What Is an ISO 27001 Gap Assessment?
An ISO 27001 gap assessment is a structured evaluation of your current information security controls against the requirements of ISO/IEC 27001:2022. It tells you — before you engage a certification body and spend money on a formal audit — exactly where you stand and what you need to fix.
The output is a prioritised list of gaps, a readiness score, and a remediation roadmap. Done properly, it means you don't walk into Stage 1 of a certification audit with surprises.
Most SaaS companies approaching ISO 27001 for the first time underestimate the gap. The standard requires not just that controls exist, but that they are documented, communicated, tested, and evidenced. A gap assessment forces you to confront that reality before it costs you a failed audit.
ISO 27001:2022 vs ISO 27001:2013: What Changed
If you're looking at older resources, note that ISO 27001 was revised in 2022. The main changes:
- Annex A reduced from 114 controls across 14 domains to 93 controls across 4 themes (Organisational, People, Physical, Technological)
- 11 new controls added (including threat intelligence, cloud security, ICT readiness, data masking, web filtering)
- The core clauses (4–10) are largely unchanged in substance
- Existing ISO 27001:2013 certificates required transition by 31 October 2025
This guide focuses on ISO/IEC 27001:2022. If you were previously certified under 2013, your gap assessment should specifically evaluate the new controls and updated requirements.
The 14 Annex A Domains (ISO 27001:2022 Structure)
ISO 27001:2022 organises controls into 4 themes, but the original 14-domain structure from the 2013 standard is still widely used in gap assessments and is how most consultants and certification bodies frame the work. The domains are:
| Clause | Domain | Key Focus |
|---|---|---|
| A.5 | Information Security Policies | Policy framework, management commitment |
| A.6 | Organisation of Information Security | Roles, responsibilities, mobile/remote work |
| A.7 | Human Resource Security | Screening, training, offboarding |
| A.8 | Asset Management | Asset inventory, classification, disposal |
| A.9 | Access Control | Least privilege, MFA, user management |
| A.10 | Cryptography | Encryption policy, key management |
| A.11 | Physical & Environmental Security | Physical access, clear desk, media disposal |
| A.12 | Operations Security | Change management, patching, backups, logging |
| A.13 | Communications Security | Network controls, data transfer agreements |
| A.14 | System Acquisition, Development & Maintenance | Secure SDLC, code review, security testing |
| A.15 | Supplier Relationships | Vendor security, supply chain risk |
| A.16 | Information Security Incident Management | IRP, breach response, post-incident review |
| A.17 | Business Continuity Management | BCP, DRP, RTO/RPO testing |
| A.18 | Compliance | Legal/regulatory requirements, internal audit |
How to Score Your Gap Assessment
The standard approach is a four-level rating for each control:
- In Place: Control is documented, implemented, tested, and evidenced. Ready for audit.
- Partial: Control exists but is incomplete — perhaps documented but not tested, or implemented but not across the full scope.
- Not In Place: Control does not exist. Must be remediated before certification.
- N/A: Control is not applicable to your scope (must be justified in Statement of Applicability).
A simple readiness score: (In Place + 0.5 × Partial) / (Total − N/A) × 100%
Interpretation:
- ≥80%: Strong — Stage 1 audit within 1–3 months is realistic
- 50–79%: Developing — 3–6 months of remediation typically needed
- Below 50%: Early stage — 6–12 months minimum for a realistic certification path
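As an added illustration (not code from the ComplyKit tool or this guide), the following Python script applies the readiness formula and bands above to a constructed sample assessment: it drops N/A controls from the denominator, flags the critical controls this guide singles out when they are not yet In Place, and flags any N/A exclusion that lacks the justification the SoA requires. The critical-control set, the sample statuses and the justification text are assumptions made for the example.

```python
from dataclasses import dataclass

# Weights from the four-level rating: In Place counts 1, Partial 0.5,
# Not In Place 0. N/A is excluded from the denominator entirely.
WEIGHT = {"In Place": 1.0, "Partial": 0.5, "Not In Place": 0.0}

# Controls this guide treats as critical (assumed lookup for the example).
CRITICAL = {"A.5.1", "A.9.2", "A.9.3", "A.12.3", "A.12.4",
            "A.16.1", "A.17.1", "A.18.2"}

@dataclass
class Control:
    ref: str
    status: str              # "In Place", "Partial", "Not In Place" or "N/A"
    justification: str = ""  # required for "N/A" (Statement of Applicability)

def readiness_score(controls):
    """(In Place + 0.5 x Partial) / (Total - N/A) x 100, as a percentage."""
    assessed = [c for c in controls if c.status != "N/A"]
    if not assessed:
        raise ValueError("no applicable controls to score")
    earned = sum(WEIGHT[c.status] for c in assessed)
    return round(100.0 * earned / len(assessed), 1)

def readiness_band(score):
    """Map a score to the guide's interpretation bands."""
    if score >= 80:
        return "Strong"
    if score >= 50:
        return "Developing"
    return "Early stage"

def gap_report(controls):
    """Score, band, critical gaps, and N/A exclusions with no justification."""
    score = readiness_score(controls)
    critical_gaps = [c.ref for c in controls
                     if c.ref in CRITICAL and c.status in ("Partial", "Not In Place")]
    unjustified = [c.ref for c in controls
                   if c.status == "N/A" and not c.justification.strip()]
    return {"score": score, "band": readiness_band(score),
            "critical_gaps": critical_gaps, "unjustified_exclusions": unjustified}

# Constructed sample assessment (not real data): 10 controls, 2 excluded.
SAMPLE = [
    Control("A.5.1", "In Place"),   Control("A.8.1", "In Place"),
    Control("A.9.2", "Partial"),    Control("A.9.3", "In Place"),
    Control("A.11.1", "N/A", "Cloud-native; provider attestation covers physical controls"),
    Control("A.12.3", "Not In Place"), Control("A.12.4", "In Place"),
    Control("A.16.1", "Partial"),   Control("A.17.1", "N/A"),  # no justification: flagged
    Control("A.18.2", "Not In Place"),
]

if __name__ == "__main__":
    print(gap_report(SAMPLE))  # score 62.5, band "Developing"
```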
Critical Controls to Get Right First
Not all controls are equal. Certification bodies will fail a Stage 2 audit for fundamental gaps in these areas:
A.5.1 — Information Security Policy
A documented, management-approved information security policy is the foundation of the ISMS. Without it, nothing else hangs together. It must be reviewed at least annually and communicated to all staff.
A.9.2 / A.9.3 — Access Control & MFA
User access management (registration, de-registration, quarterly access reviews) and MFA for all privileged accounts, cloud consoles, and remote access. Auditors consistently find access control gaps. This is the most common critical finding.
A.12.3 — Backup and Recovery
Automated backups tested for restore — at minimum quarterly. Many companies have backups but have never tested recovery. Untested backups are a gap.
A.12.4 — Audit Logging
Centralised, tamper-protected logging for privileged actions and authentication events. Logs must be retained for defined periods and reviewed. A SIEM or tamper-proof log aggregator is expected.
A.16.1 — Incident Response Plan
A documented IRP that has been tested at least annually. Evidence of the test (tabletop exercise minutes, simulation report) must be retained. Many SaaS companies have an IRP document but have never run a test — that rates as Partial, not In Place.
A.17.1 — BCP/DRP
Business continuity and disaster recovery plan with defined RTO/RPO, tested annually. Again, the test evidence matters as much as the document.
A.18.2 — Internal Audit & Management Review
ISO 27001 requires a formal internal audit of the ISMS and a management review at least annually. These are mandatory clauses, not suggestions. You need documented evidence of both before Stage 2.
The Statement of Applicability (SoA)
One document that's unique to ISO 27001 and catches many companies off guard: the Statement of Applicability. The SoA must:
- List all ISO 27001:2022 Annex A controls
- State whether each is applicable or excluded
- Provide justification for any exclusions
- Reference the implementation status
Your gap assessment feeds directly into the SoA. Exclusions must be justified in the context of your risk assessment — you can't simply exclude A.11 (physical security) because you're cloud-native without documenting why cloud provider physical controls are sufficient for your risk profile.
ISO 27001 vs SOC 2: Control Overlap
If you already have SOC 2 Type II, you're further ahead than you think. The overlap between SOC 2 CC controls and ISO 27001 Annex A is significant:
- CC6 (logical access) → A.9 (access control)
- CC7 (system monitoring) → A.12.4 (audit logging) + A.16 (incident response)
- CC9 (risk mitigation) → A.15 (supplier relationships)
- A1 (availability) → A.17 (business continuity)
The main gaps for SOC 2-certified companies adding ISO 27001 are typically: formal ISMS documentation (risk register, SoA), internal audit programme, management review, physical security documentation, and HR security procedures (A.7). See our full comparison: ISO 27001 vs SOC 2 for SaaS.
Phased Remediation Roadmap
Based on typical SaaS gap patterns, here's a realistic phased approach:
Phase 1 (0–3 Months): Foundation
- Write and approve information security policy (A.5.1)
- Complete asset inventory with owners (A.8.1)
- Implement MFA on all production systems, cloud consoles, and remote access (A.9.3)
- Enforce quarterly access reviews (A.9.2)
- Create data classification policy (A.8.2)
- Document and test backup/recovery procedures (A.12.3)
- Implement centralised logging (A.12.4)
- Write or update IRP (A.16.1) — use ComplyKit IRP Generator
Phase 2 (3–6 Months): Operational Controls
- Establish formal change management process (A.12.1)
- Run annual pen test (A.12.2)
- Conduct security awareness training for all staff (A.7.2)
- Document secure SDLC procedures (A.14.1 / A.14.2)
- Build vendor security assessment process (A.15.1) — use Vendor Risk Assessment Generator
- Write BCP/DRP with tested RTO/RPO (A.17.1) — use BCP/DRP Generator
- Develop cryptography policy (A.10.1)
- Write data retention policy (A.8.3) — use Data Retention Policy Generator
Phase 3 (6–12 Months): Audit Readiness
- Complete Statement of Applicability (SoA)
- Run formal internal audit of ISMS
- Conduct management review with documented minutes
- Run tabletop exercise for IRP (document evidence)
- Test BCP/DRP (document evidence)
- Shortlist and contact certification bodies (BSI, Bureau Veritas, LRQA, NQA, TÜV)
- Submit for Stage 1 audit (documentation review)
What Happens at the Certification Audit
Stage 1 (Documentation Review): The certification body reviews your ISMS documentation — policy, SoA, risk assessment, procedures. Takes 1–2 days. You receive a finding report. Critical findings must be closed before Stage 2.
Stage 2 (Effectiveness Audit): Auditors verify that controls are operational. They interview staff, inspect evidence (logs, access review records, training certificates, backup test reports, management review minutes, pen test report). Takes 2–5 days depending on scope.
Certification: If no major non-conformities, you receive ISO 27001 certification. Valid for 3 years with annual surveillance audits.
Policy Documents You'll Need
ISO 27001 requires documented policies for most Annex A control areas. ComplyKit can generate AI-drafted starting points for several of them:
- Information Security Policy (A.5.1)
- Incident Response Plan (A.16.1)
- Business Continuity & Disaster Recovery Plan (A.17.1)
- Data Retention Policy (A.8.3)
- Vendor Risk Assessment Template (A.15.1)
- Data Processing Agreement (GDPR DPA) — for A.13.2 / A.18.1
- NDA Template — for supplier confidentiality requirements (A.15.1)
Use Our Free ISO 27001 Gap Assessment Tool
If you want a structured self-assessment that generates a scored gap report with remediation roadmap, try the ComplyKit ISO 27001 Gap Assessment Generator. It walks you through all 28 key controls across the 14 Annex A domains, scores your readiness, identifies critical gaps, and outputs a prioritised remediation plan — free, no account required.
⚠️ This guide is for informational purposes. ISO 27001 certification requires engagement with a UKAS/ANAB/DAkkS-accredited certification body. The gap assessment tools and templates on ComplyKit are AI-generated starting points, not formal audit outputs.