What exactly is an ISO 27001 gap analysis, anyway?
The breadth of applicability of ISO 27001 can make it difficult for organisations to determine how to apply the Standard effectively and economically.

As a result, building an ISMS (information security management system) that meets the requirements of ISO 27001 can be challenging.

One solution is to conduct an ISO 27001 gap analysis – a process many organisations consider an important starting point when putting a prioritised plan in place.

But what is an ISO 27001 gap analysis, and what does it entail?

An ISO 27001 gap analysis provides a high-level overview of what your organisation needs to do to achieve certification.

Conducting an ISO 27001 gap analysis enables you to assess and compare your organisation’s existing information security arrangements against the Standard’s requirements, and will give you an informed assessment of:

  • The proposed scope of your ISMS;
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.

Additionally, an in-person gap analysis will provide you with the information necessary to develop a strong business case for implementing an ISO 27001-compliant ISMS.

Consultancy-led gap analyses typically consist of two key phases. First, an ISO 27001 specialist will assess your existing information security arrangements and documentation. These will be compared against the requirements of ISO 27001 to identify any opportunities for improvement in the existing arrangements, address shortfalls against the Standard’s requirements and mitigate the risk of data breaches.

Second, following the assessment, you will receive a gap analysis report collating the findings. It will likely detail:

  • The overall state and maturity of your information security arrangements;
  • The specific gaps between these arrangements and the requirements of ISO 27001;
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives; and
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS.

Want a true picture of your ISO 27001 compliance posture? IT Governance can help

For a true picture of your ISO 27001 compliance posture you should opt for a professional consultancy service, as questionnaire-based gap analyses don’t provide the level of expert analysis and insights you get from a specialist.

Conducted by an experienced ISO 27001 specialist, IT Governance’s ISO 27001 Gap Analysis service will provide you with a detailed review of the current state of your organisation’s compliance against the requirements of ISO 27001.

Speak to an ISO 27001 expert or contact us for a quote today.