Last updated: 2026-07-13 · Jurisdiction: international standard (ISO/IEC 27001:2022)
How to run an ISO 27001 gap analysis
A gap analysis is the first real piece of work on the road to ISO 27001 certification. It is where you compare what your organization already does against what the standard asks for, so you know exactly what stands between you and a certifiable management system. This is a vendor-neutral, step-by-step method: no product required to follow it, though we link our free interactive checker where it saves you time.
The short version
Fix the scope, gather what you already have, then assess yourself twice: once against the management-system clauses 4 to 10 and once against the 93 Annex A controls. The clauses all apply and cannot be excluded, so score each as conforming, partial, or not in place; for the controls, decide whether each is necessary and, if so, its implementation status. Record the evidence each item expects. Rank the gaps by risk and effort, assign owners and dates, and feed the necessity decisions into your Statement of Applicability. Re-check before the Stage 1 audit.
What a gap analysis is, and what it is not
A gap analysis is a planning tool. You run it early, before the management system is fully built, to see how far you already are and to scope the work ahead. It is deliberately informal: your own team can run it, and its only job is to produce an honest map of where you conform and where you do not.
It is not the same as three things people often confuse it with. It is not an internal audit, which the standard requires once your system is running and which must be conducted objectively and impartially (by an internal or external auditor who does not check their own work) to confirm that the system conforms and works. It is not a risk assessment, which evaluates your information-security risks against defined criteria and, through risk treatment, drives which controls you need (the two feed each other). And it is not the certification audit itself, the Stage 1 and Stage 2 assessment carried out by a certification body (choose an accredited one for the strongest recognition). Think of the gap analysis as the map you draw before the journey, not the inspection at the end of it.
What you measure against: the two halves of ISO 27001:2022
ISO/IEC 27001:2022 has two parts you assess against, and a thorough gap analysis covers both.
The management-system clauses (4 to 10)
These set out how the management system itself must work: the organization's context and interested parties, direction and ownership from senior management, risk assessment and objectives, resources and competence, documented information, running and controlling the security work, checking that it works and internal audit, and handling problems and improving. They are the requirements a Stage 1 audit leans on most, and they are mandatory: unlike the Annex A controls, you cannot declare a clause “not applicable.”
The Annex A controls (93, in four themes)
Annex A lists 93 controls grouped into four themes: organizational (37), people (8), physical (14) and technological (34). The 2022 revision reduced the count from 114 in the 2013 edition by merging overlapping controls, and added 11 new ones for areas such as threat intelligence, information security for cloud services, and data masking. Each control is either necessary (from your risk treatment or an obligation) and therefore included, or justifiably excluded, and where it is necessary, either implemented or not.
Version note: this guide is written for the 2022 (third) edition of ISO/IEC 27001, which cancels and replaces ISO/IEC 27001:2013, together with Amendment 1:2024, which adds a climate-change consideration to the context requirements in clause 4. The reference controls and their four-theme structure come from ISO/IEC 27002:2022. This page describes the requirements in our own words: it paraphrases them and does not reproduce the standard's clause titles or normative text. For the official wording, obtain the standard from your national standards body.
How to run an ISO 27001 gap analysis, step by step
- 1
Fix the scope before you measure anything
Decide which parts of the organization, which locations, which services and which information the management system covers, and write the boundary down. This is what clause 4 asks for: an understanding of the internal and external factors and the interested parties whose expectations shape the system. Since Amendment 1:2024, clause 4 also asks you to consider whether climate change is a relevant issue and whether interested parties have climate-related requirements, so note that while you scope. A gap analysis run against a fuzzy scope produces gaps you cannot act on, because you never agreed what was in and what was out.
- 2
Collect what already exists
Pull together the policies, procedures, risk records, asset inventories, supplier contracts, access-control settings and past incident notes you already have. Most organizations are further along than they assume: a gap analysis is as much a stock-take of the evidence you can already point an auditor at as it is a hunt for what is missing. Gathering this first stops you recording a gap that a document in another team already closes.
- 3
Assess the management-system clauses (4 to 10)
Work through the requirements the standard places on the management system itself, across clauses 4 to 10: the organization's context and interested parties, direction and ownership from senior management, risk assessment and security objectives, resources and competence, documented information, planning and controlling the day-to-day security work, measuring whether the system works and running an internal audit, and handling problems and improving. A certification auditor can raise nonconformities against these clauses just as readily as against the Annex A controls, so give them equal weight rather than treating them as an afterthought. Our free checker breaks these clauses into eleven self-scored areas if you want a fast first pass.
- 4
Assess the Annex A controls
Go through the 93 controls in Annex A of ISO/IEC 27001:2022, grouped into four themes: organizational (37), people (8), physical (14) and technological (34). For each control, make two separate decisions. First, is the control necessary? Necessity comes from your risk treatment (the controls you chose to address your risks) and from any legal, regulatory or contractual obligations, not from scope alone, so Annex A is a checklist you compare those decisions against rather than the starting point. Second, where a control is necessary, is it fully implemented, partly in place, or absent? Record the evidence that would demonstrate it. Keeping necessity and implementation as distinct judgements is what later lets you write a defensible Statement of Applicability.
- 5
Record every gap with a status and the evidence it expects
Capture a plain verdict for each item, but use the right scale for each half. The clauses 4 to 10 all apply and cannot be excluded, so record each as conforming, partly conforming, or not in place. For the Annex A controls, record whether the control is necessary and, where it is, its implementation status (implemented, partial, or absent). Add a one-line reason and the evidence an auditor would expect to see. The evidence note is the part teams skip and the part that makes the analysis useful: a gap recorded without what would close it is a worry, not a task. A simple spreadsheet with one row per requirement or control and these columns is enough to start.
- 6
Prioritize by risk and effort, then build a remediation plan
Rank the gaps three ways: how much risk each one exposes, whether it blocks certification, and how quickly it can be closed. Give each gap an owner and a target date. The quick, low-risk fixes clear the board and build momentum; the slow, high-risk ones need to start early. This ranked, owned list is what turns a gap analysis from a document into a remediation project with a schedule.
- 7
Feed the results into your Statement of Applicability and re-check before Stage 1
Turn the necessity decisions from step 4 into a Statement of Applicability. It records the controls you have determined are necessary (including any you use that sit outside Annex A), why each is necessary, its implementation status, and a justification for every Annex A control you leave out. That document is a certification requirement in its own right, and our free Statement of Applicability generator gives you a starting scaffold. Once remediation is under way, run the gap analysis again against the same scope, so you walk into the Stage 1 certification audit already knowing what an auditor will find.
Start with a free gap check
Before the full control-by-control analysis, get a same-day snapshot. Our free ISO 27001 Gap Checker walks the management-system clauses 4 to 10 across eleven self-scored areas and returns a maturity heatmap and a prioritised focus list. No account, and it runs entirely in your browser. It is a starting point for the method above, not a substitute for the full Annex A assessment or for a competent auditor.
Open the free ISO 27001 Gap CheckerFive mistakes that make a gap analysis useless
Skipping the clauses
Assessing only Annex A and ignoring clauses 4 to 10. The Stage 1 audit is largely a documentation review of exactly those clauses, so the gaps you skip are the ones you meet first.
Recording gaps without expected evidence
A verdict of “absent” with no note on what would close it is not actionable. Every gap needs the evidence an auditor would want to see attached to it.
Analysing against an undefined scope
If you have not agreed what the ISMS covers, every control is ambiguous. Fix the scope first, then measure against it.
Treating applicability and implementation as one question
“Does this control apply?” and “is it in place?” are separate judgements. Collapsing them produces a Statement of Applicability you cannot defend.
Doing it once and never again
A gap analysis at the start is a baseline. Re-running it after remediation, before Stage 1, is what tells you whether the work actually closed the gaps.
Where a gap analysis sits in the certification journey
| Activity | When | Who runs it | Output |
|---|---|---|---|
| Gap analysis | Early, before the ISMS is built | Your team, informally | A remediation plan and baseline |
| Internal audit | Once the ISMS is running | A competent, impartial auditor (internal or external) | Conformity findings (required by clause 9.2) |
| Certification audit (Stage 1 and 2) | When you are ready to certify | A certification body (accredited, for the strongest recognition) | The certification decision and, if satisfied, an ISO 27001 certificate |
Want the product-assisted version of this, with a per-control verdict across all 93 Annex A:2022 controls and a draft Statement of Applicability? See ISO 27001 gap analysis with ISMS Copilot. Want to see how the product supports ISO 27001? See ISMS Copilot for ISO 27001, or browse the full set of free compliance tools.
Frequently asked questions
What is an ISO 27001 gap analysis?
It is a structured comparison of your current information security practices against the requirements of ISO/IEC 27001:2022: the management-system clauses 4 to 10 and the 93 Annex A controls. The output is a list of where you already conform, where you partly conform, and where you have nothing yet, with the evidence each requirement expects. It is a planning exercise, not a certification.
Is a gap analysis the same as an internal audit?
No. A gap analysis is usually done early, to scope the work and build a remediation plan, and it can be run informally by your own team. An internal audit (required by clause 9.2 once the management system is running) is a formal check that your ISMS conforms and works in practice, conducted so as to be objective and impartial; the auditor may be an employee or an external party, as long as they do not audit their own work. The gap analysis tells you what to build; the internal audit checks that what you built holds up.
Do we need to assess the clauses, or just the Annex A controls?
Both. Annex A gets most of the attention, but certification depends on the management-system clauses 4 to 10 as well: understanding the organization and its interested parties, direction and ownership from the top, planning and handling risk, the resources and people behind the system, running the day-to-day security work, measuring whether it works, and fixing problems and improving. Organizations that only gap-analyze Annex A are the ones surprised at the Stage 1 audit, which focuses heavily on the clauses and the mandatory documented information.
How long does an ISO 27001 gap analysis take?
It depends on the scope and how much documentation already exists. A small, single-site software company with policies already in place might complete a first-pass gap analysis in a few days; a larger or multi-site scope takes longer. The free interactive checker gives you a same-day maturity snapshot of the clauses; the full control-by-control analysis against all 93 Annex A controls is a larger exercise.
How many controls are in ISO 27001:2022?
Annex A of ISO/IEC 27001:2022 lists 93 controls in four themes: 37 organizational, 8 people, 14 physical, and 34 technological. The 2022 revision reduced the count from 114 in the 2013 edition by merging overlapping controls and added 11 new controls covering areas such as threat intelligence, information security for cloud services, and data masking.
Primary sources
- ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection. Information security management systems. Requirements (third edition, cancels and replaces ISO/IEC 27001:2013). www.iso.org (checked 2026-07-13).
- ISO/IEC 27001:2022/Amd 1:2024, Climate action changes (adds climate-change consideration to the context requirements in clause 4). www.iso.org (checked 2026-07-13).
- ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection. Information security controls (the reference controls and implementation guidance that ISO/IEC 27001:2022 Annex A draws on, 93 controls in four themes). www.iso.org (checked 2026-07-13).
- ISO/IEC 27000 family, Information security management systems (overview and terminology). www.iso.org (checked 2026-07-13).
Written and maintained by the ISMS Copilot team. Our compliance content is produced by certified information security professionals, including a CISM-certified ISO 27001 Lead Implementer who still runs audits. Last reviewed 2026-07-13.
The full text of ISO standards is copyrighted and available for purchase from ISO or your national standards body. This guide paraphrases the requirements in original wording and does not reproduce clause titles or normative text. It is educational content, not legal advice or a statement of conformity; for third-party certification, the certification body makes the certification decision based on the audit evidence and its required review.
Ready to do compliance work faster?
Built for speed, accuracy, and audit-ready output.
