ISO 27001 Gap Assessment

Evaluate your readiness for ISO 27001:2022 certification across 4 Annex A control themes and 41 controls. Identify gaps, see your readiness score, and get a prioritized action plan.

What Is ISO 27001?

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, operating, monitoring, and continually improving a management system that protects the confidentiality, integrity, and availability of information through policies, processes, and controls. The current edition, ISO 27001:2022, reorganized the Annex A controls into 4 themes: organizational, people, physical, and technological. Annex A now lists 93 controls, consolidated from the 114 controls in 14 domains of the 2013 edition.

Certification is voluntary but increasingly expected by enterprise clients, regulators, and partners. It demonstrates to stakeholders that your organization has implemented a comprehensive security management system that is independently audited and continuously improved.

ISO 27001 certification involves two stages: a Stage 1 audit reviewing your documentation and ISMS design, followed by a Stage 2 audit evaluating whether the controls are implemented and operating effectively. A certificate is valid for three years; surveillance audits occur annually during that period, and a full recertification audit is required before the certificate expires.

The 4 Control Themes

Organizational Controls (A.5) cover governance, policies, roles, responsibilities, threat intelligence, asset management, access control, supplier relationships, incident management, business continuity, and compliance. These form the management backbone of your ISMS.

People Controls (A.6) address the human element — screening, terms of employment, awareness training, disciplinary processes, termination procedures, confidentiality agreements, remote working, and event reporting. People are both your greatest asset and your greatest risk.

Physical Controls (A.7) cover physical security perimeters, entry controls, securing offices, monitoring for physical threats, equipment protection, secure disposal, clear desk policies, and storage media management.

Technological Controls (A.8) address technical security measures including user devices, privileged access, access restrictions, source code security, authentication, capacity management, malware protection, vulnerability management, configuration management, data deletion, masking, leakage prevention, monitoring, web filtering, network security, and cryptography.

Frequently Asked Questions

How long does ISO 27001 certification take?

For a small to medium organization starting from scratch, typically 6-12 months. This includes building the ISMS, implementing controls, running the system for a period to generate evidence, and completing both Stage 1 and Stage 2 audits. Organizations with existing security practices can move faster.

How much does ISO 27001 certification cost?

Costs vary widely. For a small company (under 50 employees), expect €15,000-30,000 total including consultant fees and certification audit costs. For medium organizations, €30,000-80,000+. The ongoing annual surveillance audit typically costs €5,000-15,000. DIY approaches using tools and templates can reduce consultant fees significantly.

Do I need to implement ALL Annex A controls?

No. ISO 27001 requires you to conduct a risk assessment, decide how to treat each risk, and select the controls needed to implement that treatment. Annex A is a reference list used to check that no necessary control has been overlooked; controls that are not needed can be excluded, and controls from other sources can be added. The Statement of Applicability (SoA) must list every Annex A control, state whether it is included or excluded, and give the justification either way. Auditors will review these justifications, and "not applicable" should be reserved for controls that genuinely do not fit your scope, not for controls you have simply not implemented yet.

How does ISO 27001 relate to GDPR and NIS2?

ISO 27001 is a voluntary standard, while GDPR and NIS2 are binding regulations. ISO 27001 certification is evidence that you have implemented appropriate technical and organizational security measures, which supports (but does not by itself prove) compliance with GDPR Article 32 and NIS2 Article 21. Many organizations use ISO 27001 as their internal framework for meeting regulatory security requirements, mapping each regulatory obligation to the ISMS controls that satisfy it.

Disclaimer: This is a self-assessment tool, not a substitute for a formal ISO 27001 audit. ISO 27001 is a registered trademark of the International Organization for Standardization. Created by ClevSec.

Last updated: April 2026