
The ISO 27001 Gap Assessment: What It Is, What It Covers, and Why You Need One First

By Deepak Varma·10 May 2026·6 min read

Introduction

The most common mistake companies make when pursuing ISO 27001 is jumping straight into implementation without first understanding where they actually stand.

A gap assessment solves this problem. It is the diagnostic before the treatment — a structured, evidence-based review that maps your current security controls against every requirement in ISO 27001:2022 and tells you, with specificity, what needs to change before you can certify.

What Is an ISO 27001 Gap Assessment?

A gap assessment is a formal review of your organisation's current information security posture against the ISO 27001:2022 standard. It covers:

  • All 10 clauses of the ISO 27001 standard, of which clauses 4–10 are the mandatory requirements: context, leadership, planning, support, operation, performance evaluation, and improvement
  • All 93 Annex A controls across the four control themes: Organisational, People, Physical, and Technological

The output is not a checklist. It is a professional analysis of where your controls are compliant, where they are partially compliant, and where significant gaps exist — along with a prioritised remediation roadmap that tells you what to fix, in what order, and with what level of effort.

What a Gap Assessment Covers

Clause Review (Sections 4–10)

ISO 27001 requires organisations to demonstrate:

  • Context and scope: Who are your stakeholders? What is the defined scope of your ISMS?
  • Leadership commitment: Is there a documented information security policy? Are roles and responsibilities assigned?
  • Risk assessment methodology: Is there a documented, repeatable process for identifying and treating information security risks?
  • Objectives and planning: Are security objectives documented and measurable?
  • Documented information: Are mandatory documents in place — risk register, Statement of Applicability, internal audit records?
  • Performance monitoring: Is there a process for measuring and reviewing ISMS effectiveness?

Many organisations — even those with strong technical security — have significant gaps in documentation, governance, and process formalisation. These are the gaps most likely to cause a certification audit to fail.

Annex A Control Review

The 93 Annex A controls are where implementation gets specific. They cover:

  • Organisational controls (37 controls): Information security policies, roles and responsibilities, threat intelligence, supplier relationships, incident management, business continuity
  • People controls (8 controls): Screening, terms and conditions, training and awareness, disciplinary processes
  • Physical controls (14 controls): Physical security perimeters, entry controls, physical media disposal
  • Technological controls (34 controls): Access control, cryptography, network security, secure development, malware protection, logging and monitoring, vulnerability management

Not every control applies to every organisation. The gap assessment identifies which controls are applicable to your environment and assesses your current compliance against each one.

What You Get as Output

A professional gap assessment delivers:

  1. Clause-by-clause compliance rating — for each of the mandatory clauses, a rating (compliant / partially compliant / non-compliant) with specific findings and evidence reviewed
  2. Control-by-control gap analysis — for each applicable Annex A control, an assessment of current state and what is required
  3. Risk register starter — an initial risk register seeded with findings from the assessment
  4. Prioritised remediation roadmap — a sequenced action plan with effort estimates, so you know what to tackle first and what it will take
  5. Executive summary — a board-ready summary suitable for leadership or investor reporting
  6. Debrief call — a structured session with the lead auditor to walk through findings and answer questions

Why You Need One Before Anything Else

Without a gap assessment, you are flying blind. You do not know:

  • How close (or far) you actually are from certification
  • Which gaps are critical blockers versus minor documentation updates
  • What the realistic implementation timeline and cost will be
  • Whether there are control gaps that would require significant technical remediation

Starting implementation without a gap assessment almost always leads to one of two outcomes: wasted effort (building documentation for controls that are already sufficient) or missed gaps (discovering critical deficiencies late in the process, at the worst possible time).

What Happens If You Skip It

Skipping the gap assessment and going straight to implementation is a false economy. If you engage a certification body without knowing your current state, you risk:

  • Stage 1 audit failure — the certification body identifies documentation gaps that halt the process
  • Stage 2 audit non-conformities — major non-conformities discovered during the implementation audit, requiring remediation before a certificate can be issued
  • Cost overruns — unexpected remediation work mid-implementation blowing out the project budget

A gap assessment typically costs $2,000–$5,000. A failed certification audit costs multiples of that in time, remediation, re-audit fees, and delayed commercial opportunities.

Ready to Know Where You Stand?

VicByte's gap assessment is a rigorous, evidence-based review of your environment against every ISO 27001:2022 requirement. You receive a written report, a prioritised remediation roadmap, and a 60-minute debrief call with Deepak.

Book a free discovery call to discuss your situation and get started.
