How to complete an ISO 27001 Gap Analysis

The Purpose of ISO 27001

ISO 27001:2013 provides organizations with guidance on how to manage information security risks, with the ultimate goal being to preserve the confidentiality, integrity, and availability of information by applying a risk management process and give confidence to interested parties that risks are adequately managed.

The ISO 27001 Gap Analysis

A gap analysis provides a high-level overview of what needs to be done to achieve ISO 27001 certification. It allows the organisation to assess and compare its’ existing information security arrangements against the requirements of the ISO 27001:2013 standard.

The ISO 27001 standard provides 114 controls against which compliance may be measured. Additionally, there are a further set of 156 Clauses, divided into 7 key sections. Compliance with many of the Clauses being mandatory. The 7 key sections found within the standard are transcribed as follows:

4 Context of the Organization
5 Leadership


7 Support
8 Operation
9 Performance Evaluation
10 Improvement


Implementation of a Control or Clause also requires supporting documentation, policies, evidence etc, to be provided and referenced. These are all subject to audit by a Certification Body or regulatory authority. Consequently, with so many Controls and Clauses and their associated documentation, achieving compliance can be detailed, arduous, costly and resource heavy.

When to do an ISO 27001 Gap Analysis

When conducting a gap analysis depends on the progress made with implementing an ISMS. If the organization lacks an ISMS, it will be apparent that it will be missing most, if not all of the controls necessary for the risk assessment. In this case, it may be prudent to leave the gap analysis until further into the ISMS’s implementation.

If the implementation has recently begun, the analysis will still show lots of gaps, but there will be a clear understanding of how much work lies ahead. If an established system in place, the gap analysis can determine the strength of the system. Thus, the Gap Analysis might best be undertaken towards the end of the ISMS implementation.

ISO 27001 Gap Analysis tools

Traditionally, a Gap Analysis is undertaken using a range of spreadsheets to measure and report against compliance with the Controls and Clauses found within the standard. This work captures the information security position of the business, alongside referenced, supporting documentation held in both paper and electronic format. This methodology tends to be complex and prone to error, especially when updating “work in progress” and maintaining document version control. Inevitably, mistakes are made which may lead to non-conformances in the process, increased costs and delays to certification. This approach is not recommended, since software solutions offer a cost effective and superior approach.

Achieve ISO 27001 first time with the 27k1 ISMS

A feature rich, integrated Gap Analysis module is a key element of the 27k1 ISMS software, since for many organisations, this process will be the starting point of their ISO 27001 certification journey.

Once the software is installed, the module is readily accessed from the “Home” page. The software has been developed according to the guidelines of the ISO standard. Hence the 114 Annex A controls are separated into the same 14 sections as found in the standard, starting with A5 – Information Security Controls and running through to A18 – Compliance Controls. Moreover, the 156 Clauses that are set out in the 27k1 ISMS software relate to the standard in a similar way. In this way, consultants and implementers can easily select particular Controls and Clauses, nominating one or more of the following reasons for the selection: Legal, Regulatory, Business and Contractual.

Having selected the Control or Clause, its “Status” may be determined, which can range from “No plan To Implement” through to “Implemented and Audited”. When the software is installed, the status of each Control and Clause is set at “No Plan To Implement”, allowing the user to determine the future status of each. The software captures the status of the Control or Clause and enables supporting documentation to be added.

Further fields within the Gap Analysis software allow resources, notes, actions and justification to be applied. A full history of activity against each Control or Clause’s status and its implementation activity is provided, with all data being fed through to comprehensive, dashboard style reports.

How to complete an ISO 27001 Gap Analysis 1

The Statement of Applicability

Having selected the Controls and determined their status, reasons for selection and associated documents, this work is captured in full and may be copied across to the Control Manager module of the 27k1 ISMS software, where it may be used as the basis for the Statement of Applicability. In the same way, the Clause data may be captured and copied across in full to the Document Manager module:

How to complete an ISO 27001 Gap Analysis 2

Full, dashboard style, ISO 27001 Reports

The feature rich reports allow both the Implementer and Auditor to accurately assess the progress being made towards the completion of the Gap Analysis. This will provide a full picture of the level of compliance against the standard and leaves the organisation with full knowledge of any further work required to achieve compliance and certification.

How to complete an ISO 27001 Gap Analysis 3