
ISO 27001 Gap Assessment SOP

Standard Operating Procedure for ISO 27001 readiness assessments

Service Pillar: Protect
Service Category: Compliance Gap Assessment
Target Duration: 4-6 weeks
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct comprehensive ISO 27001 gap assessments that evaluate an organization's controls against the ISO/IEC 27001:2022 standard and prepare clients for a successful certification audit.

Target Personas

| Persona | Primary Pain Point | Value Case |
|---|---|---|
| CTO/VP Engineering | Enterprise customers requiring ISO certification | Global market access |
| Managing Partner (Legal) | International client requirements, data protection | Client trust and retention |
| CFO/Controller | Compliance investment decisions, ROI validation | Cost-justified security investment |

Business Justification

| Metric | Value | Source |
|---|---|---|
| Organizations with ISO 27001 certification | 70,000+ globally | ISO Survey 2023 |
| ISO 27001 certification cost | $50,000-$200,000 | Advisera ISO 27001 Cost Analysis |
| Time to certification (traditional) | 12-18 months | ISMS.online 2024 |
| SBK average time to certification | 6-9 months | SBK client data |
| Competitive advantage from certification | 68% report increased business | BSI Benefits Study |

Pricing Reference

| Tier | Scope | Price Range | Duration |
|---|---|---|---|
| Standard | <100 employees, single location | $25,000-$30,000 | 4 weeks |
| Professional | 100-300 employees, multiple locations | $30,000-$40,000 | 5-6 weeks |
| Enterprise | 300+ employees, complex environment | $40,000-$60,000 | 6-8 weeks |

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Management commitment to certification confirmed
  • ISMS scope boundaries defined
  • Key stakeholders available
  • Existing documentation accessible
  • Certification body selected or shortlisted
  • Budget for full implementation approved

Required Information Gathering

| Category | Documents Needed |
|---|---|
| Organizational | Org chart, locations, business units, interested parties |
| Documentation | Existing policies, procedures, risk assessments |
| Technology | Asset inventory, network diagrams, system architecture |
| Legal/Regulatory | Contractual requirements, regulatory obligations |
| Risk | Previous risk assessments, incident history |

Scope Definition Considerations

| Scope Factor | Description |
|---|---|
| Organizational scope | Which business units, departments, locations |
| Information scope | What information assets are in scope |
| Technology scope | Which systems, applications, infrastructure |
| Process scope | Which business processes are covered |
| Physical scope | Which facilities are included |

Assessment Framework

ISO 27001:2022 Structure

| Clause | Title | Focus Areas |
|---|---|---|
| Clause 4 | Context of the Organization | Understanding needs, scope, ISMS |
| Clause 5 | Leadership | Commitment, policy, roles |
| Clause 6 | Planning | Risk assessment, objectives, planning of changes |
| Clause 7 | Support | Resources, competence, awareness, communication, documentation |
| Clause 8 | Operation | Operational planning, risk treatment |
| Clause 9 | Performance Evaluation | Monitoring, internal audit, management review |
| Clause 10 | Improvement | Nonconformity, continual improvement |

Annex A Controls (2022 Update)

| Control Category | Controls | Focus Areas |
|---|---|---|
| Organizational (37) | A.5 | Policies, asset management, access control, supplier relationships |
| People (8) | A.6 | Screening, employment terms, awareness, termination |
| Physical (14) | A.7 | Perimeters, offices, equipment, cabling |
| Technological (34) | A.8 | Endpoints, access rights, malware, backup, logging, development |

Total Controls: 93 (reduced from 114 in the 2013 version)

New Controls in 2022 Version

| Control | Description |
|---|---|
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |

Assessment Process

Phase 1: Context and Planning (Days 1-5)

Objective: Understand the organization's context and the ISMS scope

| Activity | Deliverable | Duration |
|---|---|---|
| Kickoff meeting | Aligned expectations | 0.5 day |
| Context analysis (Clause 4) | Interested parties register | 1 day |
| Scope definition | ISMS scope statement | 0.5 day |
| Legal/regulatory review | Obligations register | 1 day |
| Planning and scheduling | Assessment plan | 0.5 day |

Clause 4 Assessment Focus

| Requirement | Assessment Questions |
|---|---|
| 4.1 Context | What external/internal issues affect the ISMS? |
| 4.2 Interested parties | Who are the stakeholders, and what are their requirements? |
| 4.3 Scope | What are the boundaries of the ISMS? |
| 4.4 ISMS | Are processes established to meet the requirements? |

Phase 2: Leadership and Planning Assessment (Days 5-10)

Objective: Evaluate governance and risk management

| Activity | Deliverable | Duration |
|---|---|---|
| Leadership interviews (Clause 5) | Leadership commitment evidence | 1 day |
| Policy review | Policy gap analysis | 1 day |
| Risk assessment review (Clause 6) | Risk methodology evaluation | 1.5 days |
| Objectives assessment | Objectives gap analysis | 0.5 day |

Clause 5 Assessment Focus

| Requirement | Assessment Evidence |
|---|---|
| 5.1 Leadership | Management commitment, resources, communication |
| 5.2 Policy | IS policy existence, appropriateness, communication |
| 5.3 Roles | Responsibilities assigned, authority defined |

Clause 6 Assessment Focus

| Requirement | Assessment Evidence |
|---|---|
| 6.1 Risk | Risk assessment methodology, risk treatment plan |
| 6.2 Objectives | Measurable objectives, planning to achieve them |
| 6.3 Changes | Planning of changes to the ISMS |

Phase 3: Support and Operations Assessment (Days 10-20)

Objective: Evaluate supporting infrastructure and operations

| Activity | Deliverable | Duration |
|---|---|---|
| Resource assessment (Clause 7) | Resource gap analysis | 2 days |
| Documentation review | Document inventory and gaps | 2 days |
| Annex A controls assessment | Control implementation status | 5 days |
| Technical validation | Technical findings | 2 days |

Clause 7 Assessment Focus

| Requirement | Assessment Evidence |
|---|---|
| 7.1 Resources | Adequate resources provided |
| 7.2 Competence | Skills identified, training provided |
| 7.3 Awareness | Security awareness program |
| 7.4 Communication | Internal/external communication processes |
| 7.5 Documentation | Document control, retention |

Phase 4: Performance and Improvement Assessment (Days 18-22)

Objective: Evaluate monitoring, measurement, and improvement

| Activity | Deliverable | Duration |
|---|---|---|
| Monitoring and measurement (Clause 9) | Metrics gap analysis | 1 day |
| Internal audit review | Audit program assessment | 1 day |
| Management review assessment | Review process evaluation | 0.5 day |
| Improvement processes (Clause 10) | Continual improvement gaps | 0.5 day |

Phase 5: Reporting (Days 20-28)

Objective: Document findings and create the implementation roadmap

| Activity | Deliverable | Duration |
|---|---|---|
| Finding consolidation | Comprehensive gap matrix | 1 day |
| Remediation planning | Implementation roadmap | 2 days |
| Report drafting | Draft assessment report | 2 days |
| Client review | Feedback incorporation | 2 days |
| Final delivery | Complete gap assessment | 1 day |

Gap Rating Methodology

Maturity Levels

| Level | Definition | Certification Readiness |
|---|---|---|
| 5 - Optimizing | Control continuously improved, metrics-driven | Audit-ready |
| 4 - Managed | Control measured, performance tracked | Minor adjustments |
| 3 - Defined | Control documented, consistently applied | 1-2 months remediation |
| 2 - Repeatable | Control exists but informal | 3-4 months remediation |
| 1 - Initial | Ad-hoc, not documented | 6+ months remediation |
| 0 - Non-existent | No control in place | Significant development needed |

Priority Classification

| Priority | Definition | Impact on Certification |
|---|---|---|
| Critical | Mandatory requirement not met | Blocks certification |
| High | Significant gap in control implementation | Likely major nonconformity |
| Medium | Partial implementation or minor gaps | Likely minor nonconformity |
| Low | Opportunity for improvement | Observation |

Deliverables

ISO 27001 Readiness Report

Structure:

  1. Executive Summary
     • Assessment scope and approach
     • Overall readiness score
     • Certification timeline estimate
     • Investment requirements

  2. ISMS Scope Definition
     • Recommended scope boundaries
     • Exclusions with justification
     • Interface points

  3. Clause-by-Clause Assessment
     • Clauses 4-10 gap analysis
     • Evidence reviewed
     • Findings and recommendations

  4. Annex A Control Assessment
     • All 93 controls evaluated
     • Implementation status
     • Applicability determination
     • Gap identification

  5. Statement of Applicability (Draft)
     • Control selection rationale
     • Exclusion justifications

  6. Implementation Roadmap
     • Prioritized action items
     • Resource estimates
     • Timeline to certification
     • Milestone checkpoints

Supporting Materials

| Material | Purpose |
|---|---|
| Gap matrix spreadsheet | Detailed control-by-control status |
| Policy templates | Address documentation gaps |
| Risk assessment template | ISMS-compliant risk methodology |
| SoA template | Statement of Applicability format |
| Internal audit checklist | Pre-certification audit preparation |

Certification Pathway

Timeline to Certification

| Phase | Duration | Activities |
|---|---|---|
| Gap Assessment | 4-6 weeks | This engagement |
| Implementation | 3-6 months | Control implementation, documentation |
| Internal Audit | 2-4 weeks | Pre-certification validation |
| Stage 1 Audit | 1-2 days | Documentation review |
| Stage 2 Audit | 2-5 days | Implementation verification |
| Certification | 2-4 weeks | Certificate issuance |

Certification Body Selection Considerations

| Factor | Considerations |
|---|---|
| Accreditation | UKAS, ANAB, or equivalent accreditation |
| Industry expertise | Experience in the client's industry |
| Global presence | If multi-location certification is needed |
| Pricing | Audit day rates, surveillance costs |
| Availability | Lead times for audit scheduling |

Quality Assurance

Internal Review Checklist

  • All ISO 27001 clauses addressed
  • All Annex A controls evaluated
  • Gap ratings consistent and justified
  • Recommendations are actionable
  • Timeline is realistic
  • Resource estimates included
  • Statement of Applicability draft provided

Client Review Process

  1. Draft report delivery
  2. 5-business-day review period
  3. Questions/clarifications call
  4. Final report delivery
  5. Implementation planning session

Post-Delivery

Implementation Support Options

| Option | Scope | Investment |
|---|---|---|
| Self-Implementation | Report + templates only | Included |
| Guided Implementation | Monthly check-ins, Q&A | $3,000-$5,000/month |
| Full Implementation | Hands-on control implementation | Custom scoping |

Pre-Certification Services

| Service | Description |
|---|---|
| Internal audit | Pre-certification internal audit |
| Management review | Facilitated management review |
| Stage 1 preparation | Documentation review and gap closure |
| Stage 2 readiness | Final readiness assessment |

| Service | Connection | SOP Reference |
|---|---|---|
| SOC 2 Gap Assessment | Related compliance framework | soc2-gap-sop.md |
| Risk Assessment | Core ISMS requirement | risk-assessment-sop.md |
| Security Policy Development | Documentation requirements | security-policy-sop.md |
| vCISO | Ongoing ISMS management | vcto-vciso-engagement-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
|---|---|---|
| Gap assessment reduces audit risk | 85% first-time certification success | SBK client data |
| ISO 27001:2022 structure is clearer | 20% fewer controls with better organization | ISO/IEC 27001:2022 |
| Business benefits of certification | 68% report increased revenue | BSI Benefits Study |
| Risk-based approach improves security | Aligns security with business objectives | ISACA Framework Analysis |

SBK Success Metrics

| Metric | Target | Measurement |
|---|---|---|
| First-time certification pass | 95%+ | Audit outcomes |
| Time to certification | <9 months | Client tracking |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| Implementation engagement rate | 65%+ | Sales tracking |

Regulatory References


Last Updated: February 2026
Version: 1.0