ISO 27001:2022 Gap Analysis: The Ultimate Field Guide

A complete field guide to conducting ISO/IEC 27001:2022 gap analysis. Covers clauses, Annex A, real-world case studies, and an 8-step methodology from 20+ years of ISMS implementations.


Key Takeaways

Gap Analysis = Reconnaissance

Before any ISMS project, a structured gap analysis tells you exactly where your organisation stands against ISO/IEC 27001:2022 — clauses and Annex A both.

Evidence, Not Assumptions

Auditors accept documented proof — logs, policies, review records. "We have access control" without evidence will fail a Stage 1 audit every time.

Clauses + Annex A Both Matter

Organisations routinely over-focus on Annex A controls while ignoring Clause 5 leadership commitment or Clause 9 performance evaluation — equally auditable.

Risk-Based Prioritisation

A missing incident response plan is not the same risk as a missing clean desk policy. Rank gaps by likelihood × impact × asset value before allocating resources.

Gap Analysis Is Ongoing

Run it annually or after major changes — cloud migrations, M&A, new regulations. A one-time exercise produces a point-in-time snapshot, not a living ISMS.

Training Accelerates Results

Lead Implementer and Lead Auditor certification teaches gap analysis methodology hands-on — scoring models, reporting, remediation planning, not just theory.

An ISO/IEC 27001:2022 gap analysis is a structured assessment that compares your organisation's current information security posture against the requirements of the standard — covering both Clauses 4–10 (the management system framework) and Annex A (93 security controls). The output is a prioritised list of non-conformities, partial implementations, and missing evidence, with a remediation roadmap. It is the mandatory first step before any ISMS implementation begins.

Having led and reviewed dozens of ISO/IEC 27001 projects over the past two decades across banking, SaaS, healthcare, defence, and government, I've seen a consistent pattern. Organisations that invest in a thorough, evidence-driven gap analysis reach certification faster, avoid costly audit surprises, and build an ISMS that holds up under scrutiny. Those that skip it tend to encounter budget overruns, major non-conformities, or a paper ISMS that looks good in binders but collapses when tested.

Think of it as reconnaissance. A military mission doesn't begin with movement — it begins with terrain analysis. The same logic applies here. You need to know where you stand, where the vulnerabilities are, and how to allocate your resources before a single policy is written.

Two examples from the field make this concrete. A fintech in Riyadh found during its gap analysis that its encryption controls were strong but supplier security management was entirely absent — a gap that would have produced a major non-conformity at audit. A SaaS company in Dubai had technically hardened cloud infrastructure but no formal information security policy — a fundamental compliance gap that would have failed Stage 1. Both were caught in time because of a structured gap analysis.

At reconn, gap analysis is both something we deliver as a service and something we teach in depth in our ISO/IEC 27001 Lead Implementer and Lead Auditor training courses. What follows is the field-proven methodology — step by step, with real examples, a downloadable Excel template, and practical guidance from two decades of audits.

ISO/IEC 27001 Lead Implementer — Online Certification

Learn gap analysis methodology the way practitioners do it — with scoring models, real-world scenarios, and remediation planning. 100% online. PECB-certified. Self-study or eLearning delivery.

What Is an ISO/IEC 27001:2022 Gap Analysis?

A gap analysis compares your organisation's current state of information security against the requirements of ISO/IEC 27001:2022. It tells you where you are now versus where you need to be — and why the distance between those two points matters to auditors.

Standard Reference

ISO/IEC 27003 (the implementation guidance standard for ISO/IEC 27001) treats gap analysis as the output of the "analysis of the existing system" activity — conducted after scope definition and before risk assessment. It is an explicit prerequisite to ISMS design.

Core Purpose: Establish, Spot, and Roadmap

A well-executed gap analysis does three things. It establishes a documented baseline of existing controls, policies, and processes. It spots what is missing, incomplete, or not properly evidenced. And it produces a remediation roadmap — ranked actions that bridge the gap between current state and certification readiness.

Without this baseline, ISMS projects drift. Teams spend money on tools they don't need, overlook weaknesses that matter, and fail audits because fundamental requirements were quietly missed during implementation.

Gap Analysis vs. Risk Assessment: Not the Same Thing

Many organisations confuse these two activities. Both are essential — but they answer different questions.

                   | Gap Analysis                             | Risk Assessment
Question answered  | Are we compliant with the standard?      | What risks threaten our information assets?
Focus              | Clauses 4–10 + Annex A alignment         | Threats, vulnerabilities, impact
Output             | Non-conformity list + remediation plan   | Risk register + Statement of Applicability
Sequence           | Comes first (before ISMS design)         | Follows gap analysis (Clause 6.1)

Example: a gap analysis reveals no documented incident response plan (Clause 6.1.3). The risk assessment then quantifies the consequence — if an incident occurs without a response plan, recovery time could cost the organisation significantly in downtime. The gap tells you what's missing; the risk assessment tells you how much it matters.

Why Gap Analysis Is More Than a Checklist

A mature gap analysis goes three levels deep: documentation versus practice (do policies actually guide daily behaviour?), evidence versus assumptions (can you prove compliance with logs and records?), and alignment with business risk (are gaps prioritised by real impact?). A checklist only answers the first question.

Practitioner Note

During a project with a healthcare provider in the Middle East, the gap analysis showed strong technical controls — encryption, MFA, segmented networks — but no formal risk assessment methodology. On paper, they looked secure. In practice, they could not demonstrate risk-based decision-making. That would have been a major non-conformity. Finding it eight months before audit gave them time to design and test the methodology before Stage 1.

Why Conduct a Gap Analysis?

Gap analysis is not a formality before the "real" ISMS work begins. It is the work. Organisations that treat it seriously reach certification faster, with fewer surprises and lower remediation costs. Here are the five reasons the exercise pays for itself.

1. Build a Clear Picture of Your Security Posture

Executives often assume "we're already secure" because technical measures are in place. But ISO/IEC 27001:2022 demands more than technology — it requires documented policies, demonstrable leadership commitment, a functioning risk management process, and evidence of continual improvement. Gap analysis surfaces the difference between what leaders believe is in place and what auditors will actually find.

A SaaS provider in Dubai had hardened AWS configurations and DevSecOps pipelines. Their gap analysis revealed they had no Statement of Applicability — a mandatory ISMS deliverable. Without it, audit readiness would have collapsed despite excellent technical security.

2. Avoid Audit Surprises

ISO audits are unforgiving when evidence gaps appear unexpectedly. A gap analysis gives you the chance to spot them months before Stage 1 or Stage 2 — when fixing them is manageable rather than urgent.

A regional bank believed it was ready for certification. The gap analysis revealed no documented supplier evaluation process (Annex A.5.19 in ISO/IEC 27001:2022). That would have been a major non-conformity. Identifying and remediating it early saved significant reputational and financial exposure.

3. Prioritise Based on Risk and Business Impact

Not all gaps carry equal weight. A missing clean desk policy is a low-risk observation. A missing and untested incident response plan is a high-risk major non-conformity candidate. Gap analysis lets you rank findings by likelihood × impact × asset value, allocate resources to what matters most, and build a management-approved remediation plan with defensible prioritisation.

4. Strengthen Compliance and Stakeholder Trust

Regulators, customers, and partners want to see evidence that your ISMS is structured and evidence-driven — not assembled at the last minute. A well-documented gap analysis is itself proof of systematic risk management, and auditors notice when organisations present it with confidence.

A hospital operating under local DoH regulations and international healthcare standards used the gap analysis to align ISO/IEC 27001:2022 with its existing compliance framework. The result was a single harmonised compliance programme — reducing audit fatigue and demonstrating patient data stewardship to regulators.

5. Save Time and Budget

A rushed implementation without a gap analysis leads to over-engineering — buying tools you don't need, writing policies that duplicate existing ones, and scoping controls that don't align with actual risk. A thorough gap analysis eliminates this waste by clarifying exactly what's missing and what can be directly leveraged from existing practices.

ISO/IEC 27001 Lead Auditor — Online Certification

Understand exactly what auditors check during Stage 1 and Stage 2 — and how to evaluate ISMS compliance against ISO/IEC 27001:2022 requirements. 100% online. PECB-certified. 2× exam attempts included.

Step-by-Step Field Guide to ISO/IEC 27001 Gap Analysis

Eight steps, sequenced the way practitioners actually run them — not the way standards documents describe them in the abstract.

Step 1 — Define the Scope of the ISMS

The most common failure in ISO/IEC 27001 projects begins here. A scope that is too broad overwhelms teams and budgets. Too narrow, and critical assets are left unprotected — which auditors will notice and question.

Identify which business units, processes, and systems are relevant to information security. Decide whether to certify the entire organisation or a defined division. Map cloud providers, outsourced IT, and key suppliers. Document both inclusions and exclusions with written justification — auditors will ask whether scope boundaries exist to avoid compliance effort.

A financial institution initially planned to certify its entire enterprise — hundreds of branches and thousands of staff. The gap analysis showed this would be a multi-year undertaking with disproportionate cost. Instead, they scoped digital payments, ATMs, and mobile banking systems. Certification was achieved faster, and the ISMS expanded in subsequent cycles.

Step 2 — Understand the Standard's Requirements

Gap analysis compares your current state against two equally mandatory parts of ISO/IEC 27001:2022. Clauses 4–10 cover ISMS governance — context, leadership, planning, support, operation, performance evaluation, and continual improvement. Annex A contains 93 controls grouped into four themes: Organisational, People, Physical, and Technological.

For each requirement, record whether it is fully implemented, partially implemented, or absent. This becomes the input to your gap analysis tracker.

A fast-growing SaaS provider had strong technical measures — cloud firewalls, MFA, IAM, SIEM, XDR. Their gap analysis highlighted management commitment (Clause 5.1) as completely absent. There was no evidence of security objectives in board minutes. Leadership involvement is mandatory for certification, and this would have failed Stage 1.

Step 3 — Collect Documentation and Evidence

ISO auditors operate by one principle: if it isn't documented, it doesn't exist. What to collect: ISMS policy and supporting security policies (access, cryptography, acceptable use), risk assessment and treatment methodology, asset inventory and classification, Statement of Applicability, and records of incident handling, internal audits, and management reviews.

Centralise evidence in a secure repository, tag each document against its relevant clause or Annex A control, and link them directly in your tracker. During audits, this saves hours of searching.

Critical Gap

A healthcare provider claimed strong encryption practices. When asked for documentation during the gap analysis, they could only produce an outdated policy referencing SHA-1 hashing — deprecated and cryptographically broken. The gap triggered an urgent upgrade to AES-256 before certification. Documentation gaps are not administrative inconveniences; they are audit failures in waiting.

Step 4 — Assess Current Implementation Maturity

Two assessment models work in practice. The Yes/Partial/No model is a simple traffic-light system suitable for initial triage. The 1–5 maturity scale provides more granularity: 1 = non-existent, 2 = initial/ad hoc, 3 = defined and documented, 4 = managed and monitored, 5 = optimised. Assign scores for each control, record them in your tracker, and use conditional formatting to create visual heatmaps for management reporting.

A government IT ministry used the maturity scale across its full Annex A control set. 70% of controls reached Level 3 (defined/documented), but only 20% reached Level 4 (managed/monitored). The ISMS existed largely on paper. The gap analysis report reframed the conversation for leadership — from "are we compliant?" to "are we actually operating what we wrote?"

Step 5 — Identify Gaps and Associated Risks

For each missing or partial control, document: the control reference (e.g., Annex A.5.19), the gap description (e.g., "no supplier evaluation process exists"), the associated risk (likelihood and impact), and the recommended corrective action. This is where gap analysis connects to risk management — each gap maps to a business consequence.

An IT system integrator had no supplier risk assessments (Annex A.5.19). The risk: dependence on subcontractors handling classified data with no contractual security obligations. Corrective action: supplier due diligence questionnaires, annual security audits, and updated contract clauses requiring compliance with ISO/IEC 27001 controls.

Step 6 — Prioritise Gaps Using a Scoring Model

Three prioritisation approaches, from simple to rigorous. Qualitative ranking (High/Medium/Low) is fast and suitable for initial communication with leadership. Quantitative scoring (Likelihood 1–5 × Impact 1–5) adds defensibility. Weighted risk scoring (Likelihood × Impact × Asset Value) gives the most precise picture for resource allocation decisions.

Gap                            | Qualitative | Quantitative    | Weighted Score
No incident response testing   | High        | 4 × 5 = 20/25   | 4 × 5 × 3 = 60
Missing clean desk policy      | Low         | 2 × 2 = 4/25    | 2 × 2 × 1 = 4
No supplier evaluation process | High        | 4 × 4 = 16/25   | 4 × 4 × 3 = 48

Step 7 — Build the Remediation Action Plan

A gap analysis without a remediation plan is a report that sits in a folder. The action plan converts findings into accountable, time-bound tasks. Each row should include: gap description, corrective action, named owner (not a department — a person), target date, budget estimate, and measurable success criteria.

A retail group had no business continuity testing (Annex A.17). Action: run a tabletop exercise and full BCP drill. Owner: Head of Operations. Deadline: 90 days. Success criterion: recovery time objective below four hours demonstrated under test conditions. That specificity is what moves remediation from intention to execution.

Step 8 — Validate and Review Progress Before Audit

Before inviting external auditors, test whether gaps are actually closed — not just documented as closed. Conduct internal audits against ISO/IEC 27001:2022 clauses. Run a management review. Update the Statement of Applicability to reflect new control status. Re-run gap analysis sections if major changes occurred since the original assessment.

A financial institution's pre-audit internal audit revealed that log monitoring — fully remediated on paper — was not being consistently performed in practice. The gap was corrected before Stage 2. That's the difference between a closed gap and a verified gap.

Gap Analysis Excel Template Walkthrough

A gap analysis without structure becomes chaos — findings scattered across email threads, spreadsheets, and meeting notes. A centralised Excel tracker solves this. It may sound basic, but in practice Excel (or Google Sheets) remains the most effective, auditable, and universally understood format for recording and monitoring ISO/IEC 27001 readiness.

Template Structure — Seven Columns

The template covers Clauses 4–10 and all 93 Annex A controls in ISO/IEC 27001:2022. Seven columns per row:

  1. Reference — Clause or Annex A control number
  2. Current Status — Fully implemented / Partial / Missing
  3. Gap Description — What is missing or weak
  4. Risk Level — High / Medium / Low or quantitative score
  5. Corrective Action — Specific steps to close the gap
  6. Owner & Deadline — Named individual, not a department
  7. Evidence / Notes — Links to policies, logs, or supporting documentation

Sample Rows (Filled Example)

Reference  | Status  | Gap                                            | Risk   | Action                                         | Owner       | Days
Clause 5.1 | Missing | No ISMS reporting in board agenda              | High   | Add ISMS item to quarterly board meetings      | CEO         | 30
A.5.19     | Partial | Suppliers not evaluated annually               | High   | Supplier security questionnaire + annual audit | Procurement | 60
A.8.24     | Partial | Encryption policy references outdated ciphers  | Medium | Update to AES-256 and TLS 1.3 minimum          | IT Sec      | 45
A.5.29     | Missing | No BCP testing conducted                       | High   | Tabletop exercise + full failover drill        | Ops         | 90
A.8.5      | Partial | MFA only for IT staff, not all users           | High   | Extend MFA to all accounts via IAM policy      | CTO         | 60

Note: Control references updated to ISO/IEC 27001:2022 numbering. A.8.24 = Cryptography. A.5.29 = Information security during disruption. A.8.5 = Secure authentication.

Five Practical Tips from the Field

  1. Keep it simple. Overly complex trackers discourage updates. Stick to the seven essential columns — add more only if a specific workflow demands it.
  2. Use conditional formatting. High-risk gaps in red, partial in amber, compliant in green. Leadership grasps this instantly without reading a single row.
  3. Assign named owners. "IT" is not an owner. A named individual with a deadline is. Accountability accelerates remediation — vague ownership stalls it.
  4. Link evidence directly. Hyperlink policies and logs where possible. During audits, this reduces evidence retrieval from hours to minutes.
  5. Treat it as a living document. Review it in management meetings and internal audits. A static snapshot becomes outdated within weeks of the first remediation action.
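The tracker, the Step 6 scoring models and the tips above, as an added Python example (not the page's Excel template or reconn's tooling): it scores constructed tracker rows with the qualitative, quantitative and weighted models, summarises Step 4 maturity levels, downgrades a control marked implemented but lacking linked evidence to Partial (the Step 8 "verified, not just documented" check), and assigns the red/amber/green colours from the conditional-formatting tip. Assumed, not from the page: a 1-3 asset value scale, High/Medium/Low cut-offs at quantitative scores of 15 and 8, and the owner names and scores in the sample rows.

```python
"""Gap tracker scoring helpers (added example, not the page's Excel template).
Assumes a 1-3 asset value scale and band cut-offs at 15 and 8; rows are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class GapRow:
    reference: str       # Clause or Annex A control number
    status: str          # "Implemented", "Partial" or "Missing"
    gap: str             # what is missing or weak
    likelihood: int      # 1-5
    impact: int          # 1-5
    asset_value: int     # 1-3 (assumed scale)
    action: str          # corrective action
    owner: str           # a named person, not a department
    due_days: int
    evidence: list = field(default_factory=list)  # links to policies, logs, records

def quantitative_score(row):
    """Likelihood (1-5) x Impact (1-5), out of 25."""
    for name in ("likelihood", "impact"):
        if not 1 <= getattr(row, name) <= 5:
            raise ValueError(f"{row.reference}: {name} must be 1-5")
    return row.likelihood * row.impact

def weighted_score(row):
    """Likelihood x Impact x Asset Value, the model used for resource allocation."""
    if not 1 <= row.asset_value <= 3:
        raise ValueError(f"{row.reference}: asset_value must be 1-3")
    return quantitative_score(row) * row.asset_value

def qualitative_rating(row):
    """High/Medium/Low derived from the quantitative score (band cut-offs assumed)."""
    q = quantitative_score(row)
    return "High" if q >= 15 else "Medium" if q >= 8 else "Low"

def effective_status(row):
    """A control claimed as implemented with no linked evidence counts as Partial."""
    if row.status == "Implemented" and not row.evidence:
        return "Partial"
    return row.status

def heatmap_colour(row):
    """Red for High-risk open gaps, amber for other open gaps, green when evidenced."""
    if effective_status(row) == "Implemented":
        return "green"
    return "red" if qualitative_rating(row) == "High" else "amber"

def open_gaps(rows):
    """Rows still needing remediation, highest weighted score first."""
    pending = [r for r in rows if effective_status(r) != "Implemented"]
    return sorted(pending, key=weighted_score, reverse=True)

def maturity_summary(levels):
    """Share of controls at Level 3+ (defined) and Level 4+ (managed) on the 1-5 scale."""
    n = len(levels)
    at3 = sum(1 for v in levels.values() if v >= 3) / n
    at4 = sum(1 for v in levels.values() if v >= 4) / n
    return round(at3, 2), round(at4, 2)

# Constructed rows modelled on the sample table above; owners and scores are invented.
SAMPLE_ROWS = [
    GapRow("Clause 5.1", "Missing", "No ISMS reporting in board agenda", 3, 5, 3,
           "Add ISMS item to quarterly board meetings", "J. Doe (CEO)", 30),
    GapRow("A.5.19", "Partial", "Suppliers not evaluated annually", 4, 4, 3,
           "Supplier security questionnaire + annual audit", "A. Khan", 60),
    GapRow("A.8.24", "Partial", "Encryption policy references outdated ciphers", 3, 3, 2,
           "Update to AES-256 and TLS 1.3 minimum", "M. Ali", 45),
    GapRow("A.5.29", "Missing", "No BCP testing conducted", 4, 5, 3,
           "Tabletop exercise + full failover drill", "S. Lee", 90),
    GapRow("A.8.5", "Partial", "MFA only for IT staff, not all users", 4, 4, 2,
           "Extend MFA to all accounts via IAM policy", "R. Patel (CTO)", 60),
    GapRow("A.8.16", "Implemented", "Log monitoring claimed, no review records linked", 3, 4, 3,
           "Attach monthly log review records", "R. Patel (CTO)", 30),
    GapRow("Clause 5.2", "Implemented", "", 1, 2, 1, "None", "J. Doe (CEO)", 0,
           evidence=["ISMS-POL-001 (constructed reference to approved policy)"]),
]

def print_report(rows=SAMPLE_ROWS):
    """Console version of the colour-coded tracker, ranked for management reporting."""
    for r in open_gaps(rows):
        print(f"{r.reference:<11}{effective_status(r):<9}{qualitative_rating(r):<7}"
              f"{quantitative_score(r):>2}/25  weighted={weighted_score(r):<3} {heatmap_colour(r)}")
```

Running `print_report()` lists only the rows still open, so the A.8.16 row appears as Partial despite its claimed status while the evidenced Clause 5.2 row drops out.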

Mini Case Study — Healthcare Provider

During an ISO/IEC 27001:2022 implementation, a healthcare provider used the structured tracker and identified 34 gaps across 93 Annex A controls. Rather than attempting to close all 34 simultaneously, the team prioritised the ten High-risk findings — incident response, supplier evaluation, and backup testing among them.

Within two months, 80% of High-risk gaps were closed. The tracker was presented directly to external auditors as part of the evidence trail. The lead auditor's observation: this was one of the most structured gap analysis presentations they had reviewed.

Auditor Lens

Presenting a structured, evidence-linked gap analysis tracker signals to auditors that the ISMS is managed — not assembled. It shifts the conversation from "can you prove compliance?" to "walk me through your approach." That framing change alone reduces audit friction significantly.

Common Challenges in Gap Analysis — and How to Fix Them

Even with a structured methodology, gap analyses face predictable obstacles. Some are technical. Most are cultural. All of them can stall progress or produce a misleading picture if not addressed directly.

Over-Focusing on Technology

Organisations often treat ISO/IEC 27001:2022 as an IT project. They assume purchasing a SIEM, deploying firewalls, or enabling MFA constitutes an ISMS. Auditors disagree. The management system clauses — leadership commitment (Clause 5), risk management (Clause 6), and performance evaluation (Clause 9) — carry equal weight to technical controls. Technical remediation without management system evidence will not pass audit.

Fix: Allocate gap analysis effort equally between Clauses 4–10 and Annex A. Never treat the clauses as administrative background.

Conducting It As a One-Time Exercise

A gap analysis conducted once, filed, and forgotten is not a gap analysis — it is a point-in-time snapshot with a limited shelf life. Cloud migrations, mergers, new regulations, and changes in the threat landscape can invalidate findings within months. The ISMS must evolve, and so must the gap assessment that feeds it.

Fix: Schedule annual reassessments and trigger additional reviews whenever a significant change occurs — new systems in scope, material outsourcing arrangements, or regulatory changes affecting information security obligations.

Lack of Cross-Functional Input

Gap analyses run exclusively by the IT or security team miss the business context that auditors probe. HR's handling of joiners/movers/leavers (Annex A.6), procurement's supplier management practices (Annex A.5.19), and legal's regulatory obligations all fall within scope. A gap analysis conducted in a silo produces a silo result.

Fix: Involve HR, legal, procurement, and operations from the outset. Document their inputs and evidence — it demonstrates cross-functional ISMS ownership that auditors look for.

Confusing "Documented" with "Implemented"

A policy document is not evidence of an implemented control. Auditors distinguish between the existence of a written procedure and observable evidence that the procedure is followed. A change management policy filed on SharePoint but never referenced in actual change requests is not an implemented control.

Fix: For each control marked as implemented, collect operational evidence — audit logs, ticket records, meeting minutes, training completion records. If evidence cannot be produced, mark the control as partial regardless of what documentation exists.

Underestimating the Effort Required

A full ISO/IEC 27001:2022 gap analysis covering all Clauses and 93 Annex A controls typically takes a dedicated team two to four weeks to complete properly — longer for complex or multi-site organisations. Compressing this into a few days produces a superficial assessment that misses the nuances auditors probe.

Fix: Budget adequate time at the start of the ISMS project. A thorough gap analysis is the most high-leverage investment in the certification timeline — it prevents expensive corrections later.

ISO/IEC 27001 Implementation Services — reconn

Need a gap analysis conducted by practitioners — not consultants?

Our team has led ISO/IEC 27001 implementation across banking, SaaS, healthcare, and government in the Middle East and Africa. We deliver evidence-driven gap analyses, remediation roadmaps, and end-to-end ISMS implementation — fully remote.

Frequently Asked Questions

How long does an ISO/IEC 27001:2022 gap analysis take?

For a single-site organisation with a defined scope, a thorough gap analysis covering all Clauses 4–10 and 93 Annex A controls typically takes two to four weeks with a dedicated team. Multi-site or complex organisations may require six to eight weeks. Compressing this timeline produces superficial findings that create problems later — at audit, not before it.

Can we conduct the gap analysis internally, or do we need external help?

Both approaches work — the choice depends on internal expertise. Organisations with ISO/IEC 27001 Lead Implementer or Lead Auditor-certified staff can conduct a credible internal gap analysis. Organisations without that expertise often benefit from external practitioners who know what auditors actually look for. A hybrid approach — internal team running the tracker with external review of findings — is common and effective.

Is a gap analysis required by ISO/IEC 27001:2022?

The standard does not use the term "gap analysis" explicitly. However, Clause 4.1 (understanding the organisation), Clause 4.2 (understanding interested parties), and the planning requirements in Clause 6 collectively require organisations to assess their current state against standard requirements before designing an ISMS. In practice, this is a gap analysis. ISO/IEC 27003 — the implementation guidance document — treats it as an explicit prerequisite to ISMS design.

How does gap analysis relate to the Statement of Applicability?

They are sequential. The gap analysis identifies which Annex A controls are implemented, partial, or absent. The risk assessment then determines which controls are necessary to treat identified risks. The Statement of Applicability (required by Clause 6.1.3) documents which controls are included and which are excluded — with justification for every exclusion. The gap analysis findings feed directly into SoA design: you cannot complete the SoA without first knowing your current control status.

What is the difference between a minor and a major non-conformity in gap analysis terms?

A minor non-conformity is an isolated failure to meet a requirement — a single missing record, an outdated policy, or a procedure that exists but lacks evidence of consistent application. A major non-conformity is a systematic failure — an entire control area absent, a clause requirement completely unaddressed, or a pattern of failures across multiple related controls. A gap analysis should flag which findings carry major non-conformity risk so they are remediated before external audit.

How often should we repeat a gap analysis after initial certification?

Annual reassessment is the standard practice — aligned with surveillance audit cycles. Additional reassessments should be triggered by material changes: new systems entering scope, significant outsourcing arrangements, cloud migrations, mergers and acquisitions, or regulatory changes affecting information security obligations. The ISMS is a living system; the gap analysis that informs it should be equally current.

Conclusion

A gap analysis is not a bureaucratic prerequisite to ISO/IEC 27001:2022 certification. It is the single most valuable investment you make in the entire ISMS project. Get it right and you go into implementation with a clear picture of what needs to change, in what order, and why — with management aligned and resources allocated correctly. Skip it or rush it, and you discover the same gaps later, at audit, with far less room to manoeuvre.

The eight-step methodology in this guide — scope definition, requirement analysis, evidence collection, maturity assessment, gap identification, prioritisation, remediation planning, and pre-audit validation — reflects what actually works across two decades of ISMS implementations. Use it as a field guide, not a checklist. Adapt it to your organisation's context. And treat the Excel tracker as a living document, not a file that gets archived after the first assessment.

If you are building internal capability to conduct gap analyses as part of a broader ISMS programme, the ISO/IEC 27001 Lead Implementer and Lead Auditor certifications provide the methodology, scoring frameworks, and audit perspective that make this work rigorous and defensible. If you need it done now, the reconn implementation team is ready to start.

About the Author

Shenoy Sandeep

Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE — assisting startups and enterprises scale across the Middle East and African region. With 20+ years across offensive security, threat intelligence, and enterprise risk, and over 10 years in Enterprise AI, AI governance, and Business Continuity, he brings a practical, execution-driven approach to AI governance and information security.

He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, specialising in ISO/IEC 27001, ISO/IEC 42001, ISO 22301, and ISO 9001.
