Gap analysis checks control coverage. Risk assessment evaluates threats and impacts.
Spot gaps, take action, and get ISO-ready—without the guesswork.
An ISO 27001 gap analysis is your first step towards understanding where your information security stands today. It helps you spot what needs improving to meet the Standard and protect what matters most: your data, your clients, and your reputation. It’s like a health check for your information security—giving you a clear picture of where you are now, what you’re missing, and how to get up to scratch with one of the world’s most respected security standards.
Data breaches are more common than ever – and for many UK businesses, they come with serious financial and reputational consequences. The British Airways incident, for example, led to a proposed £183 million GDPR fine. But you don’t need to be a global airline to feel the impact. For most SMEs, just one security lapse can be enough to damage client relationships and delay growth.
This guide will walk you through how to identify the weak spots in your setup, and how to fix them. We’ve broken it down into steps, added real-world examples, and included tips that are especially relevant for UK businesses.
Gap analysis at a glance
An ISO 27001 gap analysis measures how close your current setup is to meeting the requirements of the ISO 27001:2022 Standard. The aim is to spot the gaps: what’s already working, what needs improvement, and what’s missing altogether. This sets the foundation for developing your information security management system (ISMS).
The analysis covers the full scope of the Standard, including the mandatory clauses (clauses 4-10) and the crucial Annex A controls, which are the practical safeguards you need to implement. It also informs your Statement of Applicability (SoA), the document that explains which controls are relevant to your business and why.
How it differs from a risk assessment
While they’re both essential, they serve different purposes. A gap analysis is your compliance checklist, while a risk assessment is your threat-hunting expedition. You need both—but starting with a gap analysis gives you the clearest picture of where you stand.
If you’re wondering whether a gap analysis is genuinely worth your time, the short answer is yes, absolutely. It’s a practical and powerful way to find out where you stand right now—and what you actually need to get certification-ready.
You don’t want to be guessing your way through the process or pouring time and money into areas that don’t really need it. Armed with the findings from a gap analysis, you’ll have a clear, focused plan—making every step towards ISO 27001 more manageable and less stressful.
Here’s what a gap analysis helps you do:
For UK businesses that tender for public contracts or manage sensitive data, a gap analysis is a useful tool to identify what your business needs to do to meet the Standard.
When to do it:
Breaking down a gap analysis into clear, manageable steps takes the stress out of the process. Follow these six steps and you’ll be well on your way.
Here’s how it works:
Define the scope
Set the boundaries of your analysis. This means agreeing what parts of your organisation the gap analysis will cover—locations, departments, systems, services, even specific suppliers if needed. If you try to analyse everything, you risk wasting time and diluting your efforts. A clear scope keeps your assessment focused and relevant.
Example one: A software company might choose to focus on its product development and support departments, where sensitive customer data is processed.
Example two: A public sector contractor scopes its analysis to include only departments handling citizen data, aligning with government tender requirements.
Tip: Your scope should reflect any legal, regulatory, or contractual obligations—especially if you handle personal data under GDPR or bid for public sector contracts.
Gather existing documentation
Before you identify what’s missing, you need to know what’s already in place. Start collecting all relevant information security documentation. Include:
– Information Security Policy
– Risk assessments
– Asset registers
– Access logs and control procedures
– Business continuity or disaster recovery plans
– Supplier agreements
Example one: You may find your Data Protection Policy exists—but hasn’t been reviewed in over two years. That’s a likely non-conformance.
Example two: A law firm gathers evidence of DPIAs and Subject Access Request logs to meet both ISO 27001 and UK GDPR requirements.
Tip: Check that you have GDPR-relevant documents like DPIAs and records of Subject Access Requests.
Assess your setup against the Standard
Now compare your policies, processes, and evidence against the requirements of:
– Clauses 4 to 10 of the Standard (e.g. context, leadership, planning)
– The 93 controls in Annex A (e.g. access control, encryption, logging)
Use a checklist or template to track:
– Compliant
– Partially compliant
– Not compliant
Example one: For Annex A.5.15 (Access Control), you might be enforcing passwords but lack a formal written policy—mark it as ‘Partially compliant’.
Example two: A healthcare provider may map Annex A.5.1 (Policies for Information Security) to GDPR Article 32 to ensure secure processing of patient data—highlighting gaps in outdated procedures.
Tip: Use Article 32 of the UK GDPR (Security of Processing) to cross-check your technical and organisational controls.
Identify the gaps
Highlight every area where your existing setup doesn’t fully meet the standard. For each gap, note:
– The clause/control affected
– What’s missing
– The potential impact or risk
Example one: You don’t have an incident management plan (Annex A.5.23). That’s a gap—and a risk if you can’t respond quickly to security breaches.
Example two: A retailer finds its outsourced payment provider lacks adequate data retention controls—posing risks under both ISO 27001 and the Data Protection Act 2018.
Tip: Technology is only part of the picture. Most gaps come from people and process issues—like unclear responsibilities, lack of awareness, or missing records.
Report your findings
Pull together your assessment results in a structured, clear gap analysis report. Include:
– Executive summary
– Clause-by-clause breakdown
– Evidence used for rating
– Compliance status
– A visual dashboard or RAG (red, amber, green) status if possible
Example one: You might end up with 20 compliant areas (green), 12 partial (amber), and 5 critical gaps (red). That’s your starting point.
Example two: Include a section highlighting how gaps relate to GDPR Article 30 (records of processing activities) to support audit readiness.
Tip: Highlight gaps that could cause GDPR or NIS2 compliance issues—like missing audit trails or access control weaknesses.
Build your action plan
Now, take the gaps you’ve identified and turn them into an improvement plan that’s realistic, phased, and achievable.
Your plan should include:
– What needs to be done
– Who’s responsible
– When it will be done
– Resource requirements
– Priority level
Example one: You decide to:
– Draft and approve an access control policy (Annex A.5.15) by next month.
– Roll out security training to all staff (Annex A.6.3) in the next quarter.
– Create an incident response plan within 30 days.
Example two: A marketing agency prioritises encryption policies and training for staff handling personal data, tying improvements to Article 32 of the UK GDPR.
Tip: Tackle high-risk, high-impact items first. Quick wins (like updating policies) can build momentum and stakeholder buy-in.
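The six steps above boil down to a checklist that is rated, checked against evidence, summarised as a RAG dashboard and turned into a prioritised action plan. The following Python script is an added example, not part of the original guide or any Citation ISO tool: it models that checklist with a constructed sample assessment (the control references follow the examples above), flags ratings the evidence does not support (a ‘Compliant’ rating with no evidence, or evidence older than a review window), and builds the plan with red gaps first.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Checklist rating -> RAG colour used in the report; red gaps come first in the plan
STATUS_RAG = {"Compliant": "green", "Partially compliant": "amber", "Not compliant": "red"}
RAG_RANK = {"red": 0, "amber": 1, "green": 2}

@dataclass
class ControlCheck:
    ref: str                                  # clause or Annex A control, e.g. "A.5.15"
    name: str
    status: str                               # one of STATUS_RAG's keys
    evidence: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None      # date the evidence was last reviewed
    impact: str = ""                          # risk if the gap is left open
    owner: str = "unassigned"
    due: Optional[date] = None

def consistency_issues(check: ControlCheck, today: date, max_age_days: int = 365) -> List[str]:
    """Flag ratings the recorded evidence does not support."""
    issues = []
    if check.status == "Compliant" and not check.evidence:
        issues.append(f"{check.ref}: rated Compliant with no evidence recorded")
    if check.last_reviewed and (today - check.last_reviewed).days > max_age_days:
        issues.append(f"{check.ref}: evidence last reviewed {(today - check.last_reviewed).days} days ago")
    return issues

def rag_summary(checks: List[ControlCheck]) -> Counter:
    """Counts per RAG colour for the dashboard."""
    return Counter(STATUS_RAG[c.status] for c in checks)

def action_plan(checks: List[ControlCheck]) -> List[dict]:
    """Each non-green control becomes an action: critical gaps first, then earliest due date."""
    gaps = sorted((c for c in checks if STATUS_RAG[c.status] != "green"),
                  key=lambda c: (RAG_RANK[STATUS_RAG[c.status]], c.due or date.max))
    return [{"control": c.ref, "action": f"Close gap in {c.name}", "owner": c.owner,
             "due": c.due, "priority": STATUS_RAG[c.status].upper(), "impact": c.impact}
            for c in gaps]

# Constructed sample assessment (not real audit data); refs follow the examples above
TODAY = date(2025, 6, 1)
SAMPLE = [
    ControlCheck("A.5.1", "Policies for information security", "Compliant",
                 evidence=["InfoSec Policy v2"], last_reviewed=date(2023, 3, 1)),
    ControlCheck("A.5.15", "Access control", "Partially compliant", evidence=["Password settings"],
                 impact="No written policy", owner="IT lead", due=date(2025, 7, 1)),
    ControlCheck("A.5.23", "Incident management plan", "Not compliant",
                 impact="Slow response to a breach", owner="CISO", due=date(2025, 7, 1)),
    ControlCheck("A.6.3", "Security awareness training", "Partially compliant",
                 evidence=["Induction slides"], owner="HR", due=date(2025, 9, 30)),
    ControlCheck("4.3", "ISMS scope", "Compliant"),   # rated but no evidence: gets flagged
]
```

Running `rag_summary(SAMPLE)`, `consistency_issues(c, TODAY)` for each entry and `action_plan(SAMPLE)` gives the dashboard counts, the two evidence problems (the stale policy review and the unevidenced scope rating) and the plan with the incident management gap at the top.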
Whether you’re DIY-ing your gap analysis or want expert help, there’s no single right way to approach it—it all depends on your time, expertise, and appetite for rolling up your sleeves. Some organisations prefer to take a hands-on approach, using practical tools or templates to review their current state against the Standard. Others opt for more comprehensive support, especially when time is tight or compliance risks are high.
DIY tools and templates
If you’d like to do it yourself, there are plenty of tools and platforms on the market to help you complete a gap analysis. Some are free and useful for self-assessments, while others are part of broader ISMS software packages.
A structured Excel checklist is often a great starting point: simply list out all ISO 27001:2022 clauses and Annex A controls, mark your level of compliance, note the evidence you have, and highlight actions for improvement. This approach gives you flexibility and a clear, visual log of your assessment journey.
Prefer expert support? Most SMEs want clarity, guidance, and confidence they’re doing things right. So if you’d prefer to skip the spreadsheets, we include your gap analysis when you partner with us for certification—guided by real consultants.
Expert guidance and hands-on support
If you’d rather have some support or a sense-check along the way, working with professionals can save you time and offer peace of mind. Our team provides a hands-on, tailored gap analysis service designed to suit your organisation. You benefit from expert guidance, clear tailored reporting, and ongoing support to close those gaps—without the jargon.
When you choose Citation ISO Certification to support your ISO 27001 certification, your gap analysis is included as part of the process. You’ll get:
No matter which route you choose, the end goal is the same: a clear understanding of where you stand and the steps you need to take next. What matters is choosing the one that suits your business size, resources, expertise and goals.
| | Manual (spreadsheet) | Software tool | Expert support (Citation ISO) |
|---|---|---|---|
| Cost | Low or free | Varies (subscription-based) | Included with certification service |
| Setup time | Immediate | May require onboarding | Immediate with consultant guidance |
| Customisation | High flexibility | May be fixed format | Fully tailored to your organisation |
| Best for | Small teams with in-house expertise | Larger orgs or complex ISMS projects | SMEs looking for support and speed |
| Support level | None – fully DIY | Medium – limited platform support | High – real consultants walk you through it |
It’s a common question, and one that causes a fair bit of head-scratching: “What’s the difference between a gap analysis and a risk assessment?” It’s easy to see why they get mixed up – both are crucial parts of your ISO 27001 journey, but they play very different roles. Think of it like building a house: a gap analysis is like checking your architect’s blueprints against the building regulations, while a risk assessment is like surveying the land for flood risks or weak ground.
A gap analysis is fundamentally a compliance check. You take the ISO 27001 Standard as your blueprint and compare your existing security practices against it, line by line. Its main job is to answer the question: “Where do we fall short of the Standard’s requirements?” It’s a methodical, list-driven process that gives you a clear to-do list for achieving compliance.
A risk assessment, on the other hand, is a threat-hunting exercise. It’s a deeper, more investigative process where you identify potential threats to your information assets, analyse your vulnerabilities, and then evaluate the potential impact on your business. It helps you answer the question: “What could go wrong, and how bad would it be?” This is essential for justifying and prioritising the security controls you choose to implement. In the UK, a robust risk assessment is also a key component when reporting to the Information Commissioner’s Office (ICO) in the event of a breach.
So, when should you use each? It’s not a case of one or the other; it’s about doing them in the right order. You should always start with a gap analysis to get a baseline understanding of your compliance posture. This initial review gives you a high-level roadmap. Following that, a risk assessment provides the detailed, risk-based justification you need to select the most appropriate controls from Annex A and satisfy the core requirements of ISO 27001.
| | Gap Analysis | Risk Assessment |
|---|---|---|
| Primary goal | To identify non-compliance with ISO 27001 requirements. | To identify, analyse, and evaluate information security risks. |
| Focus | Where is the business not meeting the Standard? | What are our biggest threats and vulnerabilities? |
| Output | A report detailing gaps against specific clauses and controls. | A risk register and risk treatment plan. |
| Driver | The ISO 27001 Standard’s list of requirements. | Your organisation’s specific threat landscape and business context. |
| Timing | Often the first step in an ISO 27001 project to create a roadmap. | After gap analysis. A continuous process, but essential for selecting appropriate controls. |
| UK tie-in | Prepares for GDPR/NIS2 | Supports ICO reporting, DPIAs |
Even with the best intentions and a solid plan, a gap analysis can sometimes hit a few bumps in the road. It’s a detailed process, and knowing where the common tripwires are can help you sidestep them. The good news is that for every potential challenge, there’s a practical solution waiting.
Here are a few common hurdles you might face and how to clear them with confidence.
Scope creep
Your well-defined scope starts to expand, pulling in more departments, systems, or processes than you originally planned. This can quickly drain your resources and derail your timeline.
Example: A UK facilities management firm initially scoped their analysis to operational IT systems, but project stakeholders later added marketing and HR—delaying the project by 4 weeks.
Fix: Be clear on what’s in and what’s out. Get senior leadership buy-in on your scope right from the start. A formally signed-off scope document acts as your north star, keeping everyone focused and providing a clear reference point if things start to wander. If you’re bidding for public contracts or handling personal data, align the scope with GDPR and tender requirements.
Limited resources
You’re juggling the gap analysis alongside your day job, and there just aren’t enough hours or people to get it done efficiently. It’s easy for the project to lose momentum.
Example: A London-based marketing agency underestimated the workload. With only one part-time compliance lead, they struggled to complete their self-assessment until they brought in external support.
Fix: Plan realistically with staff input. Do you need extra help? Consider bringing in an expert to guide you through the process and handle the heavy lifting. This frees you up to focus on the strategic decisions.
Confusion around 2022 updates
The latest version of the standard introduced new controls and restructured others. If you’re working from an old checklist or are unfamiliar with the changes, you might miss key requirements.
Example: An organisation uses a pre-2022 checklist and misses new controls related to threat intelligence and cloud service security.
Fix: Make sure you’re working with the ISO/IEC 27001:2022 version of the standard from the outset. Use up-to-date templates and checklists that reflect the new control set (all 93 of them) and the four new themes.
Missing or weak Statement of Applicability (SoA)
Your SoA is a critical part of ISO 27001—it shows which controls apply, and why. It’s also one of the first things auditors look at. But it’s often incomplete or skipped entirely in early assessments.
Example: A fintech startup provides only generic SoA coverage in their draft audit pack—prompting a major pre-audit rework.
Fix: Start documenting your SoA as part of the gap analysis. For each control, record whether it’s applicable, why, and what evidence supports its use.
Lack of leadership engagement
If management sees ISO 27001 as “just an IT thing,” the project can stall. Key decisions get delayed and staff aren’t motivated to engage.
Example: A manufacturing firm saw little director-level engagement until a failed bid due to lack of ISO 27001 certification forced leadership to prioritise compliance.
Fix: Bring leadership into the process early. Explain the business case—fewer data breaches, smoother tenders, better client trust—and make sure action plans have director-level backing.
Fragmented evidence or missing documentation
Many businesses store security policies, logs, and records across multiple systems (or inboxes). This makes it hard to find evidence during the gap analysis—or prove compliance during audit.
Example: A professional services firm lost time trying to track down GDPR logs during a client audit request.
Fix: Use a central repository, like our online platform Atlas, to manage your documents and policies. Consistency is key.
A gap analysis doesn’t just highlight what’s missing, it gives you a smarter, more focused route to ISO 27001 certification with many benefits. Whether you’re aiming to improve your security, meet legal obligations, or win new business, it’s one of the most useful exercises you can do early in your compliance journey.
Here’s how it helps:
🚀 Faster certification: A gap analysis gives you a clear, prioritised project plan. Knowing exactly what to do and in what order means you can get to the finish line faster, without wasting time on guesswork or backtracking. It’s the most direct route to certification.
💷 Smarter spend: By pinpointing exactly where your resources are needed most, you avoid spending money on unnecessary controls or costly last-minute fixes. You can focus your budget on what matters.
🛡️ Stronger information security: Highlight weak spots in your processes, tech, and team knowledge—then fix them before they become a problem. Getting to grips with your gaps and implementing the ISO 27001 framework will reduce the likelihood and severity of attacks. In fact, ISO 27001 certified companies reduced breach lifecycles by an average of 88 days (Forbes 2025).
📉 Lower risk of data breaches: The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses identified cyber breaches in the past 12 months. A gap analysis helps you tighten your defences before you’re one of them.
🤝 Build trust with clients and stakeholders: Showing you proactively assess your security against a world-class standard speaks volumes. Especially useful for tenders, frameworks, and regulated sectors.