ISO 27001 Gap Assessment Guide

Understanding Where You Are and What You Need

A practical guide to assessing your organisation against ISO 27001:2022

Published: January 2026

Author: Dead Simple Computing Ltd

Version: 1.0

Contents

  • Executive Summary
  • What Is ISO 27001?
  • Why Get Certified?
  • The 2022 Update
  • ISO 27001 Structure
  • Conducting a Gap Assessment
  • Clause-by-Clause Assessment
  • Annex A Controls Assessment
  • Common Gaps
  • Interpreting Your Results
  • Planning Your Implementation
  • Gap Assessment Checklist
  • How DSC Can Help

1. Executive Summary

ISO 27001 is the international standard for information security management. Achieving certification demonstrates that your organisation has a comprehensive, systematic approach to managing information security risks.

What a gap assessment tells you:

  • Where you are today
  • What you need to achieve certification
  • How much effort is required
  • Where to prioritise resources

The standard requires:

This guide helps you:

  • Understand ISO 27001 requirements
  • Assess your current state
  • Identify gaps
  • Plan your certification journey

2. What Is ISO 27001?

Overview

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Key characteristics:

  • Risk-based: Security measures based on risk assessment
  • Management system: Systematic approach, not just technical controls
  • Continuous improvement: Plan-Do-Check-Act cycle
  • Certifiable: Third-party audit and certification available

What ISO 27001 Is NOT

It's not a checklist of controls:

ISO 27001 doesn't mandate specific technical controls. It requires you to implement controls appropriate to your risks. The Statement of Applicability must still address every Annex A control, so each one you leave out needs a documented justification that an auditor can follow.

It's not one-time compliance:

It's an ongoing management system requiring continuous operation and improvement.

It's not just an IT project:

It's a business management system requiring organisation-wide engagement.

The ISMS Concept

An Information Security Management System includes:

  • Policies and objectives
  • Risk assessment and treatment
  • Organisational structure and responsibilities
  • Processes and procedures
  • Technology and controls
  • Monitoring and measurement
  • Continuous improvement

The ISMS ensures security is managed systematically across the organisation.

3. Why Get Certified?

Business Benefits

Customer requirements:

  • Major customers require ISO 27001
  • Defence primes, aerospace OEMs, financial services
  • Public sector and government contracts
  • Simplifies security questionnaires

Competitive advantage:

  • Differentiates from uncertified competitors
  • Demonstrates commitment to security
  • Builds customer confidence
  • Enables access to certain markets

Risk reduction:

  • Systematic approach to security
  • Better understanding of risks
  • Appropriate controls implemented
  • Reduced likelihood of incidents

Operational improvement:

  • Documented processes
  • Clear responsibilities
  • Consistent approach
  • Better incident handling

Certification Recognition

International recognition:

  • Recognised worldwide
  • Common language for security
  • Accepted across sectors

Regulatory alignment:

  • Supports the security-of-processing obligations in UK GDPR (Article 32)
  • Aligns with NIS/NIS2 security requirements
  • Maps to the NCSC Cyber Assessment Framework (CAF)
  • Satisfies many regulatory and customer expectations

Certification is not itself a regulatory approval: it evidences a managed approach that regulators and auditors recognise, but each regulation's specific obligations still have to be met.

4. The 2022 Update

ISO 27001:2022

The standard was updated in 2022, replacing the 2013 version. Key changes:

Main body (clauses 4-10):

  • Minor updates to align with other management system standards
  • Clarifications rather than major changes
  • Some new requirements (e.g., planning changes)

Annex A (controls):

  • Restructured from 14 domains to 4 themes
  • Reduced from 114 controls to 93 controls
  • 11 new controls added
  • Many controls merged or reorganised

The Four Themes

Annex A controls are now organised into:

Theme                | Controls
Organisational (A.5) | 37
People (A.6)         | 8
Physical (A.7)       | 14
Technological (A.8)  | 34
Total                | 93

New Controls in 2022

The 11 new controls address:

  • Threat intelligence
  • Cloud services security
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Transition Timeline

The transition period for ISO 27001:2013 certificates ended on 31 October 2025. Certificates issued against the 2013 version are no longer valid, and all new and continuing certifications are against ISO 27001:2022. A gap assessment should therefore be performed against the 2022 version, including the restructured Annex A.

5. ISO 27001 Structure

Main Body (Clauses 4-10)

The main body defines ISMS requirements:

Clause 4: Context of the organisation

  • Understanding the organisation and context
  • Understanding stakeholder needs
  • Determining ISMS scope
  • The ISMS itself

Clause 5: Leadership

  • Leadership and commitment
  • Information security policy
  • Roles, responsibilities, authorities

Clause 6: Planning

  • Actions to address risks and opportunities
  • Information security objectives
  • Planning to achieve objectives
  • Planning of changes

Clause 7: Support

  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented information

Clause 8: Operation

  • Operational planning and control
  • Information security risk assessment
  • Information security risk treatment

Clause 9: Performance evaluation

  • Monitoring, measurement, analysis, evaluation
  • Internal audit
  • Management review

Clause 10: Improvement

  • Continual improvement
  • Nonconformity and corrective action

Annex A Controls

Annex A provides a reference set of 93 controls; the controls you need may also come from other sources. Clause 6.1.3 requires you to:

  • Determine the controls necessary to treat the risks you have identified
  • Compare those controls against Annex A to confirm no necessary control has been omitted
  • Implement the selected controls appropriately
  • Produce a Statement of Applicability listing every Annex A control, whether it applies, and the justification for including or excluding it

Not all controls will apply. Selection is driven by your risk assessment, but exclusions must be justified, not simply left blank.

6. Conducting a Gap Assessment

Purpose of Gap Assessment

A gap assessment:

  • Determines your current state against ISO 27001
  • Identifies what's missing or inadequate
  • Informs implementation planning
  • Estimates effort and resources required
  • Prioritises activities

Assessment Approach

Two-part assessment:

  • Main body (clauses 4-10): Assess ISMS requirements
  • Annex A controls: Assess control implementation

For each requirement/control:

  • Does it exist? (Policy, process, control)
  • Is it documented?
  • Is it implemented?
  • Is it effective?
  • Is there evidence?

Rating Scale

Use a consistent rating scale:

Rating         | Description
Fully Met      | Requirement/control fully implemented, documented and evidenced
Partially Met  | Some implementation, but gaps exist
Not Met        | Not implemented, or no evidence
Not Applicable | Not relevant (with documented justification)

Evidence Gathering

Documentation review:

  • Policies and procedures
  • Records and logs
  • Meeting minutes
  • Reports and metrics

Interviews:

  • Management
  • IT/Security personnel
  • General staff (awareness)
  • Process owners

Observation:

  • Technical configurations
  • Physical security
  • Process execution

7. Clause-by-Clause Assessment

Clause 4: Context of the Organisation

4.1 Understanding the organisation and its context

Assess:

  • External issues identified (regulatory, market, technology)
  • Internal issues identified (culture, resources, processes)
  • Issues documented and reviewed

4.2 Understanding the needs and expectations of interested parties

Assess:

  • Interested parties identified (customers, regulators, staff, etc.)
  • Their requirements determined
  • Requirements documented

4.3 Determining the scope of the ISMS

Assess:

  • ISMS scope defined
  • Scope boundaries clear (locations, systems, processes)
  • Exclusions justified
  • Scope documented and available

4.4 Information security management system

Assess:

  • ISMS established
  • ISMS documented
  • ISMS implemented
  • ISMS maintained and improved

Clause 5: Leadership

5.1 Leadership and commitment

Assess:

  • Top management demonstrates commitment
  • Security policy aligned with business direction
  • Resources provided
  • Importance of security communicated
  • Security objectives achieved
  • People directed and supported

5.2 Policy

Assess:

  • Information security policy exists
  • Policy appropriate to organisation
  • Policy includes commitment to requirements
  • Policy includes commitment to improvement
  • Policy documented and available
  • Policy communicated within organisation
  • Policy available to interested parties (as appropriate)

5.3 Organisational roles, responsibilities and authorities

Assess:

  • Security responsibilities assigned
  • Responsibilities communicated
  • ISMS conformance responsibility assigned
  • Performance reporting responsibility assigned

Clause 6: Planning

6.1.1 Actions to address risks and opportunities (general)

Assess:

  • Risks and opportunities considered
  • Actions to address risks/opportunities planned
  • Integration into ISMS planned
  • Effectiveness evaluation planned

6.1.2 Information security risk assessment

Assess:

  • Risk assessment process defined
  • Risk acceptance criteria and criteria for performing assessments established
  • Risk assessment repeatable, consistent and producing comparable results
  • Risk assessment identifies risks to confidentiality, integrity and availability
  • Risk owners assigned
  • Risks analysed (consequences and likelihood) and evaluated against the criteria
  • Risks prioritised for treatment
  • Risk assessment documented

6.1.3 Information security risk treatment

Assess:

  • Risk treatment options selected
  • Controls determined for treatment
  • Controls compared to Annex A
  • Statement of Applicability produced
  • Risk treatment plan formulated
  • Risk owners approve treatment plan
  • Residual risk accepted

6.2 Information security objectives

Assess:

  • Security objectives established
  • Objectives measurable (where practicable)
  • Objectives consistent with policy
  • Objectives communicated
  • Objectives updated as needed
  • Objectives documented

6.3 Planning of changes

Assess:

  • Changes to ISMS planned
  • Change purpose and consequences considered
  • ISMS integrity maintained through change

Clause 7: Support

7.1 Resources

Assess:

  • Resources determined
  • Resources provided

7.2 Competence

Assess:

  • Competence requirements determined
  • Persons competent (education, training, experience)
  • Actions taken to acquire competence
  • Evidence of competence retained

7.3 Awareness

Assess:

  • Staff aware of security policy
  • Staff aware of their contribution to ISMS
  • Staff aware of non-conformance implications

7.4 Communication

Assess:

  • Internal communication determined (what, when, who)
  • External communication determined

7.5 Documented information

Assess:

  • Required documented information exists
  • Organisation-determined documentation exists
  • Documents appropriately identified and described
  • Documents in appropriate format
  • Documents reviewed and approved
  • Documents controlled (availability, protection)
  • Document changes controlled
  • External documents controlled
  • Retention and disposition defined

Clause 8: Operation

8.1 Operational planning and control

Assess:

  • Processes planned
  • Processes implemented
  • Processes controlled
  • Criteria for processes established
  • Processes controlled against criteria
  • Documented information retained
  • Planned changes controlled
  • Unintended changes reviewed
  • Outsourced processes controlled

8.2 Information security risk assessment

Assess:

  • Risk assessments performed at planned intervals
  • Risk assessments performed when changes occur
  • Results documented

8.3 Information security risk treatment

Assess:

  • Risk treatment plan implemented
  • Results documented

Clause 9: Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation

Assess:

  • What to monitor/measure determined
  • Methods determined
  • When to perform determined
  • Who performs determined
  • Results analysed and evaluated
  • Who analyses determined
  • Evidence retained

9.2 Internal audit

Assess:

  • Internal audits conducted at planned intervals
  • Audits assess ISMS conformance
  • Audit programme planned
  • Audit criteria and scope defined
  • Auditors objective and impartial
  • Results reported to management
  • Evidence retained

9.3 Management review

Assess:

  • Management reviews conducted at planned intervals
  • Reviews consider required inputs (status, feedback, risks, opportunities, etc.)
  • Reviews produce required outputs (decisions, improvement needs)
  • Evidence retained

Clause 10: Improvement

10.1 Continual improvement

Assess:

  • ISMS continually improved

10.2 Nonconformity and corrective action

Assess:

  • Nonconformities addressed
  • Actions taken to control and correct
  • Consequences dealt with
  • Root cause determined
  • Similar nonconformities checked
  • Corrective actions implemented
  • Effectiveness reviewed
  • Changes to ISMS made if needed
  • Evidence retained

8. Annex A Controls Assessment

Assessment Approach

For each of the 93 Annex A controls:

  • Is the control applicable? (Based on risk assessment)
  • If applicable, is it implemented?
  • Is implementation documented?
  • Is there evidence of operation?
  • What gaps exist?

Control Categories Overview

5. Organisational controls (37 controls)

Key areas:

  • Policies and procedures
  • Roles and responsibilities
  • Contact with authorities
  • Threat intelligence
  • Information classification
  • Asset management
  • Access control policies
  • Supplier relationships
  • Incident management
  • Business continuity
  • Compliance

6. People controls (8 controls)

Key areas:

  • Screening
  • Terms and conditions
  • Awareness and training
  • Disciplinary process
  • Termination responsibilities
  • Confidentiality agreements
  • Remote working
  • Information security event reporting

7. Physical controls (14 controls)

Key areas:

  • Security perimeters
  • Entry controls
  • Securing offices and facilities
  • Physical security monitoring
  • Protection against threats
  • Working in secure areas
  • Clear desk/screen
  • Equipment siting
  • Equipment security
  • Secure disposal
  • Cabling security

8. Technological controls (34 controls)

Key areas:

  • Endpoint devices
  • Privileged access
  • Information access restriction
  • Source code access
  • Secure authentication
  • Capacity management
  • Malware protection
  • Vulnerability management
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Backup
  • Redundancy
  • Logging
  • Monitoring
  • Clock synchronisation
  • Utilities
  • Software installation
  • Network security
  • Web filtering
  • Cryptography
  • Secure development
  • Security testing
  • Outsourced development
  • Separation of environments
  • Change management
  • Test information

Sample Control Assessment

Control 5.1: Policies for information security

Requirement (summarised): An information security policy and topic-specific policies are defined, approved by management, published, communicated to and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals and when significant changes occur.

Assessment questions:

  • Is there an information security policy?
  • Is it approved by management?
  • Is it communicated to all staff, and is their acknowledgement recorded?
  • Is it available to relevant external parties?
  • Are topic-specific policies in place (for example access control, backup, secure development)?
  • Are policies reviewed at planned intervals?
  • Are policies reviewed when significant changes occur?

Rating: Fully Met / Partially Met / Not Met

Evidence: [Document policy, approval record, communication record, review record]

Gaps: [Describe any gaps]

9. Common Gaps

Governance and Management Gaps

Common Gap                     | What's Needed
No information security policy | Documented, approved, communicated policy
No defined scope               | Clear ISMS scope document
No management review           | Regular management review meetings with records
No security objectives         | Defined, measurable objectives
No assigned responsibilities   | Documented roles and responsibilities

Risk Management Gaps

Common Gap                   | What's Needed
No risk assessment           | Formal risk assessment process and results
Ad-hoc risk approach         | Defined, repeatable methodology
No risk treatment plan       | Documented plan addressing identified risks
No Statement of Applicability | SoA documenting all controls and their applicability
Risks not reviewed           | Regular risk review process

Documentation Gaps

Common Gap                | What's Needed
Policies not documented   | Written, approved policies
Procedures not documented | Documented operational procedures
No document control       | Version control, approval, distribution control
No records retained       | Evidence of ISMS operation retained
Documents out of date     | Regular review and update process

Operational Gaps

Common Gap                   | What's Needed
No internal audit            | Planned internal audit programme
No incident management       | Incident response process and records
No awareness training        | Security awareness programme with records
No access management process | Formal access provisioning process
No change management         | Documented change control process

Technical Gaps

Common Gap                  | What's Needed
No vulnerability management | Regular scanning and remediation
Inconsistent patching       | Patch management process
No malware protection       | AV/EDR deployed and managed
No logging/monitoring       | Logging enabled, logs reviewed
No backup testing           | Regular backup and restoration testing

10. Interpreting Your Results

Scoring Your Assessment

Calculate compliance percentage:

For each clause/control, assign score:

  • Fully Met = 2
  • Partially Met = 1
  • Not Met = 0
  • Not Applicable = Exclude

Compliance % = (Actual Score / Maximum Possible Score) × 100

Interpreting Scores

Score Range | Interpretation
80-100%     | Strong foundation, minor gaps
60-79%      | Moderate gaps, significant work needed
40-59%      | Major gaps, substantial implementation required
Below 40%   | Starting from scratch, full implementation project

Prioritising Gaps

Critical (fix first):

  • Main body clause failures (4-10): none of these requirements can be excluded from the ISMS, and a major nonconformity against them will block certification
  • Controls addressing the highest-rated risks
  • Controls required for day-to-day operations

Important (fix soon):

  • Controls addressing significant risks
  • Documentation gaps
  • Process gaps

Moderate (plan to fix):

  • Lower-risk control gaps
  • Enhancement opportunities
  • Efficiency improvements
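The scoring, interpretation bands and priority rules above are simple enough to run over a spreadsheet export rather than by hand. The script below is an added example written for this guide, not a tool from the original page; it implements the guide's scale (Fully Met = 2, Partially Met = 1, Not Met = 0, Not Applicable excluded from both numerator and denominator), its interpretation bands, a per-theme breakdown, and a simplified version of the prioritisation rules. The findings it scores are constructed sample data, and the per-finding risk level (high/medium/low) is an assumed field that a real assessment would take from the risk register.

```python
"""Score and prioritise ISO 27001:2022 gap assessment findings.

Scale, bands and priority rules follow the guide. SAMPLE_FINDINGS is
constructed illustrative data, not a real assessment, and the per-finding
'risk' level is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

SCORES = {"Fully Met": 2, "Partially Met": 1, "Not Met": 0}
NOT_APPLICABLE = "Not Applicable"

# Interpretation bands from the guide; the lower bound is inclusive.
BANDS = [
    (80, "Strong foundation, minor gaps"),
    (60, "Moderate gaps, significant work needed"),
    (40, "Major gaps, substantial implementation required"),
    (0, "Starting from scratch, full implementation project"),
]

# Annex A themes keyed by their leading number (A.5 to A.8).
THEMES = {5: "Organisational", 6: "People", 7: "Physical", 8: "Technological"}


@dataclass(frozen=True)
class Finding:
    part: str          # "Clause" (main body 4-10) or "Annex" (Annex A control)
    ref: str           # e.g. "6.1.2" for a clause, "8.8" for control A.8.8
    title: str
    rating: str        # a SCORES key or NOT_APPLICABLE
    risk: str = "low"  # assumed field: level of the risk the item treats

    @property
    def label(self) -> str:
        return f"Clause {self.ref}" if self.part == "Clause" else f"A.{self.ref}"

    @property
    def group(self) -> str:
        """Main-body clauses form one group; Annex A controls group by theme."""
        if self.part == "Clause":
            return "Clauses 4-10"
        return THEMES[int(self.ref.split(".")[0])]


def compliance(findings):
    """Return (actual, maximum, percent); percent is None if nothing is applicable."""
    applicable = [f for f in findings if f.rating != NOT_APPLICABLE]
    for f in applicable:
        if f.rating not in SCORES:
            raise ValueError(f"{f.label}: unknown rating {f.rating!r}")
    actual = sum(SCORES[f.rating] for f in applicable)
    maximum = 2 * len(applicable)
    percent = round(100 * actual / maximum, 1) if maximum else None
    return actual, maximum, percent


def interpret(percent):
    """Map a compliance percentage to the guide's interpretation band."""
    for floor, text in BANDS:
        if percent >= floor:
            return text
    raise ValueError("percentage must be between 0 and 100")


def breakdown(findings):
    """Compliance percentage per group (clauses, then each Annex A theme)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.group].append(f)
    return {name: compliance(fs)[2] for name, fs in groups.items()}


def prioritise(findings):
    """Bucket open gaps: Critical = any clause 4-10 gap (these cannot be
    excluded) or a high-risk Annex A gap; Important = medium-risk Annex A gap;
    Moderate = the rest. Fully Met and Not Applicable items are not gaps."""
    buckets = {"Critical": [], "Important": [], "Moderate": []}
    for f in findings:
        if f.rating in ("Fully Met", NOT_APPLICABLE):
            continue
        if f.part == "Clause" or f.risk == "high":
            buckets["Critical"].append(f.label)
        elif f.risk == "medium":
            buckets["Important"].append(f.label)
        else:
            buckets["Moderate"].append(f.label)
    return buckets


# Constructed sample findings (illustrative only).
SAMPLE_FINDINGS = [
    Finding("Clause", "4.3", "Scope of the ISMS", "Fully Met"),
    Finding("Clause", "5.2", "Information security policy", "Partially Met"),
    Finding("Clause", "6.1.2", "Risk assessment process", "Not Met"),
    Finding("Clause", "9.2", "Internal audit", "Not Met"),
    Finding("Clause", "9.3", "Management review", "Partially Met"),
    Finding("Annex", "5.1", "Policies for information security", "Partially Met", "medium"),
    Finding("Annex", "5.7", "Threat intelligence", NOT_APPLICABLE),
    Finding("Annex", "6.3", "Awareness, education and training", "Partially Met", "medium"),
    Finding("Annex", "7.4", "Physical security monitoring", NOT_APPLICABLE),
    Finding("Annex", "8.8", "Management of technical vulnerabilities", "Not Met", "high"),
    Finding("Annex", "8.13", "Information backup", "Fully Met", "high"),
    Finding("Annex", "8.15", "Logging", "Partially Met", "high"),
    Finding("Annex", "8.17", "Clock synchronization", "Partially Met", "low"),
]


def report(findings):
    """Headline numbers for a management summary."""
    actual, maximum, percent = compliance(findings)
    band = interpret(percent) if percent is not None else "no applicable findings"
    return {"score": f"{actual}/{maximum}", "percent": percent, "band": band,
            "by_group": breakdown(findings), "priorities": prioritise(findings)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

Two design points worth keeping if you adapt this: a theme with only Not Applicable items reports None rather than 0% or 100%, so an empty denominator is never mistaken for a result, and clause and control references are labelled separately ("Clause 5.2" versus "A.5.2") because the main body and Annex A reuse the same numbers.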

Estimating Effort

Factors affecting effort:

  • Number and severity of gaps
  • Organisation size and complexity
  • Current documentation maturity
  • Management commitment
  • Available resources
  • External support engaged

Typical timelines:

Starting Point            | Typical Timeline
Strong foundation (80%+)  | 3-6 months
Moderate gaps (60-79%)    | 6-9 months
Major gaps (40-59%)       | 9-12 months
Starting from scratch     | 12-18 months

11. Planning Your Implementation

Phase 1: Foundation (Months 1-3)

Governance:

  • Establish ISMS scope
  • Create information security policy
  • Assign responsibilities
  • Gain management commitment

Risk management:

  • Define risk methodology
  • Conduct initial risk assessment
  • Develop risk treatment plan
  • Create Statement of Applicability

Documentation:

  • Establish document control
  • Create key policies
  • Develop procedures

Phase 2: Implementation (Months 4-8)

Controls:

  • Implement priority controls
  • Address major gaps
  • Deploy technical controls
  • Establish processes

Training:

  • Awareness programme
  • Role-specific training
  • Competence development

Documentation:

  • Complete procedures
  • Create records/evidence
  • Implement forms/templates

Phase 3: Operation (Months 9-10)

Run the ISMS:

  • Operate processes
  • Collect evidence
  • Handle incidents
  • Monitor and measure

Build evidence:

  • Records of operation
  • Meeting minutes
  • Audit trails
  • Metrics and reports

Phase 4: Verification (Months 11-12)

Internal audit:

  • Conduct internal audit
  • Identify nonconformities
  • Implement corrective actions

Management review:

  • Conduct management review
  • Make decisions
  • Allocate resources

Prepare for certification:

  • Address internal audit findings
  • Compile evidence
  • Select a UKAS-accredited certification body
  • Schedule the Stage 1 audit (a readiness review of the ISMS documentation), then the Stage 2 audit (an on-site assessment that the ISMS is implemented and operating)

The certification body will expect the ISMS to have operated long enough to produce records, including at least one completed internal audit and management review, before Stage 2 takes place.

12. Gap Assessment Checklist

Pre-Assessment

  • Understand ISO 27001:2022 requirements
  • Define assessment scope
  • Identify key stakeholders
  • Gather existing documentation
  • Schedule interviews

Main Body Assessment (Clauses 4-10)

  • Clause 4: Context assessed
  • Clause 5: Leadership assessed
  • Clause 6: Planning assessed
  • Clause 7: Support assessed
  • Clause 8: Operation assessed
  • Clause 9: Performance evaluation assessed
  • Clause 10: Improvement assessed

Annex A Assessment

  • Organisational controls (5) assessed
  • People controls (6) assessed
  • Physical controls (7) assessed
  • Technological controls (8) assessed

Results and Planning

  • Gaps documented
  • Gaps rated/prioritised
  • Compliance score calculated
  • Implementation roadmap developed
  • Resource requirements estimated
  • Timeline established
  • Management presentation prepared

13. How DSC Can Help

Dead Simple Computing helps organisations achieve and maintain ISO 27001 certification.

Gap Assessment

ISO 27001 Gap Assessment:

  • Comprehensive assessment against ISO 27001:2022
  • All clauses and Annex A controls
  • Prioritised findings
  • Implementation roadmap
  • Resource and timeline estimates

Deliverables:

  • Gap assessment report
  • Prioritised action plan
  • Implementation roadmap
  • Management summary

Implementation Support

Documentation:

  • Policy development
  • Procedure creation
  • Risk assessment facilitation
  • Statement of Applicability

Technical:

  • Control implementation
  • Managed security services
  • Vulnerability management
  • Monitoring and logging

Training:

  • Awareness programme
  • Internal auditor training
  • Management briefings

Certification Support

Pre-certification:

  • Internal audit
  • Management review facilitation
  • Certification readiness review
  • Evidence compilation

Certification:

  • Certification body liaison
  • Audit support
  • Nonconformity remediation

Ongoing Compliance

ISMS Management:

  • Surveillance audit support
  • Recertification support
  • Continuous improvement
  • Change management

vCISO:

  • ISMS oversight
  • Management reporting
  • Audit coordination
  • Ongoing compliance management

Why DSC

  • We're ISO 27001 certified ourselves
  • We understand practical implementation
  • CISSP qualified consultants
  • Ongoing support, not just project delivery
  • Managed services to maintain compliance

Contact us:

Resources

Standards

ISO/IEC 27001:2022:

Available from ISO or BSI

ISO/IEC 27002:2022:

Implementation guidance for controls

Certification

UKAS-accredited certification bodies:

  • BSI
  • LRQA
  • NQA
  • Others listed on UKAS website

About This Guide

This guide was prepared by Dead Simple Computing Ltd in January 2026 to help organisations assess their readiness for ISO 27001:2022 certification.

ISO 27001 requirements should be interpreted by competent professionals. This guide provides an overview, not comprehensive implementation guidance.

© 2026 Dead Simple Computing Ltd. All rights reserved.