ISO/IEC 27001 Information Security Gap Analysis Tool

Understanding the Organization and Its Context (Clause 4) (ISO/IEC Guidance)

Have you identified internal and external issues affecting your ISMS?

Yes

Maybe

No

Is the scope of your ISMS defined based on risk, technology, and business context?

Yes

Maybe

No

Are interested parties and their information security requirements documented?

Yes

Maybe

No

Is your information security context reviewed and updated regularly?

Yes

Maybe

No

Leadership (Clause 5) (ISO/IEC Guidance)

Does top management actively lead and support information security efforts?

Yes

Maybe

No

Is an information security policy in place, approved, and communicated across the organization?

Yes

Maybe

No

Are information security roles and responsibilities clearly assigned?

Yes

Maybe

No

Are leaders accountable for ensuring ISMS objectives align with business strategy?

Yes

Maybe

No

Planning (Clause 6) (ISO/IEC Guidance)

Are information security risks identified, assessed, and prioritized using a defined methodology?

Yes

Maybe

No

Are opportunities to enhance security identified and incorporated into plans?

Yes

Maybe

No

Are legal, contractual, and regulatory security requirements analyzed during planning?

Yes

Maybe

No

Are objectives for ISMS measurable and regularly monitored?

Yes

Maybe

No

Support (Clause 7) (ISO/IEC Guidance)

Are competent personnel appointed for managing and maintaining the ISMS?

Yes

Maybe

No

Is awareness and training provided regarding cybersecurity and data protection?

Yes

Maybe

No

Is internal and external communication for ISMS effective and secure?

Yes

Maybe

No

Is documented information for ISMS processes maintained and protected?

Yes

Maybe

No

Operation (Clause 8) (ISO/IEC Guidance)

Are operational controls implemented to manage identified risks to confidentiality, integrity, and availability?

Yes

Maybe

No

Is risk treatment performed according to defined risk acceptance criteria?

Yes

Maybe

No

Are outsourced providers and third-party services evaluated for information security compliance?

Yes

Maybe

No

Are business continuity and disaster recovery integrated into operations?

Yes

Maybe

No

Are controls from ISO/IEC 27001 Annex A (e.g., access control, encryption) appropriately applied?

Yes

Maybe

No

Performance Evaluation (Clause 9) (ISO/IEC Guidance)

Is the performance of the ISMS monitored, measured, and evaluated systematically?

Yes

Maybe

No

Are security incidents and breaches tracked and reported?

Yes

Maybe

No

Are internal audits conducted to verify ISMS effectiveness?

Yes

Maybe

No

Is management review held to assess ISMS fitness, suitability, and continual improvement?

Yes

Maybe

No

Improvement (Clause 10) (ISO/IEC Guidance)

Are nonconformities in the ISMS investigated and corrected with root cause analysis?

Yes

Maybe

No

Is continual improvement a documented goal of your information security management approach?

Yes

Maybe

No

Are lessons learned from incidents used to enhance your ISMS?

Yes

Maybe

No

Are updates to policies and procedures based on improvement findings applied promptly?

Yes

Maybe

No

ISO/IEC 27001 Gap Analysis Tool

Understanding the Organization and Its Context (Clause 4) (ISO/IEC Guidance)

Leadership (Clause 5) (ISO/IEC Guidance)

Planning (Clause 6) (ISO/IEC Guidance)

Support (Clause 7) (ISO/IEC Guidance)

Operation (Clause 8) (ISO/IEC Guidance)

Performance Evaluation (Clause 9) (ISO/IEC Guidance)

Improvement (Clause 10) (ISO/IEC Guidance)