement. It needs to be built from scratch.
Gap Assessment Dimensions: Clauses 4–10
| Clause | Requirement | What to look for |
|---|---|---|
| 4 | Context & Interested Parties | Documented internal/external issues, stakeholder register |
| 5 | Leadership & Policy | Signed information security policy, ISMS roles assigned |
| 6 | Risk Assessment & Objectives | Risk register, methodology document, ISMS objectives |
| 7 | Support (Resources, Awareness) | Training records, competence evidence, documented info |
| 8 | Operations & Risk Treatment | Risk treatment plan, SoA, operational controls running |
| 9 | Performance Evaluation | Internal audit records, management review minutes, metrics |
| 10 | Improvement | Nonconformity log, corrective action records |
The Most Common Gaps by Category
After running gap assessments across dozens of startups and SMEs, these are the gaps that appear most consistently:
No documented risk assessment
Risk management happens informally in most organisations. There is no register, no scoring methodology, and no treatment plan. This is the single largest gap for most first-timers.
No Statement of Applicability
The SoA is a mandatory document. Almost every organisation that has never been through certification is missing it entirely.
Missing or unsigned information security policy
Some organisations have a policy buried in a handbook. It is rarely signed by top management and rarely communicated to staff with evidence of that communication.
No supplier security assessments
Annex A.5.19 requires you to manage third-party security risk. Most organisations have no formal process for reviewing SaaS tools, cloud providers, or contractors.
No access review records
Auditors always sample access control. Who has access to what, when was it last reviewed, what was revoked? If you cannot show records of periodic access reviews, this is a finding.
Turning Your Gap Results Into an Implementation Plan
Once you have scored every clause and relevant Annex A control, you have a clear picture. Count your Not Started items — these drive your workstream. Partial items are lower effort because you are completing something that already exists. Compliant items need only to be maintained and evidenced.
Prioritise in this order: first, close the gaps in Clauses 4–10 (these are all mandatory and non-negotiable). Second, implement the highest-priority Annex A controls — those linked to your highest-scored risks from your risk assessment. Third, document everything you already do. A significant portion of "Not Started" gaps are actually practices that exist but are not written down. Documenting them is faster than building new controls.
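To make the scoring and prioritisation above concrete, here is a small gap register written for this article as an added example (it is not tooling from the article or from any ISO 27001 product). It records each clause or control with one of the three statuses, drops Annex A controls that carry a documented exclusion, computes the compliance percentage, flags items marked Compliant with no evidence, and orders the open items in the sequence described above: mandatory clause gaps first, then not-started Annex A controls by linked risk score, then partially implemented controls that only need documenting. The clause and control numbers are real ISO 27001:2022 references; the statuses, risk scores (assumed 0-25 scale), evidence file names and the sample company are constructed.

```python
# Added example, not from the article: a minimal gap register that applies
# the three statuses and the remediation ordering described in the text.
# Item references are ISO 27001:2022 clause/control numbers; the statuses,
# risk scores (assumed 0-25 scale) and evidence file names are constructed.
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    COMPLIANT = "Compliant"      # documented, implemented, evidenced
    PARTIAL = "Partial"          # exists but undocumented or incomplete
    NOT_STARTED = "Not Started"  # nothing exists yet


@dataclass
class GapItem:
    ref: str                  # "Clause 6" or "A.5.19"
    title: str
    status: Status
    mandatory: bool           # Clauses 4-10: True; Annex A controls: False
    risk_score: int = 0       # highest linked risk from the risk register (assumed 0-25)
    exclusion: Optional[str] = None   # documented justification, Annex A only
    evidence: list[str] = field(default_factory=list)


def in_scope(item: GapItem) -> bool:
    """An Annex A control with a documented justification is excluded from the ISMS."""
    return item.mandatory or item.exclusion is None


def validate(items: list[GapItem]) -> list[str]:
    """Consistency checks on the register itself, before trusting the score."""
    problems = []
    for it in items:
        if it.mandatory and it.exclusion:
            problems.append(f"{it.ref}: mandatory clauses cannot be excluded")
        if it.status is Status.COMPLIANT and not it.evidence:
            problems.append(f"{it.ref}: marked Compliant with no evidence")
    return problems


def summarise(items: list[GapItem]) -> dict:
    """Count statuses over in-scope items and compute the compliance percentage."""
    scoped = [it for it in items if in_scope(it)]
    counts = {s: sum(1 for it in scoped if it.status is s) for s in Status}
    total = len(scoped)
    return {
        "in_scope": total,
        "compliant": counts[Status.COMPLIANT],
        "partial": counts[Status.PARTIAL],
        "not_started": counts[Status.NOT_STARTED],
        "compliance_pct": round(100 * counts[Status.COMPLIANT] / total, 1) if total else 0.0,
    }


def remediation_plan(items: list[GapItem]) -> list[str]:
    """Order open items in the sequence the article prescribes:
    tier 0: any open Clause 4-10 item, in clause order (all mandatory);
    tier 1: Annex A controls not yet started, highest linked risk first;
    tier 2: Annex A controls that exist but need documenting (Partial), by risk."""
    def key(it: GapItem):
        if it.mandatory:
            return (0, int(it.ref.split()[-1]), it.ref)
        tier = 1 if it.status is Status.NOT_STARTED else 2
        return (tier, -it.risk_score, it.ref)

    open_items = [it for it in items if in_scope(it) and it.status is not Status.COMPLIANT]
    return [it.ref for it in sorted(open_items, key=key)]


def sample_register() -> list[GapItem]:
    """Constructed register for a small, fully remote SaaS company."""
    return [
        GapItem("Clause 4", "Context & interested parties", Status.PARTIAL, True),
        GapItem("Clause 5", "Leadership & policy", Status.NOT_STARTED, True),
        GapItem("Clause 6", "Risk assessment & objectives", Status.NOT_STARTED, True),
        GapItem("Clause 9", "Performance evaluation", Status.COMPLIANT, True,
                evidence=["internal-audit-report.pdf"]),
        GapItem("A.5.19", "Information security in supplier relationships",
                Status.NOT_STARTED, False, risk_score=20),
        GapItem("A.5.18", "Access rights", Status.PARTIAL, False, risk_score=16),
        GapItem("A.7.4", "Physical security monitoring", Status.NOT_STARTED, False,
                exclusion="No physical offices; all staff remote"),
        GapItem("A.8.15", "Logging", Status.COMPLIANT, False, risk_score=12,
                evidence=["log-retention-config.yaml"]),
        GapItem("A.8.24", "Use of cryptography", Status.COMPLIANT, False, risk_score=18),
    ]


if __name__ == "__main__":
    reg = sample_register()
    print(summarise(reg))        # 8 in scope, 37.5% compliant
    print(remediation_plan(reg)) # clauses 4, 5, 6, then A.5.19, then A.5.18
    print(validate(reg))         # A.8.24 has no evidence behind its Compliant status
```

Running the script on the constructed register gives 37.5% compliance across eight in-scope items, a plan that starts with Clauses 4, 5 and 6 before any Annex A work, and a validation warning that A.8.24 is scored Compliant without evidence; that warning is the kind of item the second assessment run before Stage 1 is meant to catch.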
Practical tip
A gap assessment is not a one-time exercise. Run it at the start of your certification journey, then again three months before your Stage 1 audit. The second run tells you whether your implementation has landed and what still needs to be evidenced. The gap between your two assessments is the story of your ISMS coming to life — and that story is exactly what a good auditor wants to see.
Most organisations completing their first gap assessment find they are 20–40% compliant with ISO 27001. That is normal. The value of the exercise is not the score — it is the clarity about what needs to happen next, in what order, and with what effort.
If you want the gap assessment conducted by an experienced practitioner who can also guide remediation, our ISO 27001 consulting service starts with a structured gap analysis.