
ISO 27001 gap analysis vs. risk assessment

Author: Dejan Kosutic

Very often I see people confuse gap analysis with risk assessment – which is understandable, since the purpose of both is to identify deficiencies in their company’s information security. However, from the perspective of ISO 27001, and from the perspective of a certification auditor, these two are quite different. Here’s why:

What is ISO 27001 gap analysis?

Gap analysis is nothing but reading each clause of ISO 27001 and analyzing if that requirement is already implemented in your company. When you do so, you can either say Yes or No, or you could use a scale similar to this:

0 – requirement not implemented nor planned;

1 – requirement is planned but not implemented;

2 – requirement is implemented only partially, so that full effects cannot be expected;

3 – requirement is implemented, but measurement, review and improvement are not performed; and

4 – requirement is implemented and measurement, review and improvement are performed regularly.

Gap analysis is mandatory in ISO 27001, but only when developing your Statement of Applicability – clause 6.1.3 d) says you need to determine “… whether they [the necessary controls] are implemented or not.”

Therefore, you don’t need to perform the gap analysis for clauses of the main part of the standard – only for the controls from Annex A. Further, gap analysis doesn’t need to be performed before the start of ISO 27001 implementation – you must do it only after the risk assessment and treatment.

What is risk assessment?

Risk assessment is a crucial step in Information Security Management System (ISMS) implementation because it tells you the following: you should implement security controls (safeguards) only if there are risks (potential incidents) that would justify that particular control. In other words, the higher the risk, the more you need to invest in controls; but, on the other hand, if there are no risks that would justify a particular control, then implementing it would be a waste of time and money.

Risk assessment is a key requirement in ISO 27001 that must be performed before you start implementing security controls, and, consequently, it is the one that determines the shape of your information security. Learn more here: ISO 27001 risk assessment & treatment – 6 basic steps.

So, the difference is…

Gap analysis tells you how far you are from ISO 27001 requirements/controls; it doesn’t tell you which problems can occur or which controls to implement. Risk assessment tells you which incidents can happen and which controls to implement, but it doesn’t give you an overview of which controls are already implemented.

While risk assessment is crucial for ISO 27001 implementation, gap analysis is only required when writing the Statement of Applicability – therefore, one is not a replacement for the other, and both are required, but in different phases of implementation and with different purposes.

Sometimes companies perform gap analysis before the start of ISO 27001 implementation, in order to get a feeling of where they are right now, and to find out which resources they will need to employ in order to implement ISO 27001. However, the usefulness of such an approach is doubtful, since only risk assessment will show the real extent of what needs to be implemented and in which form.

Click here to try the free ISO 27001 Gap Analysis Tool.


Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera
