How to Conduct an ISO 27001 Gap Analysis: A Complete Guide
Written by Dogan Akbulut
Published on
How to Conduct an ISO 27001 Gap Analysis: A Complete Step-by-Step Guide for 2026
The decision to pursue ISO 27001 certification is straightforward for most SaaS companies. Enterprise customers are asking for it. Procurement teams are requiring it. Cyber insurers are pricing against it. The business case is clear.
What is less clear is the starting point. Most organizations that commit to ISO 27001 certification have some information security practices in place — access controls, security policies, incident response procedures, and risk assessments of varying formality. What they do not have is a precise understanding of how those existing practices measure against what ISO 27001:2022 actually requires, which requirements they already satisfy, which they partially address, and which they have not touched at all.
That understanding is what a gap analysis provides. A structured ISO 27001 gap analysis is the essential first step between the decision to certify and the implementation work that follows. It tells you where you are, where you need to be, and what it will take to close the distance. Without it, ISO 27001 implementation is either underpowered — organizations discover gaps during the Stage 2 audit rather than addressing them in advance — or overbuilt, with teams rebuilding capabilities that already exist and only need to be documented and formalized.
This guide walks through exactly how to conduct an ISO 27001 gap analysis against the 2022 version of the standard — what to assess, how to score your findings, how to prioritize remediation, and how to turn the results into an implementation roadmap that gets you to certification without unnecessary rework.
What an ISO 27001 Gap Analysis Actually Measures
An ISO 27001 gap analysis measures the distance between your organization's current information security practices and the requirements of ISO 27001:2022. It is structured around the two components of the standard: the management system requirements in Clauses 4 through 10, and the technical and operational controls in Annex A.
The Clauses assess your management system. ISO 27001 is not only a set of security controls. It is a management system standard, which means it requires a defined governance structure, a documented risk management methodology, formal leadership commitment, and ongoing operational processes — internal audits, management reviews, nonconformity management, and continual improvement — that keep the Information Security Management System functional between certification audits. Many organizations have security controls but no management system. The Clauses gap assessment surfaces exactly that distinction.
Annex A assesses your control implementation. ISO 27001:2022 Annex A contains 93 controls organized into four themes: organizational controls (37), people controls (8), physical controls (14), and technological controls (34). The 2022 revision restructured the previous 114 controls into this new organization and added 11 new controls that address cloud security, threat intelligence, configuration management, and data masking — areas that were underrepresented in the 2013 version of the standard.
A complete gap analysis covers both components. Organizations that assess only the Annex A controls and skip the Clauses typically discover during their Stage 1 audit that their management system documentation is insufficient, even when their technical controls are strong. Organizations that assess only the Clauses and skip Annex A find the opposite — strong governance but significant control gaps. Both produce audit findings and delays.
Before You Start: What You Need to Gather
A gap analysis is only as accurate as the information it draws on. Before beginning the assessment, gather the documentation and evidence that reflect your current security practices.
Security policies and procedures. Collect every information security policy document your organization has produced — acceptable use policies, access control policies, incident response procedures, data classification policies, business continuity plans, and any other documents that describe how security-related activities are conducted. Do not limit the collection to documents whose titles contain "security policy". Any documented operational procedure that governs how information assets are handled is relevant.
Evidence of current controls. Policies describe what should happen. Evidence demonstrates what does happen. Collect screenshots, configuration exports, audit logs, and records that show how your current security controls are configured and operating. Access control configurations, encryption settings, logging configurations, vulnerability scan results, and penetration test reports are all relevant.
Asset inventory. ISO 27001 requires that information assets be inventoried and classified. Whatever version of an asset inventory your organization maintains — even if it is informal — collect it as a baseline for the gap assessment.
Existing risk assessment documentation. If your organization has conducted any form of risk assessment, formal or informal, collect the documentation. Even a basic risk register, or a list of identified threats and vulnerabilities, provides a starting point for assessing the gap relative to ISO 27001's risk assessment requirements.
Supplier and vendor contracts. ISO 27001 Annex A includes controls governing information security in supplier relationships. Collect a representative sample of contracts with key suppliers to assess whether information security requirements are addressed.
The quality of your gap analysis is directly proportional to the honesty and completeness of the evidence you gather. A gap analysis that examines only policy documents, without verifying whether those policies are implemented in practice, will produce an overly optimistic picture that will not withstand a Stage 2 audit.
The Gap Analysis Scoring Framework
A gap analysis yields meaningful results when each requirement is assessed against a consistent scoring framework rather than a binary met/not-met judgment. A four-point scale is the most practical for ISO 27001 gap analysis work.
Score 0 — Not Addressed. The requirement has not been considered, no relevant policy or control exists, and there is no evidence of activity in this area. This is a full gap that requires building a capability from scratch.
Score 1 — Partially Addressed. Some relevant activity exists — a policy document, an informal practice, or a technical control that partially addresses the requirement — but significant gaps remain. The existing activity provides a foundation, but cannot be presented as compliance with the requirement without substantial additional work.
Score 2 — Largely Addressed. The requirement is substantially met by existing practices. Documentation exists, the control is implemented, and evidence is available. Minor gaps remain — documentation may be incomplete, the control may not be applied consistently, or evidence collection may not be systematic — but the required remediation is incremental rather than foundational.
Score 3 — Fully Addressed. The requirement is fully met. Documentation is complete, the control is implemented consistently, evidence is systematically collected, and the practice would withstand audit scrutiny without modification.
The output of a scored gap analysis is a complete picture of your organization's readiness — not just which requirements are unmet, but also the relative effort required to address each gap, enabling realistic prioritization of remediation and timeline estimation.
Assessing the Management System Clauses
The Clauses assessment systematically works through ISO 27001 Clauses 4 through 10. Each clause contains sub-requirements that must be individually assessed.
Clause 4 — Context of the Organisation requires that the organization has identified the internal and external factors that affect its ability to achieve the intended outcomes of the ISMS, identified the interested parties and their requirements relevant to information security, and defined the scope of the ISMS. The most common gap here is scope. Many organizations have not formally defined what is in scope for the ISMS — which systems, which locations, which business processes — and have not documented that scope in a way that is defensible to an auditor.
Clause 5 — Leadership requires documented evidence of senior leadership commitment to the ISMS. This means a documented information security policy signed by leadership, defined information security roles and responsibilities, and evidence that leadership actively participates in ISMS governance — through management reviews, by providing resources for security activities, and by promoting a culture of information security across the organization. The gap here is frequently not the absence of a security policy but the absence of evidence that leadership treats the ISMS as a live governance commitment rather than a document.
Clause 6 — Planning requires a formal risk assessment methodology, documented risk assessments conducted in accordance with that methodology, a risk treatment plan, and a Statement of Applicability that documents which Annex A controls apply to the organization, which have been implemented, and the justification for any exclusions. The Statement of Applicability is one of the most scrutinized documents in a Stage 1 audit and among the most common sources of significant gaps. Many organizations have implemented security controls without ever documenting the reasoning behind which controls apply and which do not.
Clause 7 — Support requires documented competence requirements for ISMS roles, evidence of awareness across the organization, and controlled document management for ISMS documentation. Document control is a common gap — organizations have security policies but lack version control, a review schedule, and a process for communicating updates to relevant personnel.
Clause 8 — Operation requires that risk assessment and treatment activities are implemented according to the plans established in Clause 6, and that ISMS operational processes are conducted and controlled as documented. The gap here is typically between what the policy documents say and what operational evidence demonstrates. A risk assessment policy exists, but no risk assessment has been conducted in the past year. A vulnerability management procedure exists, but there is no evidence of systematic vulnerability scanning.
Clause 9 — Performance Evaluation requires internal audits conducted on a planned schedule, a management review conducted at planned intervals, and monitoring and measurement of ISMS performance against defined objectives. Internal audits and management reviews are among the most commonly absent capabilities in organizations at the beginning of their ISO 27001 journey. They require formal scheduling, documented procedures, trained internal auditors, and management time — investments that most organizations have not made before committing to certification.
Clause 10 — Improvement requires a documented process for managing nonconformities — identifying them, understanding their root causes, implementing corrective actions, and verifying their effectiveness. This process must be operational, not theoretical. An organization that has never recorded a nonconformity against its ISMS processes is not demonstrating compliance with Clause 10. It is demonstrating that no one has been looking.
Assessing the Annex A Controls
The Annex A assessment is the larger and more technically detailed component of the gap analysis. Working through all 93 controls systematically is the only reliable method — sampling approaches miss gaps that auditors will find.
Organizational Controls (A.5.1 through A.5.37) cover policies for information security, information security roles, contact with authorities and special interest groups, threat intelligence, information security in project management, asset management, access control, supplier relationships, incident management, business continuity, and legal compliance. The 11 new controls introduced in the 2022 revision are clustered here — including A.5.7 (Threat Intelligence), A.5.23 (Information Security for Use of Cloud Services), and A.5.30 (ICT Readiness for Business Continuity). These 11 new controls are the most common source of gaps in organizations that previously assessed themselves against the 2013 version of the standard.
People Controls (A.6.1 through A.6.8) cover screening, terms and conditions of employment, information security awareness and training, disciplinary processes, responsibilities after termination or change of employment, confidentiality agreements, remote working, and information security event reporting. The most common gap in this section is awareness and training — not the absence of any training activity but the absence of systematic, role-specific, regularly updated training with documented completion records.
Physical Controls (A.7.1 through A.7.14) cover physical security perimeters, physical entry controls, securing offices and facilities, physical security monitoring, protection against physical threats, working in secure areas, clear desk and clear screen policies, equipment siting and protection, security of assets off-premises, storage media, supporting utilities, cabling security, equipment maintenance, and secure disposal. For cloud-native SaaS companies that do not operate their own data centers, many physical controls apply to office premises and employee devices rather than server infrastructure. The gap assessment must be calibrated to the organization's actual physical environment rather than applied in a generic manner.
Technological Controls (A.8.1 through A.8.34) cover user endpoint devices, privileged access rights, information access restriction, source code access restriction, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, deletion of information, data masking, prevention of data leakage, backup, redundancy, logging, monitoring, clock synchronisation, use of privileged utility programs, installation of software, networks, web filtering, use of cryptography, secure development lifecycle, security testing in development and acceptance, outsourced development, separation of development, test and production environments, change management, test information, and audit system protection. A.8.8 (Management of Technical Vulnerabilities) and A.8.9 (Configuration Management) are the two controls most frequently found to be partially addressed at best in SaaS companies — the practices exist but are not systematic, not documented, and not consistent.
Prioritizing Your Remediation Roadmap
A completed gap analysis produces a scored assessment of every requirement in ISO 27001:2022. The next step is converting that assessment into a prioritized remediation roadmap. Three factors should drive prioritization.
Audit risk. Some gaps carry higher audit risk than others. Gaps in the management system Clauses — particularly the Statement of Applicability, internal audit program, and management review — are structural requirements that Stage 1 auditors examine directly and that cannot be addressed with technical controls. These must be remediated before the audit, regardless of their operational complexity. Gaps in Annex A controls addressing the confidentiality, integrity, and availability of customer data pose a high audit risk because these controls are most likely to be tested with evidence requests during Stage 2.
Implementation effort. Some gaps require building capabilities from scratch. Others require formalizing and documenting practices that already exist informally. Gaps that require only documentation and formalization should be addressed early — they produce audit-ready evidence quickly at relatively low effort. Gaps that require building new technical controls or operational processes require longer lead times and should be planned for accordingly.
Business risk. Some gaps represent genuine exposure to security incidents regardless of their audit implications. Gaps in access control, vulnerability management, and incident response should be prioritized for business risk reasons, independent of their impact on certification. The best ISO 27001 implementation programs address business risk and certification requirements simultaneously, rather than treating them as separate workstreams.
The output of the prioritization exercise is a remediation roadmap with three categories: immediate actions to take before the Stage 1 audit, actions to complete before the Stage 2 audit, and ongoing operational activities that must be demonstrated as functioning during the Stage 2 audit.
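The scoring framework above and the three prioritization factors in this section are easiest to keep consistent when the gap register is held in a structured form rather than a spreadsheet of opinions. The following Python script is an added example, not code from the original article or from any tool it mentions. It encodes the four-point scale (0 to 3), enforces the rule that scores of 2 and 3 require recorded evidence (the article's point that unverified policies give an optimistic picture), computes a priority from audit risk, effort and business risk, and sorts open gaps into the three roadmap buckets named above. The register entries, the 1 to 3 factor ratings, the priority weights and the bucketing rules are constructed assumptions for illustration, not anything ISO 27001 prescribes; the sub-clause numbers (4.3, 6.1.3, 7.5, 9.2) are the standard's own, the evidence strings are invented.

```python
"""Gap register scoring and remediation prioritization (added example).

Assumptions: factor ratings on a 1-3 scale, the priority weights, and the
bucketing rules are this example's choices, not ISO 27001 requirements.
"""
from collections import Counter
from dataclasses import dataclass, replace

# The article's four-point scale.
SCALE = {0: "Not Addressed", 1: "Partially Addressed",
         2: "Largely Addressed", 3: "Fully Addressed"}

# The three roadmap buckets the article names.
BEFORE_STAGE_1 = "immediate: before Stage 1"
BEFORE_STAGE_2 = "complete before Stage 2"
ONGOING = "ongoing: demonstrate operating during Stage 2"


@dataclass(frozen=True)
class Requirement:
    ref: str            # clause or Annex A control reference
    title: str
    component: str      # "Clauses" or "Annex A"
    score: int          # 0-3 on the article's scale
    audit_risk: int     # assumed 1-3; 3 = examined directly at Stage 1
    effort: int         # assumed 1-3; 1 = documentation only, 3 = build from scratch
    business_risk: int  # assumed 1-3; exposure to real incidents
    evidence: str = ""  # reference to collected evidence, empty if none
    operational: bool = False  # process that must be seen running at Stage 2
    note: str = ""


def apply_evidence_rule(req: Requirement) -> Requirement:
    """Validate ranges; cap a score of 2 or 3 at 1 when no evidence is recorded."""
    for name in ("score", "audit_risk", "effort", "business_risk"):
        low, high = (0, 3) if name == "score" else (1, 3)
        if not low <= getattr(req, name) <= high:
            raise ValueError(f"{req.ref}: {name} must be in {low}..{high}")
    if req.score >= 2 and not req.evidence.strip():
        return replace(req, score=1, note="downgraded: no evidence recorded")
    return req


def score_register(register):
    return [apply_evidence_rule(r) for r in register]


def readiness_summary(scored):
    """Per component: count of each score and percentage of the maximum score."""
    summary = {}
    for component in sorted({r.component for r in scored}):
        reqs = [r for r in scored if r.component == component]
        counts = Counter(r.score for r in reqs)
        summary[component] = {
            "counts": {SCALE[s]: counts.get(s, 0) for s in SCALE},
            "readiness_pct": round(100 * sum(r.score for r in reqs) / (3 * len(reqs))),
        }
    return summary


def priority(req: Requirement) -> int:
    """Higher is more urgent: gap size scales the two risk terms, and low
    effort adds a quick-win bonus because documentation-only gaps are cheap."""
    gap = 3 - req.score
    return gap * (2 * req.audit_risk + 2 * req.business_risk) + (4 - req.effort)


def bucket(req: Requirement) -> str:
    if req.operational:
        return ONGOING
    if req.component == "Clauses" or req.audit_risk == 3:
        return BEFORE_STAGE_1
    return BEFORE_STAGE_2


def build_roadmap(scored):
    """Return {bucket: [refs in descending priority]} for open gaps (score < 3)."""
    roadmap = {BEFORE_STAGE_1: [], BEFORE_STAGE_2: [], ONGOING: []}
    for req in sorted(scored, key=priority, reverse=True):
        if req.score < 3:
            roadmap[bucket(req)].append(req.ref)
    return roadmap


# Constructed sample register for a SaaS company; ratings and evidence are illustrative.
SAMPLE_REGISTER = [
    Requirement("Clause 4.3", "ISMS scope", "Clauses", 0, 3, 1, 1),
    Requirement("Clause 6.1.3", "Statement of Applicability", "Clauses", 0, 3, 2, 2),
    Requirement("Clause 7.5", "Document control", "Clauses", 1, 2, 1, 1, "policy repo, no versions"),
    Requirement("Clause 9.2", "Internal audit", "Clauses", 0, 3, 3, 1, operational=True),
    Requirement("A.5.7", "Threat intelligence", "Annex A", 1, 1, 2, 2, "ad hoc vendor advisories"),
    Requirement("A.5.19", "Supplier relationships", "Annex A", 1, 2, 3, 3, "informal vendor reviews"),
    Requirement("A.8.8", "Technical vulnerabilities", "Annex A", 2, 2, 2, 3),  # claimed 2, no evidence
    Requirement("A.8.9", "Configuration management", "Annex A", 3, 2, 2, 2, "IaC repo and drift report"),
    Requirement("A.8.15", "Logging", "Annex A", 2, 2, 1, 2, "central log export"),
    Requirement("A.8.16", "Monitoring activities", "Annex A", 1, 2, 2, 3, "uncalibrated alert rules", operational=True),
]

if __name__ == "__main__":
    scored = score_register(SAMPLE_REGISTER)
    for component, data in readiness_summary(scored).items():
        print(component, data)
    for name, refs in build_roadmap(scored).items():
        print(name, "->", refs)
```

Run as-is, the evidence rule pushes A.8.8 down to Partially Addressed, the Clauses component comes out at 8% readiness against 50% for Annex A, and the Statement of Applicability and ISMS scope lead the Stage 1 bucket, which is the shape of the findings the article describes for first-time SaaS assessments. Swap in your own register and adjust the weights in `priority` to match how your auditor and your leadership actually rank the three factors.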
Common Gap Analysis Findings in SaaS Companies
Certain gaps appear consistently across SaaS companies conducting their first ISO 27001 gap analysis, regardless of their size, technical sophistication, or security maturity.
No formal scope definition. The ISMS has never been formally scoped. It is unclear which systems, services, locations, and business processes are in scope and which are not. This is a Clause 4 gap that must be resolved before any other aspect of the ISMS can be properly assessed.
Security policies exist but are not controlled documents. Policies have been written but lack version numbers, review dates, approval records, and a process for communicating updates. The content may be good but the document control gap means they cannot be relied upon as ISMS documentation.
No Statement of Applicability. The SoA is required by Clause 6 and is one of the first documents a Stage 1 auditor will request. Many organizations at the beginning of their ISO 27001 journey have not yet produced one.
Risk assessment methodology is undefined. Some form of risk assessment has been conducted but the methodology — how risks are identified, how likelihood and impact are scored, what the risk acceptance criteria are — has never been formally documented. Undocumented methodology means each risk assessment is conducted differently, which means risk treatment decisions cannot be defended as consistent or proportionate.
No internal audit program. Internal audits have never been conducted against the ISMS. This is a Clause 9 gap that requires scheduling, resourcing, and conducting at least one complete internal audit before Stage 2.
Logging exists but is not monitored. Cloud infrastructure and application logs are collected, but no one reviews them systematically. Alerts exist, but their thresholds have never been calibrated, and their outputs are not consistently acted upon. This gap in Annex A.8.15 and A.8.16 is extremely common and represents both an audit risk and a genuine security exposure.
Supplier security is informal. Vendor security reviews happen, but are not systematic, documented, or linked to a formal supplier risk assessment process. Contracts with key suppliers do not include information security requirements. This gap in A.5.19 and A.5.20 is consistently among the most significant findings for SaaS companies with complex vendor stacks.
From Gap Analysis to Certification
A well-conducted gap analysis is not the end of a process. It is the beginning of one. The output — a scored assessment of every ISO 27001:2022 requirement, a prioritized remediation roadmap, and a realistic timeline to certification — is the foundation on which an effective ISO 27001 implementation is built.
Organizations that skip the gap analysis or conduct it superficially consistently take longer to certify, generate more audit findings, and incur more remediation costs than those that invest in a rigorous upfront assessment. The gap analysis converts the open-ended question of "how far are we from ISO 27001 certification" into a specific, manageable answer: these are the gaps, this is the priority order, and this is what it will take.
The gap analysis also serves as the baseline against which progress is measured. As remediation activities are completed, re-scoring individual requirements against the original assessment allows the organization to track progress, update the Stage 1 audit preparation, and demonstrate to leadership that the implementation is advancing on schedule.
For organizations that want to compress the time between the decision to certify and the certification itself, the gap analysis is where that compression happens. Precise knowledge of where the gaps are and what they require eliminates the wasted effort of building capabilities that already exist and focuses implementation resources on the requirements that will determine audit outcomes.
dsalta helps organizations conduct structured ISO 27001 gap analyses, build remediation roadmaps, and automate evidence collection to turn gap findings into audit-ready documentation.