
ISO 27001 Gap Analysis Template: A Practical Guide for UK SMBs

Published 17 May 2026 · Last reviewed 8 March 2026

An ISO 27001 gap analysis tells you how far your current information security practices are from what the standard requires. For UK SMBs, this is the step that separates a realistic certification plan from guesswork. Skip it, and you will overspend on consultancy or walk into your Stage 1 audit unprepared.

ISO 27001:2022 contains 93 controls in Annex A plus management system requirements in Clauses 4-10. Your ISO 27001 gap analysis template needs to cover both. Here is how to do it without turning it into a three-month project.

What you are assessing

Two distinct things:

  1. Management system clauses (4-10) — the ISMS framework. Policy, risk assessment, management review, internal audit.
  2. Annex A controls (93 controls) — specific security measures. Access control, encryption, incident management, supplier oversight.

Common mistake: spending all your time on Annex A and treating the management system as an afterthought. Both are audited equally. Certification bodies report that SMBs fail on Clause 6 (risk assessment methodology) as often as on technical controls.

The 93 Annex A controls

ISO 27001:2022 reorganised controls from 14 categories (2013 version) into 4:

  Category               Controls   Covers
  Organisational (A.5)   37         Policies, roles, asset management, supplier relationships
  People (A.6)           8          Screening, awareness training, remote working
  Physical (A.7)         14         Secure areas, equipment, clear desk, media disposal
  Technological (A.8)    34         Access control, encryption, malware, logging, network security

11 controls are new in 2022, including threat intelligence (5.7), cloud services security (5.23), ICT readiness for business continuity (5.30), data masking (8.11), and data leakage prevention (8.12).

Step-by-step gap analysis process

Step 1: Define your ISMS scope (Clause 4.3)

Define which business units, sites, systems, and information assets are covered. For most SMBs under 50 staff, the scope is the entire business. Write one paragraph. Your auditor reviews this first.

Step 2: Assess ISMS management clauses (4-10)

Rate your position on each clause:

  • Clause 4: Have you identified external issues (UK GDPR, cyber threat landscape) and internal issues (IT infrastructure, remote working)?
  • Clause 5: Information security policy signed by the MD? Roles assigned?
  • Clause 6: Defined risk assessment methodology? "We deal with risks as they come up" is not a methodology.
  • Clause 7: Resources allocated? Staff awareness programme? Competence records?
  • Clause 8: Risk treatment plans implemented? Evidence?
  • Clause 9: Internal audits conducted? Management reviews covering information security?
  • Clause 10: Nonconformity and corrective action process in place?

Step 3: Assess each Annex A control

For each of the 93 controls, record:

  1. Applicability — does it apply? If not, justify the exclusion in your Statement of Applicability (Clause 6.1.3 d)
  2. Current state — what exists today? Be factual, not aspirational
  3. Compliance level — 0 (not implemented) / 1 (partial) / 2 (largely implemented) / 3 (fully effective)
  4. Gap description — what work is needed?
  5. Priority — High / Medium / Low based on risk and effort

Step 4: Prioritise gaps

Rank by risk impact and implementation effort. A missing access control policy (A.5.15) for a business handling sensitive client data is higher priority than a clear desk policy (A.7.7) in a paperless office.

Address dependencies first. You cannot classify assets (A.5.12) without an asset inventory (A.5.9). You cannot define access rights (A.5.15) without knowing your systems.

Step 5: Build your risk treatment plan

ISO 27001 Clause 6.1.3 requires this. For each gap, define: specific action, responsible person (name, not role), target date, resources needed, and evidence of completion. Update monthly.
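To make Steps 3 to 5 concrete, here is an added example (my own code, not from this post or any template it refers to) of the gap register in Python: each row carries the Step 3 fields and the spreadsheet columns from the checklist, validate() flags controls excluded without an SoA justification and open gaps with no named owner, and work_order() sequences open gaps so prerequisites such as A.5.9 before A.5.12 come first, then High before Low. The GapEntry, validate and work_order names, the dependency links and the sample findings are constructed assumptions for illustration, not part of the standard.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

@dataclass
class GapEntry:
    ref: str                  # Annex A reference, e.g. "A.5.9"
    applicable: bool          # False = excluded in the SoA (Clause 6.1.3 d)
    current_state: str        # factual description of what exists today
    level: int                # 0 not implemented / 1 partial / 2 largely / 3 fully effective
    gap: str = ""
    priority: str = "Medium"  # High / Medium / Low
    action: str = ""
    owner: str = ""           # a named person, not a role
    deadline: str = ""
    justification: str = ""   # mandatory when applicable is False
    depends_on: tuple = ()    # constructed links, e.g. A.5.12 needs A.5.9 first

def validate(e):
    """Problems an auditor would raise for one register row."""
    out = []
    if not e.applicable and not e.justification.strip():
        out.append(f"{e.ref}: excluded without SoA justification")
    if e.applicable and e.level < 3 and not (e.gap.strip() and e.owner.strip()):
        out.append(f"{e.ref}: open gap needs a gap description and a named owner")
    return out

def work_order(entries):
    """Open gaps with prerequisites first, then High before Low, then lowest level."""
    by_ref = {e.ref: e for e in entries}
    open_refs = {e.ref for e in entries if e.applicable and e.level < 3}
    ts = TopologicalSorter()
    for ref in open_refs:
        ts.add(ref, *(d for d in by_ref[ref].depends_on if d in open_refs))
    ts.prepare()  # raises CycleError if dependencies are circular
    ready, order = set(ts.get_ready()), []
    while ready:
        nxt = min(ready, key=lambda r: (PRIORITY_RANK[by_ref[r].priority], by_ref[r].level, r))
        ready.discard(nxt)
        order.append(nxt)
        ts.done(nxt)
        ready.update(ts.get_ready())
    return order

SAMPLE_REGISTER = [  # constructed findings for a small paperless firm, not real data
    GapEntry("A.5.9", True, "Laptop list only", 1, "No full asset inventory", "High", "Export from MDM", "J. Example", "2026-06-30"),
    GapEntry("A.5.12", True, "No scheme", 0, "No classification scheme", "High", "Define 3 tiers", "J. Example", "2026-07-31", depends_on=("A.5.9",)),
    GapEntry("A.5.15", True, "Ad hoc grants", 0, "No access control policy", "High", "Write policy", "K. Example", "2026-07-31", depends_on=("A.5.9",)),
    GapEntry("A.7.7", True, "Paperless office", 2, "Practice not written down", "Low", "Add to handbook", "K. Example", "2026-09-30"),
]
```

Running work_order(SAMPLE_REGISTER) puts the asset inventory first even though the clear desk gap is also unblocked, and holds the Low-priority item to the end.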

Common mistakes

Ignoring cloud and supplier controls. Controls A.5.19-A.5.23 cover suppliers and cloud services. If you run on Microsoft 365, Xero, and AWS, these apply directly. Your provider handles infrastructure security; you own access management, configuration, and data classification.

Treating the SoA as a formality. The Statement of Applicability is one of the most scrutinised audit documents. Draft it during the gap analysis, not the week before your audit.

Assessing controls in isolation. Access control (A.8.3-A.8.5) depends on identity management, which depends on HR onboarding/offboarding (A.6.1-A.6.5). Gaps cascade.

UK-specific considerations

UK GDPR alignment. The Data Protection Act 2018 and UK GDPR overlap with several Annex A controls — breach notification (72 hours to the ICO per Article 33), DPIAs (Article 35), data subject rights. The ICO provides guidance at ico.org.uk.

Cyber Essentials. If you hold CE or CE Plus (NCSC/IASME scheme), you have a head start. Its five control areas (firewalls, secure configuration, access control, malware protection, patch management) map to several Annex A technological controls.

NCSC guidance. Free practical guidance at ncsc.gov.uk — 10 Steps to Cyber Security, cloud security principles, supply chain guidance.

Public sector supply chain. UK government departments increasingly require ISO 27001 from suppliers handling official information. The Cabinet Office Security Policy Framework references it as a baseline.

Practical takeaway checklist

  1. Allow 2-3 days for a thorough gap analysis
  2. Start with ISMS Clauses 4-10 before Annex A — management system gaps often take longer to close
  3. Use the 0-3 scale — enough granularity without overcomplication
  4. Build in a spreadsheet: control ref | applicability | current state | level | gap | priority | action | owner | deadline
  5. Draft your Statement of Applicability during the gap analysis
  6. Focus first 90 days on high-risk gaps and dependencies
  7. Review findings with management before committing budget

If you have completed your ISO 9001 gap analysis, the management system clauses overlap significantly. Our ISO 9001 gap analysis checklist uses a similar framework. For certification cost estimates, try the cost estimator.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.

ClauseWise is coming soon

Generate your ISO 9001 and ISO 27001 documentation without consultant fees.