Step 2 of the ISO 27001 implementation process involves conducting a gap analysis. Having defined the scope of your ISMS in Step 1, you now evaluate the organization's current information security practices against the desired state of a fully compliant Information Security Management System (ISMS), within those agreed boundaries. By identifying discrepancies, a gap analysis helps organizations understand where improvements or developments are needed, enabling efficient resource allocation and better planning for subsequent steps. Just as importantly, its findings form the evidence base for the business case presented to management in Step 3—turning the request for commitment into an evidence-driven proposal rather than a generic appeal. While not mandated by ISO 27001, this process provides valuable insights into existing controls, policies, and processes, ensuring a more targeted and effective implementation journey.
A quick but important distinction: a gap analysis is not a risk assessment. The gap analysis is compliance- and requirements-based—it measures how far current practice sits from the standard's requirements. The risk assessment, performed later in Step 7, is threat-based, weighing likelihood and impact. Keeping the two separate from the outset prevents a common source of confusion later in the project.
Required Activities and Tasks
The gap analysis process consists of five key tasks designed to assess the current state, compare it with the desired state, and outline a roadmap for improvement. The tasks are:
Define the Desired State: Clearly articulate the objectives of the ISMS, aligning them with ISO 27001 requirements and the organization's business goals. This represents the ideal state of a fully implemented and effective ISMS.
Analyze the Current State: Assess existing information security controls, policies, technologies, and processes. This involves reviewing the organization's security posture, including any established protocols, to understand what is already in place.
Compare Current and Desired States: Evaluate the differences between the current security practices and the desired ISMS state. This comparison highlights areas where the organization falls short of ISO 27001 compliance.
Identify Specific Gaps: Pinpoint deficiencies in policies, procedures, technical controls, or personnel training that need development or improvement to meet the desired state. This step ensures a clear understanding of what must be addressed.
Produce a Gap Analysis Report: Compile findings into a comprehensive report that summarizes identified gaps, provides actionable recommendations, and prioritizes areas requiring attention. This report serves as a roadmap for planning subsequent implementation steps and supplies the evidence underpinning the Step 3 business case.
While the analysis is positioned here in Step 2, the technique itself remains flexible and can be revisited and refined at later stages of the project as the ISMS matures.
Deliverables of This Step
The primary output of Step 2 is a single, critical deliverable that guides the ISMS implementation:
Gap Analysis Report: A detailed document summarizing the current state, desired state, identified gaps, and prioritized recommendations for addressing deficiencies. This report provides a clear roadmap for aligning the organization's practices with ISO 27001 requirements—and serves as the foundation for justifying management commitment in Step 3.
This deliverable ensures that the organization can allocate resources effectively and focus on areas needing the most attention.
Normative References
A gap analysis is not explicitly required by ISO 27001, so there are no specific clauses directly tied to this activity. However, the process aligns with the standard's overall emphasis on understanding the organization's current capabilities and planning for compliance. The insights gained support the implementation of subsequent steps—such as building the management business case (Step 3), developing the information security policy (Clause 5.2, Step 4), and conducting risk assessments (Clause 6.1, Step 7)—by providing a clear picture of existing controls and deficiencies.


