ISO 27001 Gap Assessment: What to Expect and How to Use the Results

April 11, 2024

Before an ISO 27001 programme begins in earnest, most organisations want to know two things: how far away are we, and how long will it take? A gap assessment is meant to answer both. The problem is that the quality of gap assessments varies significantly. A shallow review that checks whether policies exist and skips any operational testing will produce a programme plan that looks achievable on paper and falls apart in practice.

A thorough gap assessment is worth spending time on because it shapes everything that follows. The scope of the ISMS, the risk assessment methodology, the control implementation roadmap, and the realistic timeline to certification all depend on having an accurate picture of the current state. Underestimating the gap is the most common reason ISO 27001 programmes run over time and over budget.

What a Gap Assessment Covers

A well-structured gap assessment reviews the organisation against the requirements of ISO 27001 clauses 4 through 10, which cover context and scope, leadership, planning, support, operation, performance evaluation, and improvement. It also reviews the organisation's current control environment against the relevant controls in Annex A. The output is a structured view of conformance status across both dimensions, with each gap documented alongside an indication of the effort required to close it.

Beyond document review, a good gap assessment includes structured interviews with key personnel: the people responsible for IT operations, HR processes, supplier management, and incident response. Policies and procedures that look complete on paper sometimes describe processes that no one actually follows. Interviews surface that gap. They also identify informal controls that are working but not documented, which can be formalised rather than rebuilt from scratch.

How to Read the Results

Gap assessment outputs are often presented as a percentage of conformance, sometimes called a maturity score or a compliance score. These aggregate numbers are less useful than the underlying breakdown. What matters is which clauses and which control areas carry the largest gaps, because those are the areas that will require the most time and resource to address before certification is achievable.

Clause 6 (planning) and Clause 8 (operation) tend to be the areas where organisations with no prior ISMS programme have the most ground to cover. Risk assessment methodology, risk register, risk treatment plan, and Statement of Applicability are all Clause 6 and 8 requirements. They are also foundational: other parts of the programme depend on them being in place and coherent. A gap assessment should flag these dependencies so the implementation roadmap sequences work in the right order.

Turning Results into a Realistic Programme Plan

The gap assessment output should feed directly into a programme plan that includes a work breakdown structure, ownership for each stream, and a realistic timeline that accounts for business-as-usual constraints. ISO 27001 programmes that run in parallel with normal business operations compete for the same people and the same time. A programme plan that assumes full-time availability from a part-time team will slip.

We have found that organisations with a solid technology foundation but limited governance documentation can typically close the gap and achieve certification within 9 to 12 months with appropriate support. Organisations that need to build out significant operational controls alongside the documentation framework often need 12 to 15 months. The gap assessment is what allows that estimate to be grounded in evidence rather than aspiration. A client in the identity verification sector recently achieved ISO 27001 certification in 13 months following a gap assessment that surfaced a larger-than-expected documentation deficit early, allowing the programme to prioritise accordingly.

Common Gaps We See in Australian Technology Companies

Across our engagements with Australian SaaS and technology companies, the gaps that appear most consistently are:

  • No documented risk assessment methodology or a methodology that has never been applied
  • Access control processes that work in practice but have no documented procedure
  • Supplier assessments that are informal or absent, particularly for critical cloud service providers
  • Incident response plans that exist but have never been tested
  • Change management processes that are technically enforced but not documented as a control
  • Internal audit programmes that have not been conducted

None of these are uncommon and none are insurmountable. The value of surfacing them at the start of the programme rather than three months before a certification audit is that the team has time to address them properly rather than under pressure.

To discuss a gap assessment for your organisation's ISO 27001 programme, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Guides
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?