ISO/IEC 27001 sets out the requirements for an information security management system (ISMS). A gap analysis tells you how far your current controls are from those requirements - and what to do about it.
What the gap analysis covers
- Control mapping - assess your current controls against the ISO/IEC 27001 controls and requirements.
- Gaps - see clearly where you do not yet meet the standard, prioritised for action.
- Risk assessment and treatment - identify information-security risks and plan how you will treat them.
- Statement of Applicability - capture which controls apply and why, ready to compile into an SoA.
- Evidence and internal audit prep - collect evidence as you go so an internal audit is not a scramble.
Built toward certification, not a replacement for it
ISO 27001 certification is issued by an accredited certification body after an independent audit. This tool does not certify you - it gets you ready: organised controls, a clear risk picture, and the evidence a certification audit will ask for. It pairs with the cyber risk register so your ISMS risks live in one place.
Frequently asked questions
What is ISO 27001?
ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS) - a systematic way to manage the risks to the information an organisation holds.
Can this tool certify us to ISO 27001?
No. Certification is issued by an accredited certification body after an independent audit. The tool helps you prepare - mapping controls, finding gaps and collecting evidence.
What is a Statement of Applicability?
The Statement of Applicability (SoA) records which controls apply to your ISMS and why. The tool helps you capture the inputs for it as you work through the gap analysis.