Table of contents
ISO 27001 Gap Analysis
An ISO 27001 Gap Analysis assesses your compliance to ISO 27001, the international standard for information security.
ISO 27001 is a management system that is comprised of 114 management controls.
In addition it includes Annex A controls which are often referred to as ISO 27002. Annex A is made up of 114 business controls.
You can see the difference between ISO 27001 and ISO 27002.
The number of controls changed in 2022.
What is an ISO 27001 Gap Analysis?
To know where you are going it makes sense to know where you are. A gap analysis is a review of how close you are to meeting the standard, the gaps and what you must do to close those gaps.
ISO 27001 Gap Analysis Template
The ISO 27001 Gap Analysis Template and ISO 27001 Checklist will fast track your ISO 27001 Gap Analysis.
How to perform an ISO 27001 Gap Analysis
For each of the ISO 27001 controls, read the clause and analyse if that is requirements is already implemented in your organisation. The implementation will be on a sliding scale from does not exist to fully implemented. You can either do it yourself with an ISO 27001 Gap Analysis template or tool, or you can get specialist consulting help.
Time needed: 1 day
How to perform an ISO 27001 Gap Analysis
- Get a copy of the ISO 27001 standard
Purchase a copy of the ISO 27001 standard from a reputable source
- Download a copy of the ISO 27001 gap analysis tool
Download a copy of the ISO 27001 gap analysis tool.
- Asses your business against the controls
For each control assess if, and to what extent, your business has implemented the controls
- Draw up a plan to close the gaps
Where your business has not implemented, or only partially implemented, the required controls you should draw up an implementation plan to close the gaps.
- Consider specialist help
Getting a specialist to help you perform the gap analysis brings experience and guidance on what to do next. Consider getting consulting help: https://hightable.io/consulting/
ISO 27001 Gap Analysis FAQ
On average an ISO 27001 gap analysis with a consulting firm will take 5 to 10 days. It actually only takes 2 days for someone that knows what they are doing and how to do it. If you are doing it yourself it can take up to a month.
On average an ISO 27001 gap analysis with a consulting firm will cost around £8,000. With High Table it costs £2,500.
You can download an ISO 27001 gap analysis template.
It is a list of the required controls that you complete to assess how and if you have implemented the required controls. It includes what you need to do to close the gaps.
The benefits of an ISO 27001 Gap Analysis are that it allows you to see how close you are currently to meeting the standard and how much work you must do to close any gaps. It will then allow you to plan the controls implementation and plan and schedule your certification audit. There is no point in booking the ISO 27001 certification audit if you have not implemented the required controls to the required level.
No, not directly. It does cover principle 6 maintain adequate security but GDPR and Data Protection are much wider than information security.