
ISO 27001 Gap Analysis – What You Need To Know

An ISO 27001 Gap Analysis (sometimes called a Compliance Assessment or Pre-Assessment) is an assessment that measures your organization’s current information security practices against the requirements of the standard and gives you an overview of where you stand. The analysis serves as a roadmap for organizations working towards ISO 27001 certification.

Here we will discuss what ISO 27001 is and answer common questions regarding the certification process, and specifically questions around the ISO 27001 Gap Analysis.

What is ISO 27001 and Why is it Important?

ISO 27001 (formally ISO/IEC 27001) is the internationally recognized standard for information security management. It was developed to help all organizations, regardless of size or industry, protect their information in a systematic and cost-effective way by adopting an Information Security Management System (ISMS).

Not only does the adoption of an ISMS help protect key company information, it also makes businesses that are certified against ISO 27001 more desirable to work with. With ever-changing cyber threats and online risks, many large organizations (especially at government level) increasingly treat ISO 27001 certification as a ‘bare minimum’ requirement before they will engage a supplier. As a result, companies that are certified instantly become more attractive to these customers.

So how would you get started on developing an ISMS? The first step is to conduct a gap analysis.

What is an ISO 27001 Gap Analysis?

An ISO 27001 gap analysis is a key tool for measuring your current state of compliance against the international standard. It provides a high-level overview of what needs to be done to achieve certification and enables organizations to compare their existing information security processes against the requirements of ISO 27001.

Organizations use a gap analysis to discover what they need to do to become compliant and to prepare themselves for the ISO 27001 certification audit. Conducting one typically reduces the number of non-conformances raised during the audit and, as a result, helps you achieve certification sooner.

The key findings of a gap analysis should include:

  • The scope of the ISMS and how it will meet business objectives
  • The current state of information security
  • Any gaps between current practices and ISO 27001 requirements
  • The action plan to bridge these gaps and the effort required


Why is it essential to conduct an ISO 27001 gap analysis?

You wouldn’t go into an exam without studying or a sports match without practicing. Conducting a gap analysis is the equivalent of training your management system and your team so that they are as well prepared as they can be, and so that you meet the best-practice requirements of the ISO standard before the auditor arrives.

The ISO 27001 standard has the potential to be a daunting, overwhelming beast that many businesses steer away from because the costs seem to outweigh the benefits. The truth is that a gap analysis is the method many businesses use to make sure they do not waste time or money unnecessarily during the certification process, because it tells them up front which requirements they already meet and which ones still need work.


What are the steps in conducting a gap analysis?

Typically these gap analyses are conducted by third parties, most likely consultants or even auditors themselves (though not the certification body that will later audit you, since it must remain independent of any consultancy work).

The first key area to address is the scope of the ISMS, i.e. which parts of the business, which locations, systems and information the management system covers. This is key because it helps you home in on the areas of the business you need to address rather than spending attention where it is not needed. Typically the project management team is responsible for implementing the ISMS; however, it is most often the staff directly involved in the day-to-day processes who hold the knowledge required, so they need to be part of the analysis.

Following this, a detailed analysis needs to be conducted on the gaps between your actual information security practices and what ISO 27001 requires: the mandatory management-system clauses (4 to 10) and the Annex A controls you have chosen to apply. Usually, informal interviews are conducted with key staff and existing documentation is reviewed, and the findings are then compared with the requirements of the standard.

Finally, the assessor produces a report listing the findings and recommendations, along with a prioritized action list. This should also show what work will need to be done before certification to ISO 27001 is worth considering.

The typical cost of this type of gap analysis from a third party is normally between $3,000 and $5,000, a considerable chunk for many businesses, and this is just the start. Consultants often charge for additional items such as travel and transport, not to mention the time it takes for someone new to come in and learn your internal systems.


At SafeWrite, we have a solution that equips our users with an interactive self-assessment tool, fitted out with all the questions that need to be asked to ensure that you are on the right path to compliance. Upon completion, you will immediately be able to generate a professionally formatted report that identifies your scores, gaps and recommended action plan as your next steps.

These tools have been used by businesses of all sizes to prepare themselves for certification and open up new opportunities with new or existing clients.


Mitch Kenny

Mitch has extensive knowledge of HSEQ and compliance requirements. He spent the last 5 years as the Product Manager for the MAUS ISO & Compliance solutions before launching SafeWrite to further help users improve their systems and processes through leading technology and resources.