ISO 27001 Gap Analysis – what it is & its benefits

March 7th, 2023 Posted in ISO 27001

What is an ISO 27001 Gap Analysis?

An ISO 27001 Gap Analysis (or a Benchmark Assessment as we refer to it) is a good way to start your ISO 27001 implementation project, or indeed any ISO implementation project. It will establish your level of compliance against the requirements of the standard, whilst at the same time giving your external consultant – if you decide to use one – the opportunity to learn about your organisation.

Most of all, it provides a clear picture of any opportunities for improvement that may strengthen your current posture (much as a risk assessment does) and identifies any gaps that need to be addressed to comply with the requirements of ISO 27001 and, ultimately, to pass the certification process.

The benefits of a benchmark assessment

Allowing time for an external ISO 27001 consultant to learn about your organisation should bring considerable benefits. It helps them understand your business functions, such as your drivers and priorities, your deliverables and deadlines, and your commitments to external stakeholders such as customers and suppliers, as well as to internal stakeholders such as your staff. In doing so, a consultant should be able to bring context to the various requirements of the standard, make recommendations on the approach and the expected duration of the implementation, and tailor a certification roadmap accordingly. Not only does this process help build more robust working practices internally, but it can also help with data protection and mitigate data breaches.

Learn more from our post on the business benefits of certifying to ISO 27001.

The Gap Analysis process

To successfully conduct an ISO 27001 Gap Analysis, a consultant will typically want to meet with heads of function, or with people who have in-depth knowledge of their area of responsibility and are authorised to speak on behalf of the organisation.

Through a series of discovery interviews with your nominated people, a consultant should then be able to get a good understanding of your ISMS (information security management system): what policies and processes are already in place, how you ‘do things’, and a feel for your organisation and its culture. It is therefore important that the interviewees are frank and open in these conversations: a consultant is not there to criticise or judge… they are very much there to help you!

In fact, the discovery interviews are an ideal opportunity to build close relationships between the consultant and your representatives: after all, they will be working together for some months! 

Once the discovery interviews are complete, a consultant should prepare and deliver the ISO 27001 Gap Analysis report which should summarise their findings… the good, the bad and the ugly!

Good practices should be acknowledged, opportunities for improvement highlighted, and gaps in compliance clearly stated. The report should be accompanied by a roadmap that sets out actionable recommendations on how to close all gaps. These actions may be as simple as formalising existing practices; conversely, they may require changes to your working practices to reinforce compliance.

How long should it take?

Unless your organisation is particularly complex in its structure, expect a typical ISO 27001 Gap Analysis covering all aspects of the standard (clauses 4-10 as well as the Annex A controls) to take approximately 5 working days.

These may be consecutive days or may be spread over 1 to 3 weeks, depending on the availability of your interviewees. In all cases, a consultant should work at your pace and limit their time with your interviewees to minimise disruption. To help with scheduling, the consultant should, wherever possible, agree the duration of each interview and the topics to be covered with you beforehand. The 5 days should include the formalisation of the documented report and roadmap, and these should normally be delivered to you within 5 working days of the last interview unless agreed otherwise.

Once the report and accompanying roadmap are delivered you will have a clear view of: 

  • Your current posture against the requirements of the standard; 
  • What improvements you should consider, to strengthen your current position; 
  • What gaps must be addressed before attempting certification; 
  • What actions must be completed to implement improvements and fill in gaps; 
  • Who in your organisation will be involved in the implementation; 
  • How long the implementation is likely to take.

Want to know more? 

If you are thinking of gaining ISO 27001 certification, we’re here to help wherever you are on your decision path. We can also guide you on the next steps in light of the changes to the security controls in the new iteration of the standard, ISO 27001:2022. We can help with an initial workshop, carry out a full gap analysis, support your ISO project or manage your management system for you.

If you’d like to understand more about our ISO 27001 standards services, we’d be delighted to hear from you. Learn more about our ISO Consultancy Services or contact us using the form below. You can also download our free Guide to ISO 27001 for further understanding of the standard.



Written by Daniel Djiann

Daniel consults on ISO 27001, ISO 22301, ISO 9001 and business continuity. He has specialised in organisational resilience for much of his career, working as a consultant and in-house for multi-national organisations. He is also Head of our ISO & Business Continuity Practice. He is an ISO 27001 and ISO 22301 Lead Auditor and a Member of the Business Continuity Institute, MBCI.