Jun 22 2026

You Can’t Certify What You Haven’t Mapped: The Case for an ISO 27001 Gap Assessment

Category: Information Security, ISO 27k | disc7 @ 1:02 pm


Every ISO 27001 certification journey starts the same way — with a question that sounds simple and isn’t: Where are we right now?

That question is the gap assessment. And whether you’re a 20-person SaaS company trying to win enterprise deals or a mid-market firm responding to customer security questionnaires, the gap assessment is the most valuable thing you’ll do before you spend a dollar on tooling, a minute in a consultant’s workshop, or a day preparing for a Stage 1 audit.

Here’s what it is, why it matters, and how a structured approach turns a wall of compliance requirements into an honest six-month roadmap.


What Is an ISO 27001 Gap Assessment?

An ISO 27001 gap assessment is a structured comparison of your current state against the requirements of ISO/IEC 27001:2022 — across two dimensions:

Mandatory clauses (4–10): These are non-negotiable structural requirements. They cover how your organization defines its context (Clause 4), leadership commitment (Clause 5), planning, including risk assessment and risk treatment (Clause 6), support such as resources, competence, awareness, communication and documented information (Clause 7), operational controls (Clause 8), performance evaluation (Clause 9), and improvement (Clause 10). Every single one must be addressed. You cannot exclude them.

Annex A controls (A.5–A.8): These are 93 controls across four domains — Organizational, People, Physical, and Technological. Unlike the mandatory clauses, you can exclude Annex A controls from your scope — but every exclusion must be formally justified in your Statement of Applicability (SoA). “We forgot about that one” is not a justification.

The gap assessment looks at each requirement, asks whether evidence currently exists to satisfy it, notes what’s missing, and assigns a severity to the gap. The output isn’t a score. It’s a prioritized remediation list and a realistic timeline.


Why Bother? The Business Case Is Concrete

Organizations skip the gap assessment for the same reason they skip the architect before construction: it feels like overhead when you just want to get moving. That reasoning fails at the first audit.

Here’s what the gap assessment actually buys you:

It stops you from building in the wrong order. ISO 27001 has hard dependencies. You cannot run a compliant risk assessment before you’ve defined and documented your risk assessment process (Clause 6.1.2). You cannot write a valid Statement of Applicability before you’ve determined which controls are needed to treat your risks (Clause 6.1.3). You cannot close the loop on improvement (Clause 10) without internal audit findings (Clause 9.2) feeding into it. Organizations that skip the gap assessment routinely discover at Stage 1 that they’ve built Phase 3 before completing Phase 1. That’s expensive rework.
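The sequencing problem described above can be checked mechanically. As an added illustration for this post (not the author’s tooling or anything the standard prescribes), the Python below takes a constructed list of gap records, each with a clause or Annex A reference, a status and its prerequisites, flags any item marked done that rests on an unfinished prerequisite (the Phase 3 before Phase 1 case), and emits a remediation order that respects the dependencies. The references, statuses and dependency edges in the sample are assumptions chosen to mirror the chain in the article, not a mapping defined by ISO 27001.

```python
"""Order ISMS remediation work so that ISO 27001 prerequisites come first.

Added example for this post, not part of the original text. The references,
statuses and dependency edges in SAMPLE_GAPS are assumptions chosen to mirror
the chain described in the article; they are not a mapping the standard defines.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Gap:
    ref: str                    # clause or Annex A reference, used as the key
    title: str
    status: str                 # "missing", "partial" or "done"
    severity: int               # 1 = blocks certification ... 3 = minor
    depends_on: list[str] = field(default_factory=list)


# Constructed sample: a risk assessment recorded as "done" although the
# methodology and the asset register it relies on are not finished.
SAMPLE_GAPS = [
    Gap("4.3", "ISMS scope document", "done", 1),
    Gap("5.2", "Information Security Policy", "missing", 1, ["4.3"]),
    Gap("6.1.2-method", "Risk assessment methodology", "missing", 1, ["4.3"]),
    Gap("A.5.9", "Asset register", "partial", 1, ["4.3"]),
    Gap("6.1.2-result", "Risk assessment executed", "done", 1, ["6.1.2-method", "A.5.9"]),
    Gap("6.1.3", "Risk treatment plan and SoA", "missing", 1, ["6.1.2-result"]),
    Gap("A.5.15", "Access control policy", "missing", 2, ["5.2"]),
    Gap("9.2", "Internal audit", "missing", 1, ["6.1.3"]),
    Gap("9.3", "Management review", "missing", 1, ["9.2"]),
    Gap("10.1", "Corrective actions", "missing", 2, ["9.2"]),
]


def _index(gaps: list[Gap]) -> dict[str, Gap]:
    """Map refs to records and reject dependencies on items that are not in the list."""
    by_ref = {g.ref: g for g in gaps}
    for g in gaps:
        for d in g.depends_on:
            if d not in by_ref:
                raise ValueError(f"{g.ref} depends on unknown item {d}")
    return by_ref


def find_inversions(gaps: list[Gap]) -> list[tuple[str, str]]:
    """(ref, prerequisite) pairs where work marked done rests on an unfinished prerequisite."""
    by_ref = _index(gaps)
    return [(g.ref, d) for g in gaps if g.status == "done"
            for d in g.depends_on if by_ref[d].status != "done"]


def remediation_order(gaps: list[Gap]) -> list[str]:
    """Dependency-respecting work order (Kahn's algorithm), worst severity first among ready items.

    Items already done are omitted unless they sit on an unfinished prerequisite,
    in which case they are scheduled again after that prerequisite (rework).
    """
    by_ref = _index(gaps)
    indegree = {g.ref: len(g.depends_on) for g in gaps}
    dependents: dict[str, list[str]] = {g.ref: [] for g in gaps}
    for g in gaps:
        for d in g.depends_on:
            dependents[d].append(g.ref)

    def priority(ref: str) -> tuple[int, str]:
        return (by_ref[ref].severity, ref)

    ready = sorted((r for r, n in indegree.items() if n == 0), key=priority)
    order: list[str] = []
    while ready:
        ref = ready.pop(0)
        order.append(ref)
        for dep in dependents[ref]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
        ready.sort(key=priority)
    if len(order) != len(gaps):
        stuck = sorted(set(indegree) - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(stuck))

    rework = {ref for ref, _ in find_inversions(gaps)}
    return [r for r in order if by_ref[r].status != "done" or r in rework]


if __name__ == "__main__":
    titles = {g.ref: g.title for g in SAMPLE_GAPS}
    for ref, prereq in find_inversions(SAMPLE_GAPS):
        print(f"REWORK: {ref} is marked done but {prereq} is not")
    for n, ref in enumerate(remediation_order(SAMPLE_GAPS), 1):
        print(f"{n:2d}. {ref:14s} {titles[ref]}")
```

Run on the sample, the script flags the executed risk assessment as rework because its methodology and asset register are unfinished, and it schedules the risk treatment plan, SoA, internal audit and management review only after that rework, which is the ordering the paragraph argues for.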

It surfaces the controls that actually take time. Ask any ISO 27001 implementer what delayed their certification, and you’ll hear the same two answers: the asset register and the risk assessment. Both are downstream dependencies for everything else. The asset register isn’t glamorous, but without it, your risk assessment is a fiction and your SoA is guesswork. The gap assessment forces you to confront this at the beginning, not six weeks before Stage 2.

It gives leadership an honest brief. The gap assessment is the most credible document you can put in front of your CISO, CTO, or board when asking for budget. It’s not a vendor deck. It’s a bill of materials: here’s what we have, here’s what we need, here’s how long it realistically takes. Management commitment isn’t something you get once and bank — it needs to be sustained through a multi-month implementation. The gap assessment keeps everyone calibrated.

It protects your audit investment. ISO 27001 certification costs real money — certification body fees, consultant time, internal hours. A gap assessment is insurance on that investment. Organizations that go into Stage 1 with an honest gap analysis spend their audit time demonstrating maturity. Organizations that don’t spend it discovering they’re missing a signed Information Security Policy or a single completed management review.


The Implementation Roadmap: Six Months from Scratch

Based on the structure of a rigorous gap assessment across all 93 Annex A controls and the mandatory requirements of Clauses 4–10, here’s what a realistic implementation looks like.

Phase 1 — Foundation (Weeks 1–6)

Do these first or nothing else works.

This phase is about structural prerequisites. Without them, you cannot run a compliant risk assessment, write a defensible SoA, or pass Stage 1.

The critical outputs here are: a signed ISMS scope document (no scope, no certification), a context and stakeholder analysis that drives policy and control selection downstream, documented management commitment with budget and RACI, a signed Information Security Policy, a completed asset register, and a defined risk assessment methodology — documented before you run the assessment.

The asset register deserves a dedicated call-out. It is the foundation for nearly every Annex A control that follows. Organizations chronically underestimate how long it takes to build an accurate, comprehensive register covering data assets, software, hardware, and cloud services. Start here, not when you feel ready.

Phase 2 — Core Controls (Weeks 7–14)

Treat risks and build the control baseline.

With the foundation in place, Phase 2 is where you run the formal risk assessment, complete the risk treatment plan, and produce the Statement of Applicability — the single most scrutinized document at any ISO 27001 audit. Every one of the 93 Annex A controls must appear in the SoA with a decision and a justification: applicable, with a note on whether it is implemented yet, or not applicable. A control you leave out because the related risk has been formally accepted still needs that reasoning recorded.

The technical controls that come online in this phase include IAM with MFA (auditors have moved well past treating MFA as optional), privileged access management, endpoint and malware protection, patch management with defined severity SLAs, and log aggregation. Alongside the technical stack, the core policy suite gets written and communicated: Acceptable Use Policy, Access Control Policy, Incident Response Plan, Cryptography Policy, and Remote Working Policy.

Security awareness training also launches in Phase 2. Auditors don’t just check completion records — they informally quiz staff. If your employees can’t articulate how to report a security incident, your training program didn’t land.

Phase 3 — Operational Readiness (Weeks 15–20)

Prove the ISMS is running, not just documented.

This is where the gap between policy and practice gets closed. The most common Stage 2 finding isn’t missing documentation — it’s documentation that describes controls nobody is actually operating.

Phase 3 focus areas: supplier security (every material vendor needs an assessment; auditors review actual contract language for IS clauses), a tested incident response plan (a tabletop exercise is the minimum; untested plans don’t satisfy auditors), a documented and tested backup restoration process (backups alone don’t count), a running vulnerability scanning cadence with critical CVEs remediated, configuration baselines against a recognized standard like CIS Benchmarks, and the beginning of IS objective measurement so you have data to present at management review.
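Two of the items above, the patch management SLAs from Phase 2 and the vulnerability scanning cadence with critical CVEs remediated in Phase 3, produce the same evidence an auditor asks for: a list of findings that missed their deadline and a per-severity tally of how many were fixed in time. The Python below is an added example for this post, not the author’s tooling. It parses a constructed scanner export (placeholder CVE identifiers, not real vulnerabilities), applies assumed per-severity SLAs (ISO 27001 itself sets no remediation deadlines), and separates findings that were fixed late from findings that are still open past their deadline.

```python
"""Check vulnerability-scan findings against remediation SLAs by severity.

Added example for this post, not the author's tooling. SLA_DAYS are assumed
policy values (ISO 27001 sets none); SAMPLE_CSV is a constructed scanner export
with placeholder CVE identifiers that do not refer to real vulnerabilities.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation deadlines in days after first detection, per severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample export. An empty fixed_on means the finding is still open.
SAMPLE_CSV = """asset,cve,severity,first_seen,fixed_on
web-01,CVE-0000-1001,critical,2025-01-02,
web-01,CVE-0000-1002,high,2025-01-10,2025-01-25
db-01,CVE-0000-1003,critical,2025-01-20,2025-02-10
db-01,CVE-0000-1004,medium,2024-11-01,
vpn-01,CVE-0000-1005,high,2025-01-28,
"""


def parse_findings(text):
    """Parse the export; an unknown severity is an error rather than a silently unscored row."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        severity = row["severity"].strip().lower()
        if severity not in SLA_DAYS:
            raise ValueError(f"{row['cve']}: no SLA defined for severity {severity!r}")
        findings.append({
            "asset": row["asset"],
            "cve": row["cve"],
            "severity": severity,
            "first_seen": date.fromisoformat(row["first_seen"]),
            "fixed_on": date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None,
        })
    return findings


def evaluate(findings, today):
    """Label each finding: met / breached (fixed late) / overdue (open past deadline) / open."""
    results = []
    for f in findings:
        deadline = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        if f["fixed_on"] is not None:
            state = "met" if f["fixed_on"] <= deadline else "breached"
            days_over = max((f["fixed_on"] - deadline).days, 0)
        else:
            state = "overdue" if today > deadline else "open"
            days_over = max((today - deadline).days, 0)
        results.append({"asset": f["asset"], "cve": f["cve"], "severity": f["severity"],
                        "deadline": deadline.isoformat(), "state": state, "days_over": days_over})
    return results


def sla_report(text, today):
    """Exceptions worst-first plus a per-severity tally: the two tables an auditor asks to see."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    results = evaluate(parse_findings(text), today)
    exceptions = sorted((r for r in results if r["state"] in ("overdue", "breached")),
                        key=lambda r: (-r["days_over"], r["severity"], r["cve"]))
    summary = {}
    for r in results:
        tally = summary.setdefault(r["severity"], {"total": 0, "within_sla": 0})
        tally["total"] += 1
        if r["state"] in ("met", "open"):
            tally["within_sla"] += 1
    return {"exceptions": exceptions, "summary": summary}


if __name__ == "__main__":
    report = sla_report(SAMPLE_CSV, "2025-02-15")
    for e in report["exceptions"]:
        print(f"{e['state']:8s} {e['severity']:8s} {e['asset']:7s} {e['cve']} "
              f"deadline {e['deadline']} ({e['days_over']} days over)")
    for sev, t in report["summary"].items():
        print(f"{sev}: {t['within_sla']}/{t['total']} within SLA")
```

The distinction between "breached" and "overdue" matters in the audit conversation: a late fix with a recorded date is a closed exception you can explain, while an open critical past its deadline is a live nonconformity. Run this against the real export on the same cadence as the scan itself so the report series, not a one-off, becomes the evidence.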

Phase 4 — Audit Readiness (Weeks 21–26)

Close the loop before Stage 1.

The final phase is about demonstrating a functioning ISMS, not a perfect one. Auditors are looking for a system that works — that captures findings, generates corrective actions, and learns from them. Zero nonconformities is not the goal. A functioning corrective action process is.

Phase 4 deliverables: a completed internal audit covering all clauses with findings logged (at least one full cycle must be complete before Stage 2), signed management review minutes covering all required inputs, open corrective actions with root cause analysis in progress, and a Stage 1 readiness check against the mandatory documentation list.


The Hard Reality of Timeline Compression

Six months is achievable for a focused organization starting from scratch. It is not guaranteed, and the most common reason programs stall is Phases 1 and 2 taking twice as long as planned.

The two failure modes I see consistently:

Asset register underestimation. Organizations discover mid-Phase 2 that their asset inventory is incomplete, which invalidates the risk assessment they’ve already invested in. Scope the asset register effort honestly at the outset.

Risk assessment scope creep. Without a documented methodology agreed to in Phase 1, the risk assessment becomes a moving target. Define your methodology — asset-based, scenario-based, or hybrid — before you run a single assessment.

Fix those two early, and the downstream phases flow. Get them wrong, and you’re looking at nine to twelve months, not six.


My Perspective

I’ve implemented ISO 27001 in enough environments — from government to financial services to cloud SaaS — to have strong opinions about where programs succeed and where they fail. The gap assessment is usually where the outcome is determined.

The organizations that complete certification on schedule are rarely the ones with the most mature controls. They’re the ones that knew exactly what they were missing before they started. They used the gap assessment to make hard sequencing decisions early, to socialize realistic expectations with leadership, and to protect their audit investment by entering Stage 1 with evidence, not hope.

The controls that most consistently trip up organizations starting from scratch — the ones I watch most closely on a gap assessment — are the Statement of Applicability, periodic access reviews (quarterly is a common minimum; most organizations have never done one), supplier security assessments with IS contract language, tested incident response (not just a plan that lives in a SharePoint nobody reads), and four of the controls introduced in the 2022 edition that are still underestimated: threat intelligence (A.5.7), information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), and monitoring activities (A.8.16). These aren’t obscure; they’re just new enough that organizations haven’t built them into their default ISMS architecture yet.

ISO 27001 certification is not a compliance trophy. Done properly, it’s operational infrastructure — the difference between a security program that responds to incidents because it has to and one that prevents them because it was designed to.

The gap assessment is how you know which one you’re building.


DISC InfoSec is a boutique cybersecurity and AI governance consultancy. Hugh Deura serves as lead implementer and internal auditor for ISO 27001 and ISO 42001 engagements. If you’re evaluating your organization’s readiness for ISO 27001 certification, we offer a structured gap assessment engagement that delivers a prioritized remediation roadmap, an honest timeline, and a plain-English brief for leadership.

Connect or reach out at deurainfosec.com

Tags: isms, ISO 27001 2022, ISO 27001 gap assessment
