High Table ISO 27001 Toolkit Logo

ISO 27001 Clauses

ISO 27001 Clause 4.1 – Understanding The Organisation And Its Context

ISO 27001 Clause 4.2 – Understanding The Needs And Expectations of Interested Parties

ISO 27001 Clause 4.3 – Determining The Scope Of The Information Security Management System

ISO 27001 Clause 4.4 – Information Security Management System

ISO 27001 Clause 5.1 – Leadership and Commitment

ISO 27001 Clause 5.3 – Organisational Roles, Responsibilities and Authorities

ISO 27001 Clause 6.1.1 – Planning General

ISO 27001 Clause 6.1.2 – Information Security Risk Assessment

ISO 27001 Clause 6.1.3 – Information Security Risk Treatment

ISO 27001 Clause 6.2 – Information Security Objectives and Planning to Achieve Them

ISO 27001 Clause 6.3 – Planning Of Changes

ISO 27001 Clause 7.1 – Resources

ISO 27001 Clause 7.2 – Competence

ISO 27001 Clause 7.3 – Awareness

ISO 27001 Clause 7.4 – Communication

ISO 27001 Clause 7.5.1 – Documented Information

ISO 27001 Clause 7.5.2 – Creating and Updating Documented Information

ISO 27001 Clause 7.5.3 – Control of Documented Information

ISO 27001 Clause 8.1 – Operational Planning and Control

ISO 27001 Clause 8.2 – Information Security Risk Assessment

ISO 27001 Clause 8.3 – Information Security Risk Treatment

ISO 27001 Clause 9.1 – Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.2 – Internal Audit

ISO 27001 Clause 9.3 – Management Review

ISO 27001 Clause 10.1 – Continual Improvement

ISO 27001 Clause 10.2 – Nonconformity and Corrective Action

ISO 27001 Organisation Controls

ISO 27001 Annex A 5.1: Policies for information security

ISO 27001 Annex A 5.2: Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3: Segregation of duties

ISO 27001 Annex A 5.4: Management responsibilities

ISO 27001 Annex A 5.5: Contact with authorities

ISO 27001 Annex A 5.6: Contact with special interest groups

ISO 27001 Annex A 5.7: Threat intelligence

ISO 27001 Annex A 5.8: Information security in project management

ISO 27001 Annex A 5.9: Inventory of information and other associated assets

ISO 27001 Annex A 5.10: Acceptable use of information and other associated assets

ISO 27001 Annex A 5.11: Return of assets

ISO 27001 Annex A 5.12: Classification of information

ISO 27001 Annex A 5.13: Labelling of information

ISO 27001 Annex A 5.14: Information transfer

ISO 27001 Annex A 5.15: Access control

ISO 27001 Annex A 5.16: Identity management

ISO 27001 Annex A 5.17: Authentication information

ISO 27001 Annex A 5.18: Access rights

ISO 27001 Annex A 5.19: Information security in supplier relationships

ISO 27001 Annex A 5.20: Addressing information security within supplier agreements

ISO 27001 Annex A 5.21: Managing information security in the ICT supply chain

ISO 27001 Annex A 5.22: Monitoring, review and change management of supplier services

ISO 27001 Annex A 5.23: Information security for use of cloud services

ISO 27001 Annex A 5.24: Information security incident management planning and preparation

ISO 27001 Annex A 5.25: Assessment and decision on information security events

ISO 27001 Annex A 5.26: Response to information security incidents

ISO 27001 Annex A 5.27: Learning from information security incidents

ISO 27001 Annex A 5.28: Collection of evidence

ISO 27001 Annex A 5.29: Information security during disruption

ISO 27001 Annex A 5.30: ICT readiness for business continuity

ISO 27001 Annex A 5.31: Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32: Intellectual property rights

ISO 27001 Annex A 5.33: Protection of records

ISO 27001 Annex A 5.34: Privacy and protection of PII

ISO 27001 Annex A 5.35: Independent review of information security

ISO 27001 Annex A 5.36: Compliance with policies and standards for information security

ISO 27001 Annex A 5.37: Documented operating procedures

ISO 27001 People Controls

ISO 27001 Annex A 6.1: Screening

ISO 27001 Annex A 6.2: Terms and conditions of employment

ISO 27001 Annex A 6.3: Information security awareness, education and training

ISO 27001 Annex A 6.4: Disciplinary process

ISO 27001 Annex A 6.5: Responsibilities after termination or change of employment

ISO 27001 Annex A 6.6: Confidentiality or non-disclosure agreements

ISO 27001 Annex A 6.7: Remote working

ISO 27001 Annex A 6.8: Information security event reporting

Home / ISO 27001 Tutorials / The complete guide to ISO 27001 Gap Analysis

The complete guide to ISO 27001 Gap Analysis

Last updated Jul 5, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Gap Analysis

Table of contents

ISO 27001 Gap Analysis

An ISO 27001 Gap Analysis assesses your compliance to ISO 27001, the international standard for information security.

ISO 27001 is a management system that is comprised of 114 management controls.

In addition it includes Annex A controls which are often referred to as ISO 27002. Annex A is made up of 114 business controls.

You can see the difference between ISO 27001 and ISO 27002.

The number of controls changed in 2022.

What is an ISO 27001 Gap Analysis?

To know where you are going it makes sense to know where you are. A gap analysis is a review of how close you are to meeting the standard, the gaps and what you must do to close those gaps.

ISO 27001 Gap Analysis Template

Toolkit Icons ISO 27001 Gap Analysis and Audit Toolkit Black

The ISO 27001 Gap Analysis Template and ISO 27001 Checklist will fast track your ISO 27001 Gap Analysis.

Download ISO 27001 Gap Analysis Template

How to perform an ISO 27001 Gap Analysis

For each of the ISO 27001 controls, read the clause and analyse if that is requirements is already implemented in your organisation. The implementation will be on a sliding scale from does not exist to fully implemented. You can either do it yourself with an ISO 27001 Gap Analysis template or tool, or you can get specialist consulting help.

Time needed: 1 day

How to perform an ISO 27001 Gap Analysis

  1. Get a copy of the ISO 27001 standard

    Purchase a copy of the ISO 27001 standard from a reputable source

  2. Download a copy of the ISO 27001 gap analysis tool

    Download a copy of the ISO 27001 gap analysis tool.

  3. Asses your business against the controls

    For each control assess if, and to what extent, your business has implemented the controls

  4. Draw up a plan to close the gaps

    Where your business has not implemented, or only partially implemented, the required controls you should draw up an implementation plan to close the gaps.

  5. Consider specialist help

    Getting a specialist to help you perform the gap analysis brings experience and guidance on what to do next. Consider getting consulting help: https://hightable.io/consulting/

ISO 27001 Gap Analysis FAQ

How long does an ISO 27001 gap analysis take?

On average an ISO 27001 gap analysis with a consulting firm will take 5 to 10 days. It actually only takes 2 days for someone that knows what they are doing and how to do it. If you are doing it yourself it can take up to a month.

How much does an ISO 27001 gap analysis cost?

On average an ISO 27001 gap analysis with a consulting firm will cost around £8,000. With High Table it costs £2,500.

Where can I download an ISO 27001 gap analysis template?

You can download an ISO 27001 gap analysis template.

What is an ISO 27001 Gap Analysis Checklist?

It is a list of the required controls that you complete to assess how and if you have implemented the required controls. It includes what you need to do to close the gaps.

What are the benefits of an ISO 27001 Gap Analysis?

The benefits of an ISO 27001 Gap Analysis are that it allows you to see how close you are currently to meeting the standard and how much work you must do to close any gaps. It will then allow you to plan the controls implementation and plan and schedule your certification audit. There is no point in booking the ISO 27001 certification audit if you have not implemented the required controls to the required level.

Does an IS27001 Gap Analysis cover GDPR?

No, not directly. It does cover principle 6 maintain adequate security but GDPR and Data Protection are much wider than information security.

Tags:
ISO 27001 Toolkit Business Edition
ISO 27001 Toolkit: Business Edition
ISO 27001 Toolkit: Consultant Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.