ISO/IEC 27001:2022

GAP ANALYSIS CHECKLIST

©2023 OPSCOMPLIX. All rights reserved.


www.linkedin.com/in/meetmarigona
0 PURPOSE AND INSTRUCTIONS

The purpose of this gap analysis checklist is to assess how well your organization's current processes conform to the requirements and controls of ISO/IEC 27001.

A gap analysis is typically conducted in the early stages of establishing an ISMS; however, organizations may perform subsequent analyses as part of ongoing monitoring and improvement activities. To make the most of the gap analysis process when setting up an Information Security Management System (ISMS), follow the step-by-step approach below:

Step 1. Identify Key Stakeholders: Identify the key stakeholders, including internal and external parties such as employees, customers, suppliers, regulators, and executive management. Understanding their needs and expectations shapes the ISMS and aligns it with organizational goals and compliance requirements.

Step 2. Define the ISMS Scope: Define the ISMS scope by outlining its boundaries and applicability within the organization. Specify which assets, processes, and activities are included and which are excluded. This aligns the scope with the organization's business objectives and takes into account the needs and expectations of relevant interested parties.

Step 3. Conduct a Preliminary Risk Assessment: Before the detailed risk assessment, carry out a preliminary assessment to systematically identify and prioritize potential risks to information security. This step provides a high-level overview of the organization's risk landscape, considering both internal and external factors that could affect the confidentiality, integrity, and availability of information.

Step 4. Perform the Gap Analysis: Conduct the gap analysis to understand the organization's existing information security practices and identify areas of non-compliance with ISO/IEC 27001. The analysis pinpoints areas of adherence and areas requiring improvement, forming the foundation for a well-defined roadmap to implement, validate, or maintain the ISMS.

1 ISMS FRAMEWORK

NO | REQUIREMENT | CURRENT STATE/REFERENCE | GAP

1 | 4.1: Has the organization established a process to identify and evaluate both external and internal factors that are relevant to its purpose and impact its ability to achieve the intended outcomes of its Information Security Management System (ISMS)? | |

2 | 4.2: Has the organization identified relevant interested parties, assessed their associated requirements, and determined which of these requirements will be addressed by the Information Security Management System (ISMS)? | |

3 | 4.3: Has the organization defined the boundaries and applicability of its Information Security Management System (ISMS) to establish its scope, considering external and internal issues, relevant requirements, and interfaces/dependencies with other organizations' activities? | |

4 | 4.4: Has the organization created, implemented, maintained, and continuously improved an Information Security Management System (ISMS), encompassing the necessary processes and their interactions? | |

5 | 5.1: Has the organization's top management demonstrated leadership and commitment to the ISMS by establishing aligned information security policies and objectives, integrating ISMS requirements into processes, ensuring resource availability, communicating importance, ensuring outcomes, directing support, promoting continual improvement, and aiding other relevant management roles in demonstrating leadership? | |

6 | 5.2: Has the organization's top management established an information security policy that is suitable for the organization's purposes, encompasses information security objectives or provides a framework for setting them, includes a commitment to fulfill applicable information security requirements, and commits to the continual improvement of the Information Security Management System (ISMS)? Additionally, is the information security policy documented, communicated within the organization, and made available to interested parties as deemed appropriate? | |

7 | 5.3: Has the organization's top management assigned and communicated responsibilities and authorities for roles relevant to information security, including ensuring ISMS conformity to standards and reporting on its performance to top management? | |

8 | 6.1 (6.1.1): Has the organization considered relevant issues and requirements, identified and addressed risks and opportunities, and integrated actions into ISMS processes to ensure intended outcomes, prevent undesired effects, and achieve continual improvement during the planning of its ISMS? Additionally, is the organization evaluating the effectiveness of these actions? | |

9 | 6.1 (6.1.2): Has the organization established and implemented an information security risk assessment process that defines criteria, ensures consistency, identifies and analyzes risks associated with information loss, evaluates those risks against established criteria, and prioritizes them for risk treatment? | |

10 | 6.1 (6.1.3): Has the organization established and implemented an information security risk treatment process that involves selecting suitable risk treatment options based on risk assessment results, determining necessary controls, comparing them with Annex A controls, producing a Statement of Applicability with justifications for inclusion/exclusion and implementation status, formulating a risk treatment plan, and obtaining risk owners' approval for the plan and acceptance of residual information security risks? | |

11 | 6.2: Has the organization established information security objectives at relevant functions and levels, ensuring they are consistent with the information security policy, measurable (if practicable), aligned with applicable requirements, and monitored, communicated, and updated as appropriate, with retention of documented information? Additionally, when planning to achieve these objectives, has the organization determined the actions, resources, responsibilities, timeline, and evaluation methods? | |

12 | 6.3: Has the organization, when identifying the need for changes to the ISMS, carried out the implementation of these changes in a planned manner? | |

13 | 7.1: Has the organization determined and provided the necessary resources for the establishment, implementation, maintenance, and continual improvement of the Information Security Management System (ISMS)? | |

14 | 7.2: Has the organization determined and ensured the necessary competence of individuals affecting its information security performance, taking actions as needed to acquire competence, evaluating the effectiveness of these actions, and retaining documented information as evidence of competence? | |

15 | 7.3: Has the organization informed individuals working under its control about the information security policy, their contribution to ISMS effectiveness, and the consequences of non-conformance with ISMS requirements? | |

16 | 7.4: Has the organization assessed the need for internal and external communications relevant to the ISMS, specifying what to communicate, when to communicate, with whom to communicate, and how to communicate? | |

17 | 7.5 (7.5.1): Has the organization ensured that its ISMS encompasses documented information required by relevant standards and determined by the organization as necessary for the effectiveness of the ISMS? | |

18 | 7.5 (7.5.2): When creating and updating documented information, has the organization ensured appropriate identification and description (including title, date, author, or reference number); determined a suitable format (such as language and software version) and media (such as paper or electronic); and subjected it to a review and approval process for suitability and adequacy? | |

19 | 7.5 (7.5.3): Has the organization controlled documented information required by the ISMS and the standard to ensure its availability and suitability for use when and where needed, as well as to provide adequate protection against issues such as loss of confidentiality, improper use, or loss of integrity? Additionally, has the organization addressed distribution, access, retrieval, use, storage, preservation (including legibility), changes (e.g., version control), retention, and disposition activities, as applicable? Moreover, has documented information of external origin deemed necessary for the planning and operation of the ISMS been appropriately identified and controlled? | |

20 | 8.1: Has the organization planned, implemented, and controlled processes to meet requirements and execute actions determined in Clause 6 by establishing process criteria and implementing process controls in accordance with the established criteria? | |

21 | 8.2: Has the organization conducted information security risk assessments at planned intervals or when significant changes are proposed or occur, considering the criteria established in 6.1.2 a)? | |

22 | 8.3: Has the organization executed the information security risk treatment plan as required? | |

23 | 9.1: Has the organization determined what needs to be monitored and measured, including information security processes and controls? Additionally, has the organization selected methods for monitoring and measurement that ensure valid, comparable, and reproducible results? Moreover, has the organization specified when and who shall perform the monitoring, and established criteria for the analysis and evaluation of results, while assigning responsibilities for these activities? | |

24 | 9.2 (9.2.1): Has the organization conducted internal audits at planned intervals to assess whether the ISMS conforms to both the organization's own requirements and the standard's requirements, and to evaluate the effective implementation and maintenance of the ISMS? | |

25 | 9.2 (9.2.2): Has the organization planned, established, implemented, and maintained an audit programme, considering process importance and previous audit results? Additionally, has the organization defined criteria and scope, selected auditors for objectivity, and ensured the reporting of audit results to relevant management? | |

26 | 9.3 (9.3.1): Has top management reviewed the organization's ISMS at planned intervals to ensure its ongoing suitability, adequacy, and effectiveness? | |

27 | 9.3 (9.3.2 & 9.3.3): In the management review process, has the organization considered the status of previous actions, changes in relevant external and internal issues, shifts in the needs and expectations of interested parties, feedback on information security performance, input from interested parties, results of risk assessment, and the status of the risk treatment plan, as well as opportunities for continual improvement? | |

28 | 10.1: Has the organization demonstrated a commitment to the continual improvement of the suitability, adequacy, and effectiveness of the Information Security Management System (ISMS)? | |

29 | 10.2: Has the organization, when a nonconformity occurs, reacted by taking action to control and correct it? Additionally, has the organization addressed the consequences, evaluated the need for action to eliminate causes and prevent recurrence, implemented necessary actions, reviewed the effectiveness of corrective measures, and made changes to the ISMS if deemed necessary, ensuring that corrective actions are appropriate to the effects of the encountered nonconformities? | |

2 ISMS CONTROLS

2.1 Organizational Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP

1 | 5.1: Has the organization defined, approved, published, communicated, and regularly reviewed its information security policy and topic-specific policies, ensuring acknowledgment by relevant personnel and interested parties? | ❑ Yes ❑ No | |

2 | 5.2: Has the organization established a defined, approved, and understood structure for the implementation, operation, and management of information security within the organization? | ❑ Yes ❑ No | |

3 | 5.3: Has the organization implemented measures to segregate conflicting duties and areas of responsibilities in accordance with information security policies? | ❑ Yes ❑ No | |

4 | 5.4: Does management require all personnel to apply information security in accordance with the established policies and procedures of the organization? | ❑ Yes ❑ No | |

5 | 5.5: Has the organization established and maintained contact with relevant authorities as part of its information security practices? | ❑ Yes ❑ No | |

6 | 5.6: Does the organization actively establish and maintain contact with special interest groups, security forums, or professional associations to enhance information security? | ❑ Yes ❑ No | |

7 | 5.7: Is information relating to information security threats collected and analyzed to produce threat intelligence? | ❑ Yes ❑ No | |

8 | 5.8: Is information security integrated into project management processes within the organization? | ❑ Yes ❑ No | |

9 | 5.9: Has the organization developed and maintained an inventory of information and associated assets, including owners? | ❑ Yes ❑ No | |

10 | 5.10: Have rules for acceptable use and procedures for handling information and associated assets been identified, documented, and implemented? | ❑ Yes ❑ No | |

11 | 5.11: Do personnel and other relevant parties return all organization assets in their possession upon change or termination of employment, contract, or agreement? | ❑ Yes ❑ No | |

12 | 5.12: Has the organization classified information based on confidentiality, integrity, availability, and relevant interested party requirements? | ❑ Yes ❑ No | |

13 | 5.13: Is there an appropriate set of procedures for information labelling in accordance with the organization's information classification scheme? | ❑ Yes ❑ No | |

14 | 5.14: Are there established rules, procedures, or agreements for information transfer within the organization and with other parties? | ❑ Yes ❑ No | |

15 | 5.15: Have rules to control physical and logical access to information and associated assets been established and implemented based on business and information security requirements? | ❑ Yes ❑ No | |

16 | 5.16: Is the full life cycle of identities managed within the organization? | ❑ Yes ❑ No | |

17 | 5.17: Is the allocation and management of authentication information controlled by a management process, including advising personnel on the appropriate handling of authentication information? | ❑ Yes ❑ No | |

18 | 5.18: Are access rights to information and other associated assets provisioned, reviewed, modified, and removed in accordance with the organization’s topic-specific policy on and rules for access control? | ❑ Yes ❑ No | |

19 | 5.19: Have processes and procedures been defined and implemented to manage the information security risks associated with the use of suppliers’ products or services? | ❑ Yes ❑ No | |

20 | 5.20: Have relevant information security requirements been established and agreed with each supplier based on the type of supplier relationship? | ❑ Yes ❑ No | |

21 | 5.21: Have processes and procedures been defined and implemented to manage the information security risks associated with the ICT products and services supply chain? | ❑ Yes ❑ No | |

22 | 5.22: Does the organization regularly monitor, review, evaluate, and manage change in supplier information security practices and service delivery? | ❑ Yes ❑ No | |

23 | 5.23: Have processes for acquisition, use, management, and exit from cloud services been established in accordance with the organization’s information security requirements? | ❑ Yes ❑ No | |

24 | 5.24: Has the organization planned and prepared for managing information security incidents by defining, establishing, and communicating information security incident management processes, roles, and responsibilities? | ❑ Yes ❑ No | |

25 | 5.25: Does the organization assess information security events and decide if they are to be categorized as information security incidents? | ❑ Yes ❑ No | |

26 | 5.26: Are information security incidents responded to in accordance with the documented procedures? | ❑ Yes ❑ No | |

27 | 5.27: Is knowledge gained from information security incidents used to strengthen and improve the information security controls? | ❑ Yes ❑ No | |

28 | 5.28: Has the organization established and implemented procedures for the identification, collection, acquisition, and preservation of evidence related to information security events? | ❑ Yes ❑ No | |

29 | 5.29: Has the organization planned how to maintain information security at an appropriate level during disruption? | ❑ Yes ❑ No | |

30 | 5.30: Is there a plan in place to ensure the availability of the organization’s information and other associated assets during disruption? | ❑ Yes ❑ No | |

31 | 5.31: Have legal, statutory, regulatory, and contractual requirements relevant to information security and the organization’s approach to meet these requirements been identified, documented, and kept up to date? | ❑ Yes ❑ No | |

32 | 5.32: Have appropriate procedures been implemented to protect intellectual property rights? | ❑ Yes ❑ No | |

33 | 5.33: Are records protected from loss, destruction, unauthorized access, and unauthorized release? | ❑ Yes ❑ No | |

34 | 5.34: Has the organization identified and met the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements? | ❑ Yes ❑ No | |

35 | 5.35: Is the organization’s approach to managing information security and its implementation, including people, processes, and technologies, reviewed independently at planned intervals or when significant changes occur? | ❑ Yes ❑ No | |

36 | 5.36: Is compliance with the organization’s information security policy, topic-specific policies, rules, and standards regularly reviewed? | ❑ Yes ❑ No | |

37 | 5.37: Have operating procedures for information processing facilities been documented and made available to personnel who need them? | ❑ Yes ❑ No | |

2.2 People Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP

1 | 6.1: Has the organization implemented background verification checks on all candidates to become personnel, both prior to joining the organization and on an ongoing basis, considering applicable laws, regulations, and ethics, and proportionate to business requirements, information classification, and perceived risks? | ❑ Yes ❑ No | |

2 | 6.2: Do the employment contractual agreements explicitly state the responsibilities for information security of both the personnel and the organization? | ❑ Yes ❑ No | |

3 | 6.3: Do personnel of the organization and relevant interested parties receive appropriate information security awareness, education, and training, including regular updates of the organization’s information security policy, topic-specific policies, and procedures, as relevant to their job function? | ❑ Yes ❑ No | |

4 | 6.4: Has the organization formalized and communicated a disciplinary process to take actions against personnel and other relevant interested parties who have committed an information security policy violation? | ❑ Yes ❑ No | |

5 | 6.5: Are information security responsibilities and duties that remain valid after termination or change of employment defined, enforced, and communicated to relevant personnel and other interested parties? | ❑ Yes ❑ No | |

6 | 6.6: Have confidentiality or non-disclosure agreements, reflecting the organization’s needs for the protection of information, been identified, documented, regularly reviewed, and signed by personnel and other relevant interested parties? | ❑ Yes ❑ No | |

7 | 6.7: Are security measures implemented when personnel are working remotely to protect information accessed, processed, or stored outside the organization’s premises? | ❑ Yes ❑ No | |

8 | 6.8: Does the organization provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner? | ❑ Yes ❑ No | |

2.3 Physical Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP

1 | 7.1: Have security perimeters been defined and used to protect areas containing information and other associated assets? | ❑ Yes ❑ No | |

2 | 7.2: Are secure areas protected by appropriate entry controls and access points? | ❑ Yes ❑ No | |

3 | 7.3: Has physical security for offices, rooms, and facilities been designed and implemented? | ❑ Yes ❑ No | |

4 | 7.4: Is continuous monitoring in place to detect unauthorized physical access to premises? | ❑ Yes ❑ No | |

5 | 7.5: Has protection against physical and environmental threats, including natural disasters and intentional or unintentional threats to infrastructure, been designed and implemented? | ❑ Yes ❑ No | |

6 | 7.6: Is security awareness for working in secure areas designed and implemented? | ❑ Yes ❑ No | |

7 | 7.7: Have clear desk rules for papers and removable storage media, as well as clear screen rules for information processing facilities, been defined and appropriately enforced? | ❑ Yes ❑ No | |

8 | 7.8: Are equipment locations secure and adequately protected? | ❑ Yes ❑ No | |

9 | 7.9: Have off-site assets been adequately protected? | ❑ Yes ❑ No | |

10 | 7.10: Is the life cycle management of storage media, including acquisition, use, transportation, and disposal, carried out in accordance with the organization’s classification scheme and handling requirements? | ❑ Yes ❑ No | |

11 | 7.11: Are information processing facilities protected from power failures and other disruptions caused by failures in supporting utilities? | ❑ Yes ❑ No | |

12 | 7.12: Are cables carrying power, data, or supporting information services protected from interception, interference, or damage? | ❑ Yes ❑ No | |

13 | 7.13: Is equipment maintained correctly to ensure the availability, integrity, and confidentiality of information? | ❑ Yes ❑ No | |

14 | 7.14: Are items of equipment containing storage media verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use? | ❑ Yes ❑ No | |

2.4 Technological Controls

NO | REQUIREMENT | APPLICABILITY | CURRENT STATE/REFERENCE | GAP

1 | 8.1: Is information stored on, processed by, or accessible via user endpoint devices protected? | ❑ Yes ❑ No | |

2 | 8.2: Are the allocation and use of privileged access rights restricted and managed? | ❑ Yes ❑ No | |

3 | 8.3: Is access to information and other associated assets restricted in accordance with the established topic-specific policy on access control? | ❑ Yes ❑ No | |

4 | 8.4: Is read and write access to source code, development tools, and software libraries appropriately managed? | ❑ Yes ❑ No | |

5 | 8.5: Have secure authentication technologies and procedures been implemented based on information access restrictions and the topic-specific policy on access control? | ❑ Yes ❑ No | |

6 | 8.6: Is the use of resources monitored and adjusted in line with current and expected capacity requirements? | ❑ Yes ❑ No | |

7 | 8.7: Is protection against malware implemented and supported by appropriate user awareness? | ❑ Yes ❑ No | |

8 | 8.8: Is information about technical vulnerabilities of information systems in use obtained, evaluated, and appropriate measures taken to address the organization’s exposure to such vulnerabilities? | ❑ Yes ❑ No | |

9 | 8.9: Have configurations, including security configurations, of hardware, software, services, and networks been established, documented, implemented, monitored, and reviewed? | ❑ Yes ❑ No | |

10 | 8.10: Is information stored in information systems, devices, or any other storage media deleted when no longer required? | ❑ Yes ❑ No | |

11 | 8.11: Is data masking used in accordance with the organization’s topic-specific policy on access control, other related topic-specific policies, and business requirements, taking applicable legislation into consideration? | ❑ Yes ❑ No | |

12 | 8.12: Have data leakage prevention measures been applied to systems, networks, and any other devices that process, store, or transmit sensitive information? | ❑ Yes ❑ No | |

13 | 8.13: Are backup copies of information, software, and systems maintained and regularly tested in accordance with the agreed topic-specific policy on backup? | ❑ Yes ❑ No | |

14 | 8.14: Have information processing facilities been implemented with redundancy sufficient to meet availability requirements? | ❑ Yes ❑ No | |

15 | 8.15: Are logs that record activities, exceptions, faults, and other relevant events produced, stored, protected, and analyzed? | ❑ Yes ❑ No | |

16 | 8.16: Are networks, systems, and applications monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents? | ❑ Yes ❑ No | |

17 | 8.17: Are the clocks of information processing systems used by the organization synchronized to approved time sources? | ❑ Yes ❑ No | |

18 | 8.18: Is the use of utility programs capable of overriding system and application controls restricted and tightly controlled? | ❑ Yes ❑ No | |

19 | 8.19: Have procedures and measures been implemented to securely manage software installation on operational systems? | ❑ Yes ❑ No | |

20 | 8.20: Are networks and network devices secured, managed, and controlled to protect information in systems and applications? | ❑ Yes ❑ No | |

21 | 8.21: Have security mechanisms, service levels, and service requirements of network services been identified, implemented, and monitored? | ❑ Yes ❑ No | |

22 | 8.22: Are groups of information services, users, and information systems segregated in the organization’s networks? | ❑ Yes ❑ No | |

23 | 8.23: Is access to external websites managed to reduce exposure to malicious content? | ❑ Yes ❑ No | |

24 | 8.24: Have rules for the effective use of cryptography, including cryptographic key management, been defined and implemented? | ❑ Yes ❑ No | |

25 | 8.25: Have rules for the secure development of software and systems been established and applied? | ❑ Yes ❑ No | |

26 | 8.26: Have information security requirements been identified, specified, and approved when developing or acquiring applications? | ❑ Yes ❑ No | |

27 | 8.27: Have principles for engineering secure systems been established, documented, maintained, and applied to any information system development activities? | ❑ Yes ❑ No | |

28 | 8.28: Are secure coding principles applied to software development? | ❑ Yes ❑ No | |

29 | 8.29: Have security testing processes been defined and implemented in the development life cycle? | ❑ Yes ❑ No | |

30 | 8.30: Is the organization directing, monitoring, and reviewing activities related to outsourced system development? | ❑ Yes ❑ No | |

31 | 8.31: Are development, testing, and production environments separated and secured? | ❑ Yes ❑ No | |

32 | 8.32: Are changes to information processing facilities and information systems subject to change management procedures? | ❑ Yes ❑ No | |

33 | 8.33: Is test information appropriately selected, protected, and managed? | ❑ Yes ❑ No | |

34 | 8.34: Are audit tests and other assurance activities involving the assessment of operational systems planned and agreed between the tester and appropriate management? | ❑ Yes ❑ No | |
