What Is an ISO 27001 GAP Analysis

ISO 27001 Gap Analysis is the process organisations use to compare their current cyber security posture with the requirements set out in ISO 27001 certification. This analysis is used to determine whether a company is meeting the requirements and using its resources effectively. Gap Analysis is useful for organisations to set out a clear roadmap to obtaining ISO 27001 certification and establish the time and resources required.

What Does the GAP Analysis Report Include

The report sets out in detail what changes need to be made within the organisation to reach ISO 27001 certification. Here are just some of the aspects the report will cover:

  • An overview of the state and maturity of your information security arrangements;
  • A summary of the specific gaps between these arrangements and the requirements of ISO 27001;
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives;
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
  • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001.


Our Process

The decision to undergo ISO 27001 certification must have full management support. The necessary changes will require time, but this is an investment towards compliance that will pay off in the long run for more efficient processes.


Step 1

The first step is to accurately outline and define the organisational targets towards obtaining ISO 27001, all of which need to be specific, measurable, attainable, realistic, and timely.

Step 2

In the second step, historical data is used to measure the current performance of the organisation against its outlined goals.

Step 3

The third step is to analyse the collected data in order to understand why the measured performance falls below the desired levels.

Step 4

The fourth and final step is to compile a report based on the quantitative data collected and the qualitative reasons why the data falls below the benchmark. The action items needed to achieve the organisation's ISO 27001 certification are identified in the report.


If you have any further questions about our ISO 27001 consultation service that are not answered below, please feel free to call us on 0333 311 0121 or book a meeting with one of our cyber security experts.

Is ISO 27001 Mandatory?

ISO 27001 is not mandated in many countries, but if you are doing business in certain industries, e.g. financial services, you may be required to have an ISO 27001 certification or an equivalent. To determine whether ISO 27001 is mandatory for your company, you should call us on 0333 311 0121.

Is ISO 27001 a Framework?

ISO 27001 is part of the ISO 27000 series, a comprehensive set of cybersecurity standards that help organisations identify and manage their risks in a standardised way. ISO 27001 is a framework that helps organisations "establish, implement, operate and maintain an ISMS".

How Much Does ISO 27001 Cost?

Price can vary depending on the size and operation of your organisation; there are many factors that need to be taken into account before an estimate can be given.

How Long Is an ISO 27001 Certification Valid For?

ISO 27001 certification is valid for 3 years as long as the ISMS is managed and maintained throughout this period.

Can You Fail an ISO 27001 Audit?

You can fail an audit if a required document is unpublished. Providing a variety of documents, such as meeting minutes and internal audit reports, can prove you have set up the systems and practices that help meet ISO 27001 standards. That includes an Information Security Management System (ISMS).

Does ISO 27001 Cover GDPR?

In short, the ISO 27001 certification will cover your GDPR data processing security requirements, including stress testing and staff training.

Is ISO 27001 Good For Employees?

A big advantage of ISO 27001 is that it can dramatically reduce the risk of data breaches, which are often brought on by employees. With the correct training and certification in place, organisations can mitigate these threats.