Introduction
Before embarking on any ISO 27001 certification journey, the single most valuable thing an organisation can do is conduct a thorough gap analysis. A gap analysis tells you exactly where you stand against the standard's requirements, what work lies ahead, and how long and expensive the certification journey will be. Without it, you are navigating blind.
What is an ISO 27001 Gap Analysis?
An ISO 27001 gap analysis is a systematic assessment of an organisation's current information security practices against the requirements of the ISO/IEC 27001:2022 standard. It compares the 'current state' of your ISMS (or lack thereof) against the 'required state' defined by the standard, and documents the gaps — the areas where your current practices fall short.
The output is a gap report that serves as the foundation for the entire ISO 27001 implementation project: it defines the scope of work, informs the project timeline and budget, and prioritises remediation efforts.
What Does a Gap Analysis Cover?
Mandatory Clauses (4–10)
These clauses define the ISMS management system requirements — context, leadership, planning, support, operations, performance evaluation, and improvement. Every certified organisation must fully comply with all requirements in Clauses 4–10 — there are no exclusions.
| Clause | Topic | Key Gap Areas to Assess |
|---|---|---|
| Clause 4 | Context of the Organisation | Stakeholder analysis, ISMS scope definition, documented context |
| Clause 5 | Leadership | Management commitment, information security policy, roles & responsibilities |
| Clause 6 | Planning | Risk assessment process, risk treatment plan, information security objectives |
| Clause 7 | Support | Resources, competence, awareness, communication, documented information |
| Clause 8 | Operations | Operational planning and control, implementing the risk treatment plan, risk assessments at planned intervals and on significant change, control of planned changes and of outsourced processes |
| Clause 9 | Performance Evaluation | Monitoring, internal audit programme, management review |
| Clause 10 | Improvement | Nonconformity management, corrective action, continual improvement |
Annex A Controls (93 Controls Across 4 Themes)
The gap analysis should assess your organisation against all 93 Annex A controls, grouped into four themes in ISO 27001:2022. Annex A is a reference list: Clause 6.1.3 requires you to decide which controls are necessary and to justify both inclusions and exclusions in the Statement of Applicability, so the assessment covers every control even if some are later excluded.
- Organisational Controls (37 controls) — Policies, roles, threat intelligence, supplier security, incident management
- People Controls (8 controls) — Screening, employment terms, security awareness, disciplinary process
- Physical Controls (14 controls) — Physical perimeter, equipment security, clear desk/screen
- Technological Controls (34 controls) — Access control, cryptography, malware protection, vulnerability management, logging and monitoring, data masking, secure development
For each control, the gap analysis records: current implementation status (Not Implemented / Partially Implemented / Fully Implemented), the evidence reviewed, and the gap or recommendation.
Gap Analysis Outputs
- Gap Report — A detailed document listing every requirement and control assessed, the current state, the gap identified, and the recommended action. This is the primary deliverable.
- Gap Summary Dashboard — A visual summary showing overall compliance percentage by clause and Annex A theme — helping management understand the scale of the implementation effort at a glance.
- Remediation Roadmap — A prioritised action plan listing all gaps, ranked by risk impact and certification criticality, with recommended owners, timelines, and effort estimates.
- Statement of Applicability (Draft) — A draft SoA listing all 93 Annex A controls with initial inclusion/exclusion decisions, a justification for each decision (required by Clause 6.1.3 for exclusions as well as inclusions), and the current implementation status of each included control.
- Implementation Timeline and Budget Estimate — A realistic estimate of the time and resources required to close all identified gaps and achieve certification.
How to Conduct a Gap Analysis
- Assemble the Assessment Team — Include IT, security, operations, HR, and legal representatives.
- Define the ISMS Scope — The gap analysis must be conducted against the systems, processes, and locations in scope for certification.
- Review Documentation — Collect existing security policies, procedures, standards, and records. Assess their adequacy against ISO 27001 requirements.
- Conduct Interviews — Interview key personnel across IT, operations, HR, and management to understand actual practices versus documented policies.
- Inspect Technical Controls — Review access control configurations, patch management records, backup logs, encryption implementations, and monitoring capabilities.
- Assess Physical Security — Review physical access controls, equipment security, and environmental controls at in-scope facilities.
- Document Findings — Record every gap against the specific clause or control it relates to.
- Prioritise and Plan — Rank gaps by risk level and certification impact.
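As an added worked example (not part of the original article and not Vedtam's own tooling), the following Python script models the records described under Gap Analysis Outputs and produced by the Document Findings and Prioritise and Plan steps above: a per-control register with status, evidence and gap, a compliance roll-up by Annex A theme, a remediation roadmap ranked by certification criticality and risk impact, and a draft Statement of Applicability with justifications. The control entries, evidence strings and risk scores are constructed sample data, and the 0 / 0.5 / 1 status weighting and the ranking key are assumptions of this example; the standard prescribes neither.

```python
"""Gap register roll-up: per-control status and evidence, compliance
percentage by Annex A theme, a prioritised remediation roadmap and a
draft Statement of Applicability. All sample entries are constructed."""

from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for the three statuses used in the article; ISO 27001
# prescribes no scoring, so treat these as a reporting convention only.
STATUS_SCORE = {
    "Not Implemented": 0.0,
    "Partially Implemented": 0.5,
    "Fully Implemented": 1.0,
}


@dataclass
class GapEntry:
    control: str            # Annex A control number, e.g. "5.7"
    theme: str              # Organisational / People / Physical / Technological
    status: str             # one of STATUS_SCORE
    evidence: str           # what was reviewed (documents, records, configs)
    gap: str                # shortfall found; empty when fully implemented
    risk_impact: int        # 1 (low) to 5 (high), assessor's judgement
    cert_critical: bool     # likely major nonconformity at the certification audit
    applicable: bool = True
    justification: str = ""  # SoA justification for inclusion or exclusion

    def __post_init__(self):
        if self.status not in STATUS_SCORE:
            raise ValueError(f"unknown status {self.status!r} for {self.control}")
        if not self.applicable and not self.justification:
            raise ValueError(f"excluded control {self.control} needs a justification")


# Constructed sample register; a real one lists all 93 controls.
REGISTER = [
    GapEntry("5.1", "Organisational", "Partially Implemented",
             "Draft policy v0.3, unapproved", "Policy not approved or communicated", 4, True,
             justification="Mandatory policy set for the ISMS"),
    GapEntry("5.7", "Organisational", "Not Implemented",
             "None", "No threat intelligence collection or review", 2, False,
             justification="Feeds risk assessment and vulnerability management"),
    GapEntry("5.19", "Organisational", "Not Implemented",
             "Vendor list only", "No supplier security assessment process", 4, True,
             justification="Outsourced hosting and payroll in scope"),
    GapEntry("6.3", "People", "Partially Implemented",
             "Onboarding slides, no attendance records", "Awareness delivered but not recorded", 3, True,
             justification="Required for all staff with information access"),
    GapEntry("7.7", "Physical", "Fully Implemented",
             "Clear desk policy, monthly spot-check records", "", 1, False,
             justification="Open-plan office handles customer data"),
    GapEntry("8.8", "Technological", "Partially Implemented",
             "Scanner reports, no remediation SLA", "Findings not tracked to closure", 5, True,
             justification="Internet-facing systems in scope"),
    GapEntry("8.24", "Technological", "Fully Implemented",
             "TLS configuration, key management SOP", "", 1, False,
             justification="Customer data in transit and at rest"),
    GapEntry("8.28", "Technological", "Not Implemented",
             "n/a", "", 1, False, applicable=False,
             justification="No in-house software development"),
]


def applicable(register):
    """Controls that will appear as 'included' in the SoA."""
    return [e for e in register if e.applicable]


def compliance_by_theme(register):
    """Weighted percentage of applicable controls implemented, per theme."""
    totals = defaultdict(lambda: [0.0, 0])
    for e in applicable(register):
        totals[e.theme][0] += STATUS_SCORE[e.status]
        totals[e.theme][1] += 1
    return {theme: round(score / count * 100, 1)
            for theme, (score, count) in totals.items()}


def overall_compliance(register):
    """Weighted percentage across all applicable controls (the dashboard headline)."""
    entries = applicable(register)
    return round(sum(STATUS_SCORE[e.status] for e in entries) / len(entries) * 100, 1)


def remediation_roadmap(register):
    """Open gaps ranked: certification-critical first, then risk impact, then size of gap."""
    open_gaps = [e for e in applicable(register) if e.status != "Fully Implemented"]
    return sorted(open_gaps, key=lambda e: (not e.cert_critical, -e.risk_impact,
                                            STATUS_SCORE[e.status]))


def draft_soa(register):
    """One row per Annex A control, included or excluded, each with a justification."""
    return [{"control": e.control, "included": e.applicable,
             "status": e.status, "justification": e.justification} for e in register]


if __name__ == "__main__":
    for theme, pct in compliance_by_theme(REGISTER).items():
        print(f"{theme:<15} {pct:5.1f}%")
    print(f"{'Overall':<15} {overall_compliance(REGISTER):5.1f}%")
    for rank, e in enumerate(remediation_roadmap(REGISTER), 1):
        flag = "CRITICAL" if e.cert_critical else "normal"
        print(f"{rank}. A.{e.control} [{flag}, impact {e.risk_impact}] {e.gap}")
```

The roadmap key puts certification-critical gaps ahead of everything else because a major nonconformity blocks certification regardless of its risk score; within that band the higher risk impact and the larger shortfall (lower status weight) come first. Excluded controls never enter the percentages or the roadmap, but they stay in the SoA with their justification, which is what an auditor will ask to see.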
Common Gaps Found in Indian Organisations
- Absence of a formal risk assessment process — most common critical gap
- Undocumented or incomplete information security policies
- No formal supplier/vendor security assessment process
- Inadequate patch management and vulnerability management processes
- No formal security incident management process
- Lack of documented business continuity and disaster recovery plans
- Security awareness training that is delivered informally but leaves no records (dates, content, attendance), so it cannot be evidenced to an auditor
- No formal internal audit programme for information security
DIY vs Consultant-Led Gap Analysis
| Approach | Pros | Cons |
|---|---|---|
| DIY Internal | Lower cost, builds internal knowledge | Risk of missing gaps, no benchmarking, lacks auditor perspective |
| Consultant-Led | Experienced, objective, auditor perspective, faster | Higher upfront cost, requires internal cooperation |
| Hybrid | Best of both — consultant leads, internal team supports | Requires coordinated effort |
For organisations pursuing certification for the first time, a consultant-led gap analysis is strongly recommended. An experienced ISO 27001 consultant knows what auditors actually look for — a gap that passes internal review may fail an external audit.
How Vedtam Can Help
Vedtam conducts comprehensive ISO 27001 gap analyses for organisations across industries, delivering a clear, actionable report with a prioritised remediation roadmap. Our consultants bring audit experience that helps you understand not just what the gaps are, but what the auditors will look for when they come.
Visit vedtam.com/consulting/iso-consulting-services/ for more details.
Get your ISO 27001 Gap Analysis started.
Free consultation: vedtam.com/contact/ | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India


