The ISO 27001 Gap Assessment evaluates your Information Security Management System (ISMS) against the requirements of ISO/IEC 27001:2022. The assessment covers the mandatory clauses (4 through 10) that define the ISMS management system requirements, as well as the applicable Annex A controls identified in your Statement of Applicability (SoA).

Assessment Structure

The gap assessment is organised into two parts:

Part 1: ISMS Clauses (4–10)

These clauses define the "shall" requirements for the management system itself. Every clause must be addressed regardless of your ISMS scope:

| Clause | Title | Key Areas Assessed |
|---|---|---|
| Clause 4 | Context of the Organisation | Understanding the organisation and its context, needs and expectations of interested parties, scope of the ISMS, the ISMS and its processes |
| Clause 5 | Leadership | Leadership and commitment, information security policy, organisational roles, responsibilities and authorities |
| Clause 6 | Planning | Actions to address risks and opportunities, information security objectives and planning to achieve them, planning of changes |
| Clause 7 | Support | Resources, competence, awareness, communication, documented information (creation, updating, control) |
| Clause 8 | Operation | Operational planning and control, information security risk assessment, information security risk treatment |
| Clause 9 | Performance Evaluation | Monitoring, measurement, analysis and evaluation, internal audit, management review |
| Clause 10 | Improvement | Continual improvement, nonconformity and corrective action |

Part 2: Annex A Controls

The gap assessment for Annex A controls is linked to your Statement of Applicability. Only controls marked as "Applicable" in the SoA are included in the gap assessment. This ensures you are only assessed against controls relevant to your ISMS scope.

Maturity Scoring

Each assessment question is scored on the same 0–4 maturity scale used across all Venvera gap assessments:

| Score | Level | Description |
|---|---|---|
| 0 | Not Implemented | No evidence of the requirement being addressed. No policies, procedures, or controls exist. |
| 1 | Initial | Ad-hoc or reactive approach. Some awareness exists but practices are informal, undocumented, and inconsistent. |
| 2 | Developing | Basic processes are being established. Some documentation exists. Practices are applied in some areas but not consistently organisation-wide. |
| 3 | Defined | Formal, documented processes are established and consistently applied. Policies are approved, communicated, and reviewed. Evidence is maintained. |
| 4 | Optimised | Mature, continuously improving processes driven by metrics. Regular testing, review, and enhancement. Proactive approach with industry best practices adopted. |

ℹ️ For ISO 27001 certification, a score of 3 (Defined) or above is generally expected for all mandatory clause requirements. Annex A controls may have a mix of scores, but any control scored below 2 represents a significant gap that will likely result in audit findings.

Results

The results page displays your assessment findings in several views:

Clause Scores

A bar chart shows the maturity score for each clause (4 through 10). This highlights which management system areas are strongest and which need the most work. Each bar is colour-coded by maturity level.

Overall Percentage

Your overall ISO 27001 compliance percentage is calculated by combining clause scores and Annex A control scores. The formula converts the average maturity score (0–4 scale) to a percentage (0–100%).

Annex A Category Scores

Scores for the four Annex A categories (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological) are shown separately, allowing you to identify which control domains need improvement.

Remediation Plan Generation

The system automatically generates a remediation plan based on your assessment results:

  • Critical items (score 0) — flagged for immediate action with suggested 30-day target
  • High priority items (score 1) — 60-day target
  • Medium priority items (score 2) — 90-day target
  • Items scored 3 or 4 are not included in the remediation plan

Each remediation item includes the clause or control reference, current score, target score, recommended actions, and an assignable owner field.

Comparison with SoA

The gap assessment results page includes a comparison view with your Statement of Applicability. This cross-reference identifies the following inconsistencies:

  • Controls marked as "Full" implementation in the SoA but scored below 3 in the gap assessment
  • Controls marked as "Not Started" in the SoA but scored above 0 in the gap assessment
  • Controls not yet assessed in either the SoA or gap assessment

Resolving these inconsistencies ensures your SoA and gap assessment are aligned and present a coherent picture to auditors.
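The remediation-plan rules and the three SoA cross-checks described above, worked through on constructed sample data. This is an added illustration, not Venvera's own code; the input dictionaries, the 30/60/90-day targets starting from a chosen assessment date, and the target score of 3 are assumptions taken from the text.

```python
from datetime import date, timedelta

# Remediation priorities from the page: score 0 -> 30 days, 1 -> 60, 2 -> 90.
# Items scored 3 or 4 are excluded from the plan.
TARGET_DAYS = {0: ("Critical", 30), 1: ("High", 60), 2: ("Medium", 90)}


def remediation_plan(scores, assessed_on, target_score=3):
    """scores: {clause_or_control_reference: current 0-4 score}.
    Returns one item per reference scoring below 3, with an empty owner field."""
    plan = []
    for ref, score in sorted(scores.items()):
        if score not in TARGET_DAYS:
            continue  # scored 3 or 4: nothing to remediate
        priority, days = TARGET_DAYS[score]
        plan.append({"reference": ref, "current": score, "target": target_score,
                     "priority": priority, "due": assessed_on + timedelta(days=days),
                     "owner": None})
    return plan


def soa_inconsistencies(soa, control_scores):
    """soa: {control: 'Full' | 'Partial' | 'Not Started'} for Annex A controls.
    control_scores: {control: 0-4} from the gap assessment (Annex A only).
    Returns {control: reason} for the three mismatch rules on the page."""
    issues = {}
    for control in sorted(set(soa) | set(control_scores)):
        status, score = soa.get(control), control_scores.get(control)
        if status is None or score is None:
            issues[control] = "not yet assessed in the SoA or in the gap assessment"
        elif status == "Full" and score < 3:
            issues[control] = "SoA says Full implementation but gap score is below 3"
        elif status == "Not Started" and score > 0:
            issues[control] = "SoA says Not Started but gap score is above 0"
    return issues


# Constructed sample data (hypothetical scores, not a real assessment).
SAMPLE_SCORES = {"Clause 4": 3, "Clause 6": 1, "A.5.1": 2, "A.8.8": 0, "A.8.16": 4}
SAMPLE_SOA = {"A.5.1": "Full", "A.8.8": "Not Started", "A.8.16": "Full", "A.6.3": "Partial"}
ANNEX_A_SCORES = {k: v for k, v in SAMPLE_SCORES.items() if k.startswith("A.")}

if __name__ == "__main__":
    for item in remediation_plan(SAMPLE_SCORES, date(2024, 1, 1)):
        print(item)
    for control, reason in soa_inconsistencies(SAMPLE_SOA, ANNEX_A_SCORES).items():
        print(control, "-", reason)
```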

💡 Run the gap assessment before your first internal audit to identify areas needing improvement. Then reassess after implementing corrective actions to measure progress. Aim to have all clause requirements at score 3 or above and all applicable Annex A controls at score 2 or above before scheduling your Stage 1 certification audit.

⚠️ The gap assessment is a self-assessment tool. Scores should be evidence-based and honest. Over-scoring will create a false sense of readiness and lead to unexpected findings during certification audits. Involve subject matter experts from relevant departments to ensure accurate scoring.