
● Compliance

ISO 27001 Gap Assessment: What It Is and How to Do It

The ISO 27001 gap assessment is the first real activity in any certification journey. Done well, it tells the organisation exactly what to build and how long it will take. Done poorly, it produces a checklist that the team disregards. Here is how to run it properly.

Published 23 May 2026 | 9 min read | Codesecure Compliance Practice

Key Takeaways

  • A gap assessment compares current security posture against ISO 27001 requirements (clauses 4-10 plus Annex A) and identifies what is missing or weak.
  • Coverage: 7 management system clauses (context, leadership, planning, support, operation, performance evaluation, improvement) plus the 93 Annex A controls of ISO/IEC 27001:2022.
  • Maturity scoring on a 0 to 5 scale (or similar) for each requirement: 0 not implemented, 5 optimised. Gives a heat map and a prioritised remediation roadmap.
  • Output is a report, not a recommendation memo. Executive summary, scoring per requirement, top findings, remediation roadmap with effort and dependencies.
  • Typical duration: 2 to 8 weeks depending on organisation size and scope. Cost: INR 2 to 8 lakh as a standalone engagement.

What a Gap Assessment Covers

An ISO 27001 gap assessment is a structured review of an organisation's current security posture against every requirement of the standard. The assessor compares documented and operating practice against ISO 27001 clauses 4 to 10 and Annex A controls, then produces a report with findings, maturity scores and a remediation roadmap.

Scope of assessment must match the intended certification scope. A gap assessment for a single subsidiary cannot inform certification of the parent. Define scope precisely before the assessment starts; revising scope mid-engagement adds material rework.

Gap Assessment Methodology

Our standard methodology runs in five steps:

  • Scoping workshop with the sponsor and key stakeholders.
  • Document review: existing policies, procedures and records.
  • Interviews with control owners across IT, HR, legal, procurement and facilities.
  • Evidence sampling: access reviews, training records, change tickets, incident records.
  • Scoring against the standard.

The interview-and-evidence approach catches gaps that a documentation-only review misses. Most Indian organisations have policy that is more mature than practice; the gap between policy and practice is itself a finding.


Maturity Scoring

We score each requirement on a 0 to 5 maturity scale: 0 (not implemented), 1 (initial / ad hoc), 2 (repeatable), 3 (defined / documented), 4 (managed / measured), 5 (optimised / continuous improvement). The standard itself does not prescribe a maturity scale; the scale is our calibration tool. In our experience a certification attempt is realistic once every requirement is at 3 or higher, with most controls operating at 3 to 4.

Scoring is calibrated through evidence sampling. A documented policy alone is 2 or 3 depending on dissemination. Evidence of operation (training records, access reviews, audit logs) lifts the score. Continuous improvement evidence (review of effectiveness, trending KPIs) lifts further.

Prioritising Remediation

Not every gap is equal. Mandatory clauses (4 to 10) must be at or near 3 before any certification attempt. Annex A controls have implementation flexibility, but every control the Statement of Applicability (SoA) marks applicable must be addressed, and every control marked not applicable needs a documented justification that the auditor will test.

Priority is set by gap severity (low maturity), risk impact (high-risk areas first), dependencies (foundational controls before dependent ones), and effort (quick wins balanced against structural changes). The remediation roadmap typically has 30 / 60 / 90 / 180 day buckets.
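The scoring gate, dependency ordering and bucket assignment described above can be made concrete in a few dozen lines. The script below is an added example, not code from the original page or from Codesecure: the findings list is constructed sample data (the clause and Annex A identifiers are real ISO/IEC 27001:2022 references; the maturity scores, risks, effort figures and dependencies are invented), the weights in priority_score and the one-person-day-per-calendar-day remediation capacity are assumptions, and the 3-or-higher gate for mandatory clauses is the heuristic this article uses. It orders findings so that no control is scheduled before the controls it depends on, assigns the 30/60/90/180-day buckets from cumulative effort, reports a dependency cycle instead of silently dropping findings, and computes the per-theme averages behind a maturity heat map.

```python
"""Gap assessment remediation prioritiser (added example, not the page's own code).

Assumptions not taken from the page: the sample findings, the weights in
priority_score and the remediation capacity are illustrative constructions.
"""
import heapq
from collections import defaultdict

MANDATORY_MIN_MATURITY = 3            # page's heuristic gate for clauses 4-10
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}
BUCKETS_DAYS = (30, 60, 90, 180)      # roadmap buckets named in the article
CAPACITY_PERSON_DAYS_PER_DAY = 1.0    # assumed: one person-day of remediation per calendar day

# Constructed sample findings. kind: "clause" (clauses 4-10) or "annex_a".
# effort is in person-days; depends_on lists finding ids that must land first.
SAMPLE_FINDINGS = [
    {"id": "6.1.2", "kind": "clause", "name": "Risk assessment process", "maturity": 1, "risk": "high", "effort": 10, "depends_on": []},
    {"id": "6.1.3", "kind": "clause", "name": "Risk treatment and SoA", "maturity": 0, "risk": "high", "effort": 15, "depends_on": ["6.1.2"]},
    {"id": "9.2", "kind": "clause", "name": "Internal audit", "maturity": 0, "risk": "medium", "effort": 8, "depends_on": ["6.1.3"]},
    {"id": "7.2", "kind": "clause", "name": "Competence", "maturity": 4, "risk": "low", "effort": 2, "depends_on": []},
    {"id": "A.5.15", "kind": "annex_a", "name": "Access control", "maturity": 3, "risk": "high", "effort": 3, "depends_on": []},
    {"id": "A.5.18", "kind": "annex_a", "name": "Access rights", "maturity": 1, "risk": "high", "effort": 12, "depends_on": ["A.5.15"]},
    {"id": "A.6.3", "kind": "annex_a", "name": "Awareness, education and training", "maturity": 2, "risk": "medium", "effort": 5, "depends_on": []},
    {"id": "A.8.15", "kind": "annex_a", "name": "Logging", "maturity": 2, "risk": "medium", "effort": 10, "depends_on": []},
    {"id": "A.8.16", "kind": "annex_a", "name": "Monitoring activities", "maturity": 1, "risk": "medium", "effort": 20, "depends_on": ["A.8.15"]},
]


def certification_gate(findings):
    """Ids of mandatory-clause findings still below the minimum maturity (sorted)."""
    return sorted(f["id"] for f in findings
                  if f["kind"] == "clause" and f["maturity"] < MANDATORY_MIN_MATURITY)


def priority_score(f):
    """Assumed weighting of the page's four factors: severity, risk, mandatory status, quick win."""
    score = (5 - f["maturity"]) * 2        # severity: distance from optimised
    score += RISK_WEIGHT[f["risk"]]        # risk impact
    if f["kind"] == "clause":
        score += 2                         # mandatory clauses gate certification
    if f["effort"] <= 5:
        score += 1                         # quick win bonus
    return score


def theme(f):
    """Heat-map grouping: clause number, or Annex A theme (A.5 organisational,
    A.6 people, A.7 physical, A.8 technological)."""
    parts = f["id"].split(".")
    return ".".join(parts[:2]) if f["kind"] == "annex_a" else parts[0]


def heat_map(findings):
    """Average and minimum maturity per theme, the numbers behind a heat map."""
    groups = defaultdict(list)
    for f in findings:
        groups[theme(f)].append(f["maturity"])
    return {g: {"avg": round(sum(v) / len(v), 2), "min": min(v), "n": len(v)}
            for g, v in sorted(groups.items())}


def prioritise(findings):
    """Dependency-respecting roadmap: Kahn's topological sort, highest score first
    among the findings whose dependencies are already scheduled; buckets follow
    cumulative effort at the assumed capacity."""
    by_id = {f["id"]: f for f in findings}
    indegree = {f["id"]: 0 for f in findings}
    dependents = defaultdict(list)
    for f in findings:
        for dep in f["depends_on"]:
            if dep not in by_id:
                raise ValueError(f"{f['id']} depends on unknown finding {dep}")
            indegree[f["id"]] += 1
            dependents[dep].append(f["id"])
    ready = [(-priority_score(by_id[i]), i) for i, d in indegree.items() if d == 0]
    heapq.heapify(ready)                   # ties broken by id for determinism
    roadmap, cumulative_days = [], 0.0
    while ready:
        neg_score, fid = heapq.heappop(ready)
        cumulative_days += by_id[fid]["effort"] / CAPACITY_PERSON_DAYS_PER_DAY
        bucket = next((b for b in BUCKETS_DAYS if cumulative_days <= b), None)
        roadmap.append({"id": fid, "score": -neg_score, "finish_day": cumulative_days,
                        "bucket": f"{bucket}-day" if bucket else "beyond-180-day"})
        for child in dependents[fid]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (-priority_score(by_id[child]), child))
    if len(roadmap) != len(findings):
        stuck = ", ".join(i for i, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among findings: {stuck}")
    return roadmap


if __name__ == "__main__":
    print("Mandatory clauses below gate:", certification_gate(SAMPLE_FINDINGS))
    for g, v in heat_map(SAMPLE_FINDINGS).items():
        print(f"theme {g:6s} avg={v['avg']:.2f} min={v['min']} n={v['n']}")
    for item in prioritise(SAMPLE_FINDINGS):
        print(f"{item['bucket']:>14s}  {item['id']:7s} score={item['score']:2d} finish=day {item['finish_day']:.0f}")
```

Because the topological order is monotonic in cumulative effort, a dependent finding always lands in the same or a later bucket than the finding it depends on, which is the property the roadmap needs before it becomes a project plan.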

Gap Assessment Report Structure

A complete report contains:

  • Executive summary (1 to 2 pages, board-readable).
  • Scope and methodology.
  • Overall maturity heat map.
  • Per-clause findings (clauses 4 to 10).
  • Per-control findings (Annex A).
  • Top 10 findings ranked by priority.
  • Remediation roadmap with effort and timeline.
  • Recommendations for the certification path forward.
  • Appendices with detailed scoring and the evidence sample.

The report is the input to the project plan for the next phase (implementation). The clearer and more specific the findings, the smoother the implementation.


Gap Assessment vs Internal Audit vs Pre-Certification Audit

Gap assessment is informal, broad, identifies what to build. Done at programme start, possibly mid-programme to recalibrate.

Internal audit is the formal audit required by ISO 27001 clause 9.2: an independent auditor, a structured methodology, and formal findings tracked through corrective action under clause 10. Certification bodies expect at least one completed internal audit cycle, and the management review that follows it, before the Stage 2 audit.

Pre-certification audit (also called mock audit or readiness audit) simulates the external Stage 2 audit. Conducted by an external consultant familiar with certification body expectations. Identifies last-mile gaps before the real audit.

All three are useful at different points in the journey. Many Indian organisations conflate them and underestimate the formality of the internal audit.

Duration, DIY vs Consultant-Led

Typical duration: 2 to 3 weeks for SMB, 3 to 5 weeks for mid-size enterprise, 5 to 8 weeks for large enterprise or multi-site scope. Consultant-led engagements compress the timeline through methodology, tooling and benchmarking.

DIY gap assessment is possible if the in-house team includes someone with ISO 27001 Lead Implementer or Lead Auditor experience. Without that experience, the assessment often misses standard-specific requirements (control formulation, evidence expectations, justification language for the SoA). Codesecure delivers gap assessments as standalone engagements or as the kickoff of a full certification programme.


Frequently Asked Questions

How is a gap assessment different from a risk assessment?

A gap assessment compares current state to a standard (ISO 27001 in this case). A risk assessment identifies threats and vulnerabilities and quantifies risk. ISO 27001 requires both. Gap assessment scopes the certification effort; risk assessment drives the SoA.

Can we skip the gap assessment?

Possible but rarely advisable. Without a gap assessment, the implementation programme runs blind on scope and effort. In our experience, many failed certification attempts trace back to the absence of a proper gap assessment at the start.

How long does a gap assessment take?

2 to 8 weeks depending on organisation size and scope. Document review and interviews dominate the timeline; scoring and report writing take 1 to 2 weeks at the end.

What does a gap assessment cost?

Standalone engagement INR 2 to 8 lakh in India depending on size and scope. Included in fixed-price certification programmes from Codesecure.

Will the gap assessment tell us if we will pass certification?

It tells you what is missing today. The certification outcome depends on what you build between the gap assessment and Stage 2. A clean gap assessment plus disciplined remediation produces a clean Stage 2.

Does Codesecure do gap assessments?

Yes. Codesecure delivers ISO 27001 gap assessments with named LA consultants, structured methodology, evidence sampling, maturity heat map and a 90/180/360-day remediation roadmap.


Codesecure Compliance Practice

ISO 27001 LA / CISSP / CISA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers compliance programmes covering ISO 27001, SOC 2, PCI DSS, DPDP, HIPAA, GDPR, RBI, SEBI, IRDAI and NIST CSF for Indian businesses. Named ISO 27001 Lead Auditor, CISSP and CISA consultants. 150+ engagements across India, Singapore, UAE and the Middle East.


Start Your ISO 27001 Journey With A Gap Assessment That Works

Codesecure delivers structured ISO 27001 gap assessments as standalone engagements or as the kickoff of full certification programmes for Indian organisations. Named LA consultants, fixed-price proposals, board-ready reporting.