ISO/IEC 27001:2022 is the internationally recognized standard for Information Security Management Systems (ISMS). Whether you are pursuing certification for the first time or maintaining an existing ISMS, a structured gap analysis is the essential first step. This guide explains how to perform an ISO 27001 gap analysis, what the 2022 update changed, and how to build the fastest path from current state to certification readiness.
ISO/IEC 27001:2022 – What Changed From the 2013 Version
The 2022 revision of ISO 27001 introduced significant changes to both the main clauses and Annex A. The most notable change was a restructuring of Annex A from 114 controls in 14 domains to 93 controls organized across four themes: Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34).
Eleven new controls were introduced in 2022, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Organizations certified under the 2013 standard were required to transition to ISO/IEC 27001:2022 by October 2025, meaning all certified organizations should now be operating under the 2022 version.
What Is an ISO 27001 Gap Analysis?
A gap analysis compares your organization's current information security practices against the requirements of ISO/IEC 27001:2022. It identifies where you meet the standard (compliant), where you partially meet it (partial), and where you do not meet it at all (absent/gap). The output drives your remediation roadmap, resource planning, and certification timeline estimate.
A gap analysis covers two layers: the mandatory ISMS clauses (Clauses 4–10 of the standard) and the Annex A controls referenced in your Statement of Applicability (SoA). It is important to note that not all 93 Annex A controls need to be implemented, but every control must be considered, and if excluded, the exclusion must be justified in the SoA based on the risk assessment.
Step-by-Step: How to Perform an ISO 27001 Gap Analysis
Step 1 – Understand the Scope
Define the ISMS scope: which parts of the organization, which systems, and which processes are included? Scope decisions have a direct impact on which assets, risks, and controls are in play. Overly narrow scopes can undermine the value of certification; overly broad scopes can make the project unmanageable.
Step 2 – Assess ISMS Clause Compliance (Clauses 4–10)
Work through each mandatory clause systematically. Clause 4 (Organizational Context) requires understanding internal and external issues and interested party requirements. Clause 5 (Leadership) requires demonstrated management commitment and an information security policy. Clause 6 (Planning) requires formal risk assessment and treatment processes. Clauses 7–10 cover Support, Operation, Performance Evaluation, and Improvement respectively.
Step 3 – Conduct a Risk Assessment
ISO 27001 requires a formal information security risk assessment that identifies risks to the confidentiality, integrity, and availability of information assets. The risk assessment must use a consistent methodology, assign risk owners, and evaluate likelihood and impact to produce risk scores. Risk treatment decisions (mitigate, accept, avoid, transfer) must be documented with supporting rationale.
Step 4 – Map Controls Against Annex A
For each of the 93 Annex A controls, assess: Is this control applicable? If yes, is it implemented? If not implemented, what is the gap? This mapping forms the basis of your Statement of Applicability.
Step 5 – Draft the Statement of Applicability (SoA)
The SoA is a required document that lists all 93 Annex A controls, states whether each is applicable or excluded, justifies each inclusion or exclusion, and indicates the implementation status. The SoA is a critical document for certification auditors and must be kept current.
Step 6 – Build a Remediation Roadmap
Prioritize gaps by risk level and business impact. Create a remediation roadmap with specific actions, owners, timelines, and resource requirements. Track progress against this roadmap on a regular basis: monthly for organizations in active certification preparation, quarterly for those in maintenance mode.
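As an added example that is not part of the original guide, the Python script below models Steps 3 to 6 over a constructed SoA extract: it classifies each control as compliant, partial, gap or excluded, flags exclusions that lack the justification the SoA requires, reports how far each Annex A theme is from the full 93-control listing, and orders the open gaps by their highest linked risk score (likelihood x impact). The Control class, the six sample controls and their risk scores are assumptions built for illustration, not a real SoA.

```python
from dataclasses import dataclass, field

# Annex A theme sizes from ISO/IEC 27001:2022 (37 + 8 + 14 + 34 = 93).
THEME_SIZES = {"Organizational": 37, "People": 8, "Physical": 14, "Technological": 34}

@dataclass
class Control:
    ident: str                # Annex A control number, e.g. "5.9"
    theme: str                # one of the THEME_SIZES keys
    applicable: bool          # False means excluded in the SoA
    status: str = "absent"    # "implemented" | "partial" | "absent"
    justification: str = ""   # required text when a control is excluded
    risk_scores: list = field(default_factory=list)  # likelihood x impact per linked risk

def classify(c: Control) -> str:
    """Gap-analysis verdict for one control: excluded, compliant, partial or gap."""
    if not c.applicable:
        return "excluded"
    return {"implemented": "compliant", "partial": "partial", "absent": "gap"}[c.status]

def soa_issues(controls) -> list:
    """Exclusions an auditor would reject: no justification recorded in the SoA."""
    return [f"{c.ident}: excluded without justification"
            for c in controls if not c.applicable and not c.justification.strip()]

def theme_shortfall(controls) -> dict:
    """Controls per theme still missing from the SoA (all 93 must be listed)."""
    counted = {t: 0 for t in THEME_SIZES}
    for c in controls:
        counted[c.theme] += 1
    return {t: n - counted[t] for t, n in THEME_SIZES.items() if n > counted[t]}

def prioritized_gaps(controls) -> list:
    """Applicable controls not fully implemented, highest linked risk first;
    an absent control outranks a partial one at equal risk."""
    gaps = [c for c in controls if classify(c) in ("partial", "gap")]
    return sorted(gaps, key=lambda c: (-max(c.risk_scores, default=0), c.status != "absent", c.ident))

# Constructed SoA extract: six of the 93 controls with illustrative risk scores.
SAMPLE = [
    Control("5.7", "Organizational", True, "absent", risk_scores=[15]),    # threat intelligence (new in 2022)
    Control("5.9", "Organizational", True, "partial", risk_scores=[12]),   # information asset inventory
    Control("6.7", "People", False),                                       # excluded, no justification given
    Control("7.4", "Physical", True, "implemented", risk_scores=[9]),      # physical security monitoring
    Control("8.12", "Technological", True, "absent", risk_scores=[20]),    # data leakage prevention
    Control("8.23", "Technological", True, "absent"),                      # web filtering, no risk linked yet
]
```

Feeding the full 93-control SoA in place of SAMPLE makes theme_shortfall return an empty dict, which is the completeness check an auditor performs at Stage 1.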
Most Common ISO 27001 Gaps
- Incomplete asset inventory: ISO 27001 requires a complete inventory of information assets (hardware, software, data, people, processes). Many organizations have partial inventories that miss cloud assets, shadow IT, and third-party-held data.
- No formal risk register: Risk assessments are often conducted as ad-hoc exercises without a maintained risk register that tracks risk owners, treatment decisions, and residual risk over time.
- Statement of Applicability not maintained: The SoA is frequently a point-in-time document that is not updated as the organization's systems or risk profile changes.
- ISMS internal audits not conducted: Clause 9.2 requires periodic internal audits of the ISMS. Organizations often skip internal audits between certification cycles, creating compliance gaps that surface during recertification.
- Management review not formalized: Clause 9.3 requires formal management review of ISMS performance. Many organizations conduct informal discussions that do not meet the documented review requirement.
- New Annex A controls not implemented: The 11 new controls in the 2022 revision, particularly threat intelligence, cloud security, and data leakage prevention, are frequently absent in organizations that transitioned from the 2013 version.
- Supplier security not formally managed: Third-party and supplier risk management requires documented supplier assessments, security clauses in contracts, and ongoing monitoring, gaps that affect most organizations.
ISO 27001 Gap Analysis Checklist: 10 Key Items
ISO 27001:2022 Gap Analysis Checklist
- ISMS scope documented and formally defined (Clause 4)
- Information security policy issued and communicated by top management (Clause 5)
- Formal risk assessment conducted with documented methodology, risk register, and risk owners (Clause 6)
- Risk treatment plan documented with controls selected from Annex A and other sources (Clause 6)
- Statement of Applicability (SoA) completed for all 93 Annex A controls with inclusion/exclusion justifications
- Information asset inventory maintained and current (Annex A 5.9)
- ISMS internal audit conducted within the last 12 months (Clause 9.2)
- Management review of ISMS conducted and documented (Clause 9.3)
- Incident management procedure documented and tested through a tabletop exercise (Annex A 5.24–5.28)
- All 11 new ISO/IEC 27001:2022 Annex A controls assessed and implementation status documented
ISO 27001 and OT/ICS Environments
For organizations operating OT or ICS environments (manufacturing, energy, utilities, transport), ISO 27001 certification presents unique challenges. The standard was designed primarily for IT environments, and many Annex A controls require adaptation or supplementation to apply effectively to operational technology. Patch management timelines, remote access controls, and availability requirements all differ significantly between IT and OT contexts.
Organizations with mixed IT/OT environments typically need to address ISMS scope carefully, potentially scoping OT systems separately with tailored risk treatment plans. Tabletop exercises that test the ISMS incident response procedures against realistic OT cyberattack scenarios are particularly valuable for validating that the ISMS works in practice across the full operational environment.
From Gap Analysis to Certification
The path from a completed gap analysis to ISO 27001 certification typically takes 6–18 months depending on the size of the organization and the depth of existing controls. Organizations that have already invested in frameworks like NIST CSF, SOC 2, or CMMC often find significant overlap with ISO 27001 requirements, reducing the remediation effort substantially.
Certification involves a two-stage audit by an accredited certification body: a Stage 1 (documentation review) and a Stage 2 (on-site assessment of ISMS implementation). Surveillance audits occur annually in Years 1 and 2, with a full recertification audit in Year 3. The gap analysis output (the SoA, risk register, and remediation roadmap) forms the core of the documentation reviewed at Stage 1.