What is an ISO 27001 gap analysis and how does it work?

ISO 27001, the international standard for information security, has such a broad set of uses that organisations often struggle to get the best out of it. 

That can make it difficult to build an ISMS (information security management system) that meets the Standard’s requirements and the needs of your organisation. 

That’s where an ISO 27001 gap analysis comes in. The process is an essential starting point for implementing the Standard, providing organisations with an overview of the steps they must take to achieve certification. 

What does an ISO 27001 gap analysis do? 

Conducting an ISO 27001 gap analysis enables you to evaluate the effectiveness of your existing information security measures and compare them with the Standard’s requirements. It will give you a solid understanding of: 

  • The proposed scope of your ISMS; 
  • Your internal resource requirements; and 
  • An estimated timeline for reaching certification readiness. 

An in-person gap analysis will also provide you with the evidence you need to make a business case for implementing an ISO 27001-compliant ISMS. 
The expertise required to complete a gap analysis means that most organisations would benefit from consultancy. 

Consultancy-led gap analyses usually contain two stages. First, an ISO 27001 specialist will assess the organisation’s existing information security arrangements and documentation. These will be compared against the Standard’s requirements to identify any opportunities for improvement. 

Once this is complete, the consultant will provide a gap analysis report collating their findings. This will typically contain: 

  • An assessment of the overall state and maturity of the organisation’s information security arrangements; 
  • The specific gaps between these arrangements and the requirements of ISO 27001; 
  • Options for the scope of an ISMS, explaining how each one helps meet the organisation’s business and strategic objectives; and 
  • An action plan for what the organisation must do to implement an ISO 27001-compliant ISMS. 

Get a true picture of your ISO 27001 compliance posture 

It’s hard to commit to ISO 27001 if you’re not sure how much work needs to be done, but a gap analysis from our expert consultants can take the guesswork out of compliance. 

Our ISO 27001 Gap Analysis service is conducted by industry experts, who will provide you with a detailed review of your current compliance posture and explain exactly what you need to do to meet the Standard’s requirements.