// COMPLIANCE & AUDIT

ISO 27001 Gap Assessment

Comprehensive gap analysis against ISO 27001:2022 with actionable remediation roadmap.

ISO 27001:2022 · 93 Controls Assessed · CISM Certified Auditors · 12wk Avg. Cert Readiness

ISO 27001:2022 Gap Assessment

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The 2022 revision restructured Annex A into 93 controls across 4 themes, replacing the 114 controls in 14 domains of the 2013 version; 11 of the controls are new and the rest were merged or renumbered. Organisations certified to the 2013 standard must transition by 31 October 2025.

Intelliroot's ISO 27001 gap assessment gives you a precise, clause-by-clause picture of where you stand against the 2022 standard, together with a prioritised remediation roadmap and a realistic timeline to certification readiness. Our assessors hold CISM and ISO 27001 Lead Auditor certifications and have guided dozens of organisations through successful certification.

What the Assessment Covers

Clauses 4–10 (ISMS Requirements)

  • Context of the organisation (Clause 4)
  • Leadership and commitment (Clause 5)
  • Planning: risk assessment and risk treatment (Clause 6)
  • Support: resources, competence, awareness, documented information (Clause 7)
  • Operational planning and control (Clause 8)
  • Performance evaluation and improvement (Clauses 9–10)

Annex A Controls (2022)

  • Organisational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)
  • Specific focus on the 11 controls introduced in 2022

New 2022 Controls Spotlight

  • Threat intelligence (A.5.7)
  • Information security for use of cloud services (A.5.23)
  • ICT readiness for business continuity (A.5.30)
  • Data masking (A.8.11)
  • Data leakage prevention (A.8.12)
  • Web filtering (A.8.23)

Statement of Applicability (SoA)

  • Review or draft SoA against 93 Annex A controls
  • Justification for included/excluded controls
  • Control implementation status rating
  • Maturity scoring per control

How We Run the Gap Assessment

01

Kick-off & Document Request

Agree scope and assessment boundaries. Collect existing IS policies, risk register, incident records, audit history, and any prior ISO 27001 documentation.

02

Clause-by-Clause Assessment

Systematically assess each clause (4–10) and Annex A control against the ISO 27001:2022 requirements through document review, interviews, and control observation walkthroughs.

03

Control Maturity Scoring

Score each of the 93 Annex A controls on a 0–5 maturity scale (Not Implemented → Optimised) using a consistent, evidence-based scoring methodology.

04

Gap Register Development

Document every gap with: affected clause/control, gap description, risk implication, and recommended remediation action with effort estimate.

05

Remediation Roadmap

Prioritise gaps into a phased remediation roadmap aligned to your certification target date, with quick wins, workstream dependencies, and resource requirements.

06

Report & Readiness Briefing

Deliver the gap assessment report with maturity radar chart, gap register, SoA draft, and remediation roadmap. Present findings to CISO and senior management.
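Steps 03 to 05 above are a data-processing exercise as much as an assessment one. The following Python is an added example, not Intelliroot's tooling or a template the page provides: it scores a constructed set of Annex A controls on the page's 0–5 maturity scale, rolls the scores up per theme (the input to the maturity radar chart), emits gap-register rows for every applicable control below a target maturity, assigns each gap to a 90/180/270-day phase, and validates the SoA. The sample scores, the intermediate maturity labels, and the phasing rule (high-risk gaps and quick wins first) are assumptions made for the example.

```python
"""Added example (not Intelliroot's tooling): ISO 27001:2022 maturity scoring,
theme roll-up, gap register and SoA validation over constructed sample data."""
from dataclasses import dataclass
from statistics import mean

# 0-5 scale from the page; the labels between 0 and 5 are assumptions.
MATURITY_LABELS = {0: "Not Implemented", 1: "Initial", 2: "Repeatable",
                   3: "Defined", 4: "Managed", 5: "Optimised"}

# Control counts per Annex A theme in ISO/IEC 27001:2022 (sums to 93).
THEME_SIZES = {"Organisational": 37, "People": 8, "Physical": 14, "Technological": 34}

RISK_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Control:
    ref: str
    title: str
    theme: str
    maturity: int            # assessed maturity, 0-5
    risk: str                # assessor's risk implication of the current gap
    effort_days: int         # remediation effort estimate
    applicable: bool = True  # SoA inclusion
    justification: str = ""  # required when applicable is False


# Constructed sample scores for the six 2022 controls named on the page.
SAMPLE = [
    Control("A.5.7", "Threat intelligence", "Organisational", 1, "High", 15),
    Control("A.5.23", "Information security for use of cloud services", "Organisational", 2, "Medium", 20),
    Control("A.5.30", "ICT readiness for business continuity", "Organisational", 3, "Medium", 10),
    Control("A.8.11", "Data masking", "Technological", 2, "Low", 8),
    Control("A.8.12", "Data leakage prevention", "Technological", 0, "High", 30),
    # Constructed exclusion so the SoA check has something to examine; a real
    # exclusion of web filtering would need a far stronger rationale.
    Control("A.8.23", "Web filtering", "Technological", 0, "Low", 0, applicable=False,
            justification="Constructed: no user web browsing from in-scope systems"),
]


def theme_scores(controls, sizes=THEME_SIZES):
    """Average maturity per theme over applicable controls, plus coverage; radar-chart input."""
    out = {}
    for theme, total in sizes.items():
        scored = [c.maturity for c in controls if c.theme == theme and c.applicable]
        out[theme] = {"average": round(mean(scored), 2) if scored else None,
                      "assessed": len(scored), "total": total}
    return out


def roadmap_phase(control, quick_win_days=5):
    """Assumed phasing rule: high-risk gaps and quick wins by day 90, medium by 180, low by 270."""
    if control.risk == "High" or control.effort_days <= quick_win_days:
        return 90
    return 180 if control.risk == "Medium" else 270


def gap_register(controls, target=3):
    """One row per applicable control below target maturity; highest risk, lowest maturity first."""
    gaps = [c for c in controls if c.applicable and c.maturity < target]
    gaps.sort(key=lambda c: (RISK_RANK[c.risk], c.maturity, c.effort_days))
    return [{"ref": c.ref, "control": c.title, "theme": c.theme,
             "maturity": f"{c.maturity} - {MATURITY_LABELS[c.maturity]}",
             "gap": f"Below target maturity {target}", "risk": c.risk,
             "effort_days": c.effort_days, "phase_days": roadmap_phase(c), "owner": ""}
            for c in gaps]


def soa_rows(controls):
    """Statement of Applicability rows: inclusion, implementation status and justification."""
    return [{"ref": c.ref, "control": c.title, "applicable": c.applicable,
             "status": MATURITY_LABELS[c.maturity] if c.applicable else "Excluded",
             "justification": c.justification} for c in controls]


def validate_soa(controls, sizes=THEME_SIZES):
    """Flag exclusions without justification and themes not fully recorded (all 93 must appear)."""
    issues = [f"{c.ref}: excluded without justification"
              for c in controls if not c.applicable and not c.justification.strip()]
    seen = {}
    for c in controls:
        seen[c.theme] = seen.get(c.theme, 0) + 1
    for theme, total in sizes.items():
        if seen.get(theme, 0) != total:
            issues.append(f"{theme}: {seen.get(theme, 0)} of {total} controls recorded")
    return issues


if __name__ == "__main__":
    for theme, s in theme_scores(SAMPLE).items():
        print(f"{theme:15} avg={s['average']} ({s['assessed']}/{s['total']} assessed)")
    for row in gap_register(SAMPLE):
        print(f"{row['ref']:7} {row['risk']:6} {row['maturity']:20} phase={row['phase_days']}d")
    for issue in validate_soa(SAMPLE):
        print("SoA issue:", issue)
```

The SoA validator is the part worth keeping even if the scoring rule is replaced: a certification auditor expects every one of the 93 controls to appear with a stated status, and every exclusion to carry a justification, so the coverage check fails deliberately on this six-control sample.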

Frequently Asked Questions

How long does the gap assessment take?

Typically 2–3 weeks for a medium-sized organisation. The timeline depends on the number of sites in scope, the availability of documentation, and the number of interviews required. We provide a fixed schedule at kick-off.

Can Intelliroot help us close the gaps it finds?

Yes. Intelliroot offers a separate ISO 27001 Implementation service in which our consultants work alongside your team to build and implement the ISMS controls identified in the gap assessment. We can also conduct the ISO 27001 Internal Audit before your certification audit.

We are certified to ISO 27001:2013. Do we need a transition gap assessment?

Yes. The 2022 revision introduced 11 new controls and restructured Annex A significantly. A transition gap assessment identifies which new controls require implementation, what documentation needs updating, and the effort required to achieve 2022 compliance before the 31 October 2025 deadline.

Deliverables

ISO 27001:2022 Gap Report

Clause-by-clause and control-level gap assessment with maturity scores and finding descriptions for all 93 Annex A controls.

Maturity Radar Chart

Radar chart of control maturity across the four Annex A control themes (Organisational, People, Physical, Technological), suited to executive presentations and board reporting.

Gap Register

Spreadsheet register of every gap with clause reference, risk implication, remediation action, effort estimate, and ownership field.

Statement of Applicability (Draft)

Draft SoA covering all 93 Annex A controls with implementation status, justification for exclusions, and references to implementing controls.

Remediation Roadmap

Phased 90/180/270-day implementation roadmap with dependencies, effort estimates, and certification timeline projection.

GET STARTED
Accepting New Engagements · 24h Response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

Scoping Call with a Certified Consultant: 45-minute deep-dive with a senior practitioner, no sales pitch.
Proposal Delivered in 48 Hours: fully scoped engagement plan with pricing and timeline.
Free Attack Surface Analysis: preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled · ISO 27001 · OSCP · CEH · CISSP