ISO 27001 Gap Analysis: How to Assess Your Readiness Without a Consultant

You don’t need to spend €10,000 on a consultant to find out where your ISO 27001 gaps are. Here’s how to do it yourself.

ISO 27001 is the international standard for information security management. It’s increasingly a requirement for winning enterprise contracts, satisfying investor due diligence, and meeting supply chain security expectations.

But getting certified is a journey. And the first step on that journey is a gap analysis — understanding where you are today versus where the standard expects you to be.

Most consultants charge €5,000–€15,000 for this exercise. This guide shows you how to do it yourself.

What ISO 27001 Actually Requires

At its core, ISO 27001 requires you to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). The ISMS is a structured approach to managing sensitive company information so it remains secure.

The standard has two main parts:

  1. Clauses 4–10: The management system requirements (context, leadership, planning, support, operation, performance evaluation, improvement)

  2. Annex A: A reference list of 93 security controls across 4 themes (organisational, people, physical, technological)

A gap analysis checks your organisation against both parts.

The Key Control Areas

Here are the areas that matter most for a gap analysis, with practical checkpoints for each.

Management System (Clauses 4–10)

  • ✅ The scope of your ISMS is defined (which parts of the business, which information assets)

  • ✅ An information security policy exists, is approved by management, and is communicated to staff

  • ✅ Roles and responsibilities for information security are assigned

  • ✅ A risk assessment methodology is defined and a risk assessment has been conducted

  • ✅ A Statement of Applicability (SoA) documents which Annex A controls apply and why

  • ✅ A risk treatment plan exists with owners and timelines

  • ✅ Management reviews are conducted at planned intervals

  • ✅ Internal audits are planned and conducted

  • ✅ Nonconformities are recorded and corrective actions tracked

Organisational Controls

  • ✅ Information security policies are documented and reviewed regularly

  • ✅ Roles and responsibilities are clearly defined and segregation of duties is applied where appropriate

  • ✅ Contact with relevant authorities and special interest groups is maintained

  • ✅ Information security is integrated into project management

  • ✅ An asset inventory exists and assets have assigned owners

  • ✅ Acceptable use policies are defined for information and assets

  • ✅ Information classification and labelling schemes are in place

People Controls

  • ✅ Background checks are performed prior to employment (where legally permitted)

  • ✅ Employment contracts include information security responsibilities

  • ✅ Information security awareness training is provided to all staff

  • ✅ A disciplinary process exists for information security violations

  • ✅ Responsibilities that remain valid after termination or change of employment are defined

Physical Controls

  • ✅ Physical security perimeters are defined for areas containing sensitive information

  • ✅ Entry controls are in place for secure areas

  • ✅ Equipment is protected from environmental threats

  • ✅ Secure disposal of storage media is practiced

  • ✅ Clear desk and clear screen policies are enforced

Technological Controls

  • ✅ User access is managed through a formal registration and de-registration process

  • ✅ Multi-factor authentication is implemented on critical systems

  • ✅ Privileged access is restricted and monitored

  • ✅ Data is encrypted in transit and at rest

  • ✅ Secure development practices are followed

  • ✅ Networks are segregated and secured

  • ✅ Vulnerability management is in place (regular scanning and patching)

  • ✅ Logging and monitoring are active, with alerting on security events

  • ✅ Backup processes are documented and tested

  • ✅ Malware protection is deployed and maintained
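To turn the checklists above into numbers, here is an added worked example (not code from the original guide or from any product) of a self-scoring gap analysis: each checkpoint gets a 0/1/2 score plus an effort and impact rating, areas are scored as a percentage, and open gaps are ranked by impact per unit of effort. The 0/1/2 scale, the effort and impact ratings and the ranking formula are assumptions for illustration, and the sample answers are constructed.

```python
from dataclasses import dataclass

# Constructed self-assessment: a subset of the page's checkpoints per area.
# Each checkpoint is scored 0 (absent), 1 (partial) or 2 (implemented), with an
# assumed remediation effort (1 low .. 3 high) and risk impact (1 low .. 3 high).

@dataclass
class Checkpoint:
    area: str
    name: str
    score: int    # 0 = not in place, 1 = partial, 2 = fully in place
    effort: int   # assumed remediation effort, 1 (low) to 3 (high)
    impact: int   # assumed impact of leaving the gap open, 1 (low) to 3 (high)

ASSESSMENT = [
    Checkpoint("Management System", "ISMS scope defined", 0, 1, 3),
    Checkpoint("Management System", "Risk assessment conducted", 1, 2, 3),
    Checkpoint("Management System", "Statement of Applicability", 0, 2, 3),
    Checkpoint("Technological", "MFA on critical systems", 2, 2, 3),
    Checkpoint("Technological", "Privileged access restricted and monitored", 1, 2, 3),
    Checkpoint("Technological", "Backups documented and tested", 1, 1, 2),
    Checkpoint("People", "Security awareness training", 1, 1, 2),
    Checkpoint("Physical", "Clear desk / clear screen policy", 2, 1, 1),
]

def area_scores(items):
    """Return {area: percentage}; 100% means every checkpoint is fully in place."""
    totals = {}
    for cp in items:
        got, maximum = totals.get(cp.area, (0, 0))
        totals[cp.area] = (got + cp.score, maximum + 2)
    return {area: round(100 * got / maximum) for area, (got, maximum) in totals.items()}

def gap_priority(items):
    """Rank open gaps: highest (impact x remaining gap) per unit of effort first."""
    gaps = [cp for cp in items if cp.score < 2]
    def priority(cp):
        remaining = 2 - cp.score
        return (cp.impact * remaining) / cp.effort
    # Ties are broken alphabetically so the ordering is deterministic.
    return sorted(gaps, key=lambda cp: (-priority(cp), cp.name))

if __name__ == "__main__":
    for area, pct in area_scores(ASSESSMENT).items():
        print(f"{area:18s} {pct:3d}%")
    print("\nFix first:")
    for cp in gap_priority(ASSESSMENT):
        print(f"  {cp.name} (impact {cp.impact}, effort {cp.effort})")
```

With the constructed answers, the Management System area scores 17% and the undefined ISMS scope ranks first, matching the "biggest blocker" called out in the common gaps below.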

Common Gaps SMBs Have

From running ISO 27001 gap analyses in my consultancy practice, these are the gaps I see most often in SMBs:

  1. No formal ISMS scope or policy — the biggest blocker. Without a defined scope and approved policy, nothing else matters.

  2. Risk assessment not done (or done once and forgotten) — the risk assessment is the engine of ISO 27001. It drives everything.

  3. No Statement of Applicability — many organisations don’t know this document exists, but auditors will ask for it immediately.

  4. Access control is informal — people have access because they always have, not because a process granted it.

  5. No internal audit programme — ISO 27001 requires you to audit yourself before the external auditor arrives.

  6. Security training is a checkbox exercise — a once-a-year slideshow doesn’t count as awareness culture.

How ShieldIQ Maps to ISO 27001

ShieldIQ’s ISO 27001 assessment covers the key control areas above with practical, jargon-free questions. AI scores each area from 0–100% and generates a gap analysis report showing exactly where you fall short.

The spider graph overlays your current scores against your target maturity levels, so you can see the gap visually. The priority matrix tells you what to fix first based on effort and impact.

It’s not a replacement for a formal Stage 1 audit, but it gives you a clear picture of readiness before you engage a certification body — and it costs nothing.

Ready to find out where you stand?

Start your free ISO 27001 gap analysis at app.shieldiqcyber.com

No credit card. No sales call. Under 15 minutes.