ISO 27001 gap analysis: where do you stand now?

A gap analysis compares your current situation with the requirements of ISO 27001:2022. You receive a clear overview of gaps, risks and a realistic roadmap towards certification — the logical first step before you embark on an implementation or certification process.

What does a gap analysis deliver?

  • An overview per standard clause: met / partially met / not met.
  • Prioritisation by risk and impact.
  • A roadmap with an estimate of time and effort.
  • A basis for your audit checklist and Statement of Applicability (SoA).

Transition to ISO 27001:2022

The standard was revised in 2022 with a new Annex A structure (93 controls across 4 themes). Our gap analysis immediately clarifies which new controls you still need to address on the way to the ISO 27001 audit.

ISO/IEC 27001 — official standard page (official source).

Frequently asked questions

Short, direct answers — written for people and for AI search functions alike.

No, a gap analysis is not mandatory, but it is strongly recommended. It gives you a realistic picture of where you stand in advance, prevents surprises during the certification audit and helps you set priorities. Many organisations ultimately save time and money with it.

A gap analysis is an upfront assessment that maps out what is still missing to meet the standard; it is intended for planning and improvement. An audit (internal or certification) formally assesses whether the system complies and works. The gap analysis is therefore the preparation, and the audit is the moment of assessment.

For most organisations a gap analysis takes one to a few days of fieldwork, depending on the size and complexity, plus the reporting. Within one to two weeks you usually have a concrete report with findings, priorities and a roadmap in hand.

Want to know whether you are audit-ready?

Schedule a no-obligation audit scan and, within a single conversation, find out where you stand and what the next step is.
