Know where you stand

ISO 27001 gap analysis: where you actually stand

Every certification journey should start by measuring the distance. The eight questions below give you the five minute version; the full gap analysis scores every clause and control in about a week and returns a costed plan.

The five minute version

Eight questions that predict your gap

Answer them without generosity. Six or more confident yeses and you are closer than most; three or fewer and certification is a programme, not a project.

1. Could you show a current, board-approved information security policy today?

Clause 5.2. If it exists but nobody could find it, count that as a no.

2. Do you have a written risk assessment with named owners for each risk?

Clause 6.1. A spreadsheet updated this year counts; a workshop memory does not.

3. Could you produce a Statement of Applicability covering all 93 Annex A controls?

Clause 6.1.3d. If the term is unfamiliar, this is your biggest single gap.

4. Is MFA enforced everywhere, and are admin rights reviewed on a schedule?

Annex A 5.15 to 5.18 and 8.2. The controls auditors sample first.

5. Do joiners, movers and leavers follow a recorded process?

Annex A 6.1, 6.5 and 5.18. Ask when access was last removed and how you know.

6. Have you assessed the security of your key suppliers and cloud services?

Annex A 5.19 to 5.23. Contracts alone are not an assessment.

7. Has anyone independent audited your security arrangements in the last year?

Clause 9.2. Your certification body cannot do this for you.

8. Could you evidence your last security incident and what changed because of it?

Annex A 5.24 to 5.27. No recorded incidents usually means no recording, not no incidents.

The full version

What the week-long gap analysis delivers

A scored assessment across clauses 4 to 10 and all 93 Annex A controls, built from document review, interviews and technical spot checks. The report is written for two audiences at once: a board summary of where you stand and what it will cost, and a practitioner-level fix list your team can start on the same day.

If you continue into the full readiness engagement, the gap analysis fee is credited; if you take the report and run it yourself, that is a perfectly good outcome too.

You receive

  • Clause-by-clause and control-by-control scoring with evidence notes
  • A sequenced remediation plan ordered by effort and audit weight
  • A realistic timeline to Stage 1 and Stage 2 for your organisation
  • A fixed fee for the rest of the journey, should you want us for it

Quick answers

Gap analysis questions, answered

What is an ISO 27001 gap analysis?

A structured assessment of your organisation against everything certification will test: clauses 4 to 10 and all 93 Annex A controls. The output is a scored picture of where you stand and a sequenced, costed plan to close the distance. It is the first block of any sensible readiness programme.

How long does a gap analysis take?

About a week for a typical SME: document review, interviews with the people who run IT and operations, and technical spot checks, then the report. It is deliberately quick; its job is to make the rest of the programme accurate.

How much does a gap analysis cost?

Published UK figures run roughly £1,000 to £3,500 for SME engagements, with some firms charging far more as a disguised sales exercise. Ours is priced within the market band, credited against the full readiness fee if you continue, and the report is yours either way.

All the costs, itemised

Is the free self-assessment on this page enough?

It will tell you plainly which of the two common situations you are in: mostly-there or genuinely early. What it cannot do is score 93 controls, weigh your risks or produce the plan. Treat it as the five minute version of the week-long exercise.

3D rocket illustration for booking a free ISO 27001 scoping call

Five minutes done, one week to go

Book the full gap analysis

A free 45 minute scoping call sets it up; a week later you know exactly where you stand and what certification will cost you.