When I first got into audit, I always wondered why companies would hire consultants to perform a gap analysis. After all, they know their company, their processes and the applicable standards and frameworks better than anyone. To me it looked like a waste of money, something you could easily do yourself.
Turns out I was wrong. That’s the lesson I learned over the years.
Let’s start with “What is a gap analysis?” Put simply, it is a rehearsal for your upcoming ISO 27001 certification audit. This is where you find the issues before they become expensive, uncomfortable findings in front of the auditor assigned by the certification body.
By definition, an ISO 27001 gap analysis is a systematic approach to measuring the distance between where your organization’s information security is right now and where it needs to be to get certified. That’s it. Nothing more complex than that. It’s a structured comparison exercise.
But here’s what makes this exercise extremely valuable: it’s the difference between showing up to a certification audit hoping to pass and showing up with a clear understanding of the organization’s security situation, knowing you will pass.
Why do a gap analysis? A gap analysis gives you a clear roadmap: what’s missing, how to fix it and how long it will take. It is the best way to avoid failing your certification audit, with the wasted time, lost money and executive-level crisis that come with a failure.
Gap Analysis: An almost Binary Approach
A gap analysis asks one simple question of each requirement: do we meet it?
The answer is compliant, partially compliant, or non-compliant. It’s comparable to a pass/fail test, with “partially” as the only shade of grey, hence “almost” binary. The goal is to identify what needs to be fixed to achieve certification.
When to use a gap analysis:
– Preparing for initial certification
– Needing to know exactly what workload is required before planning for certification
– Needing clarity when your ISMS has drifted following significant changes in personnel or organization
What you get at the end:
– A clear list of gaps
– Prioritized remediation actions
– Resource and timeline estimates
– A roadmap to certification
A 5-Phase Process:
Phase 1: Get Together and Prepare (Preparation)
Get a Sponsor: Make sure someone from top management is clearly involved. It’s not an IT or a security team only project. If top management see this as an IT initiative, it’s lost. This is a business initiative that happens to involve information security.
Build a Team: The worst gap analyses are conducted by a single person (usually from IT) working in isolation. They produce technically accurate reports that no one understands or acts on. The best gap analyses involve cross-functional teams (IT, Security, HR and other business people) that bring different perspectives and build organizational buy-in.
Consider Hiring an external Consultant: If internal ISO 27001 expertise is lacking, an experienced consultant can accelerate the process and help avoid common mistakes. Just make sure they’re there to transfer knowledge, not to do everything for you.
Define Your Scope: Decide what part of the business you’re certifying. Be specific. The scope is a strategic decision, not a technical one. It’s common to see companies struggle with technical details while missing the big picture.
The scope can always be expanded in future recertification cycles. Start with something manageable.
Make a Plan & Develop the Assessment Questionnaire
Figure out who you’ll talk to, what you’ll ask, and how long it will take (hint: from 8 to 14 weeks). Build a questionnaire to ease the process. Don’t overdo it but make sure you cover all the ISMS. The right balance is a comprehensive but usable questionnaire —typically 150-250 questions covering all requirements.
Establish the timeline
Typical timeline for a medium-sized organization:
– Preparation and planning: 1-2 weeks
– Document review: 2-3 weeks
– Interviews and observations: 2-4 weeks
– Analysis and gap identification: 1-2 weeks
– Report writing: 1-2 weeks
– Review and finalization: 1 week
Total: 8-14 weeks
Larger organizations or broader scopes will take longer. Smaller organizations or narrower scopes might be faster.
These estimates allow for scheduling challenges, unexpected findings, and stakeholder availability.
It’s not unusual to see organizations and consultants try to do a gap analysis in two weeks. It’s possible, but the result is very high level: a superficial assessment that misses important gaps, and most probably a waste of time. Then the certification audit fails, and the whole thing must be done over again. Slow down to speed up.
Communicate the Plan
This step is often overlooked. Poor communication breeds anxiety and resistance; clear, honest communication prevents it. Explain what’s being done and why. Make it safe for people to be honest about gaps.
Emphasize that the goal is organizational improvement, not individual blame. The objective is to identify and fix problems before they become expensive problems.
Phase 2: The Investigation (Fieldwork and Assessment)
Read Existing Documentation: Gather all existing policies, procedures, and records.
What to look for: Does it exist? Is it current? Is it approved? Is it complete? Is it accessible? Is it being followed?
At this step, common findings include long-forgotten requirements, procedures that describe processes that no longer exist, and evidence of good intentions that were never followed through.
This is usually where time is wasted and the project is delayed: chasing people for documents, screenshots, logs, and records. People forget. Give enough time between the document request and the actual start of the review.
Talk to People/The interviews: Interview everyone relevant to the ISMS from the CEO to the IT help desk. It is usually at the bottom of the chart that you discover what really happens. Interviews are where the truth is discovered. People will say things they’d never write down. You’ll hear about workarounds, shortcuts, and “the way we really do things.”
Most importantly, walkthroughs with interviewees are where the “shadow ISMS” is discovered: the informal processes and workarounds that people actually use instead of the official procedures. Those are important to understand, because they are what the auditor will see when asking for evidence.
On-Site visits: Look around and observe. Some things can only be learned by looking. Walk the floors. Are workstations locked? Are passwords on sticky notes? Reality often differs from policy. Observations reveal the gap between policy and practice. The policy says workstations must be locked when unattended. The observation reveals that in the sales department, no one locks their workstation because “it’s inconvenient.”
That’s valuable information. It indicates that either the policy needs to change, the culture needs to change, or the technology needs to change (hello, automatic screen locking).
Complete the questionnaire and pull it all together: As document reviews, interviews, and observations are completed, systematically complete the assessment questionnaire. The completed questionnaire is the foundation of the gap analysis report. Take your time. Be thorough. Be honest. This is not the time for wishful thinking.
Phase 3: Make Sense of What We Found (Analysis & Gap Identification)
Categorize/Use Traffic Lights: Categorize every requirement as Green (Compliant), Yellow (Partially Compliant), or Red (Non-Compliant). The traffic light system is simple and effective: everyone understands red/yellow/green, and it makes findings immediately accessible to non-technical stakeholders.
Find the Root Causes – The “Why”: For every Red and Yellow, figure out the root cause. Is it a lack of training? No budget? No owner? A bad process? Fixing the symptom without the root cause means the gap comes back before the next audit.
Assess Risk and Impact, Prioritize: Not all gaps are created equal. Focus on the high-risk stuff first—the things that could actually cause a breach or an audit failure. Risk assessment is where the urgent is separated from the merely important. A missing policy might be a compliance gap, but an unpatched, internet-facing server is an existential threat.
Some organizations spend months perfecting their documentation while ignoring critical technical vulnerabilities. Don’t do that. Fix the things that could actually cause harm first.
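To make that prioritization concrete, here is an added example (my own illustration, not code from the article): a small gap register that ranks findings by likelihood × impact, scaled by traffic-light status, so that a partially compliant control covering an internet-facing server outranks a fully non-compliant but low-risk policy gap. The Annex A control numbers, the 1-5 scales, the status weights and the sample gaps are all assumptions made for this example.

```python
"""Prioritize an ISO 27001 gap register by risk rather than by traffic-light colour.

Added example, not part of the original article. The control references
(ISO 27001:2022 Annex A numbering), the 1-5 likelihood/impact scales, the
status weights and the sample gaps below are assumptions made for this example.
"""
from dataclasses import dataclass

# Weight applied to the raw risk score; a yellow is still a gap, just a smaller one.
STATUS_WEIGHT = {"red": 1.0, "yellow": 0.6, "green": 0.0}


@dataclass(frozen=True)
class Gap:
    control: str      # Annex A control reference (illustrative)
    title: str
    status: str       # "green", "yellow" or "red"
    likelihood: int   # 1 (rare) .. 5 (almost certain) that the weakness is exploited
    impact: int       # 1 (negligible) .. 5 (severe) consequence if it is
    root_cause: str   # the "why" behind the gap, filled in during analysis


def risk_score(gap: Gap) -> int:
    """Classic likelihood x impact, range 1..25."""
    return gap.likelihood * gap.impact


def priority(gap: Gap) -> float:
    """Risk scaled by how far from compliant the control is."""
    if gap.status not in STATUS_WEIGHT:
        raise ValueError(f"unknown status {gap.status!r} on control {gap.control}")
    return risk_score(gap) * STATUS_WEIGHT[gap.status]


def prioritize(gaps: list[Gap]) -> list[Gap]:
    """Remediation order, highest priority first; greens are not gaps and are dropped."""
    return sorted(
        (g for g in gaps if g.status != "green"),
        key=lambda g: (priority(g), risk_score(g)),
        reverse=True,
    )


def traffic_light_summary(gaps: list[Gap]) -> dict[str, int]:
    """Counts per colour, the figure that goes into the executive summary."""
    summary = {"green": 0, "yellow": 0, "red": 0}
    for g in gaps:
        summary[g.status] += 1
    return summary


# Constructed sample register, mirroring the article's own contrast between
# a missing policy and an unpatched internet-facing server.
SAMPLE_GAPS = [
    Gap("5.1", "Information security policy not approved by management",
        "red", likelihood=2, impact=2, root_cause="no owner assigned"),
    Gap("8.8", "Patch process exists but skips one internet-facing server",
        "yellow", likelihood=5, impact=5, root_cause="server missing from asset inventory"),
    Gap("7.7", "Workstations left unlocked in the sales department",
        "red", likelihood=4, impact=3, root_cause="no automatic screen lock enforced"),
    Gap("6.3", "Awareness training delivered and recorded annually",
        "green", likelihood=1, impact=1, root_cause=""),
]

if __name__ == "__main__":
    print(traffic_light_summary(SAMPLE_GAPS))
    for g in prioritize(SAMPLE_GAPS):
        print(f"{priority(g):5.1f}  {g.status:6}  {g.control:4} {g.title}  [{g.root_cause}]")
```

Run as-is, the yellow patching gap (priority 15.0) lands above both reds (12.0 and 4.0). Sorting the register by colour alone would have put the unapproved policy document ahead of the exposed server, which is exactly the mistake the paragraph above warns about.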
Phase 4: Write It Down (Reporting)
Write for Your Audience: The work is done. Now the findings need to be communicated clearly and compellingly. Create a short, punchy Executive Summary with charts and numbers for the C-suite. They won’t read the rest. Don’t be overly technical. Be factual and understandable by all parties.
The main body of the report is for the implementation team and should be detailed enough that for each gap, technical teams understand what’s wrong, why it matters, and how to fix it. Be specific and actionable.
Phase 5: Actually Fix Things (Remediation)
The report isn’t the end. It’s the beginning. Now a plan is needed to close the gaps.
Make a To-Do List: Create a detailed action plan with tasks, owners, and deadlines.
Focus on Quick Wins: Knock out a few easy, high-impact items first to build momentum.
Track Everything: Use a project plan to monitor progress and hold people accountable.
The Bottom Line: A gap analysis is a strategic investment, not a cost. It’s the difference between hoping you’ll pass your audit and knowing you will.