
ISO 9001 Gap Analysis Checklist: Step-by-Step for UK SMBs

Published 8 February 2026

An ISO 9001 gap analysis checklist is the single most useful thing you can produce before spending money on a certification body. It tells you exactly where your quality management system stands today, what's missing, and what you need to fix. Without one, you're guessing — and guessing gets expensive when audit days cost £800–£1,200 each.

This guide walks you through a 7-step gap analysis process, referencing specific ISO 9001 clauses. If you're also preparing for the ISO 9001:2026 revision, the same approach applies — just map against the new clause structure.

What Is an ISO 9001 Gap Analysis?

A gap analysis compares what ISO 9001 requires against what your organisation currently does. The output is a list of gaps — requirements you don't yet meet — ranked by severity and effort to close.

It's not an audit. You're not issuing nonconformities. You're creating a project plan.

Before You Start

Gather these before you begin:

  • A copy of ISO 9001:2015 (or the 2026 DIS if you're preparing for the revision). Available from the BSI Shop — currently £138 for the 2015 edition.
  • Your existing quality documentation: quality manual (if you have one), procedures, work instructions, forms, records.
  • Access to the people who actually do the work. A gap analysis done entirely at a desk, by one person, is unreliable.

The 7-Step ISO 9001 Gap Analysis Checklist

Step 1: Map Your Existing Processes

Before you open the standard, document what you actually do. Map your core business processes from order to delivery (or enquiry to completion, depending on your business). Include:

  • Who does what
  • What records are created
  • What checks or approvals happen
  • Where handoffs occur between teams or individuals

This gives you a baseline. Many UK SMBs discover they already follow sensible processes — they just haven't written them down.

Step 2: Work Through Clauses 4–10 Systematically

Go clause by clause. For each requirement, ask three questions:

  1. Do we do this? (Yes / Partly / No)
  2. Can we prove it? (Is there a record, document, or evidence?)
  3. Is it consistent? (Does it happen every time, or only when someone remembers?)

Here's what to look for in each clause:

Clause 4 — Context of the organisation

  • Have you identified external issues (market conditions, regulations, customer expectations) and internal issues (staff capability, infrastructure, culture) that affect your QMS?
  • Have you identified interested parties (customers, regulators, suppliers, staff) and their requirements?
  • Is your QMS scope defined and documented?

Clause 5 — Leadership

  • Is there a documented quality policy? Does top management actually reference it in decisions?
  • Are quality responsibilities assigned to specific people?
  • Does top management participate in management reviews (not just sign off)?

Clause 6 — Planning

  • Have you identified risks and opportunities related to your QMS?
  • Do you have measurable quality objectives? ("Improve quality" doesn't count — "reduce customer complaints by 15% by Q4" does.)
  • When you make changes to the QMS, do you plan the change before implementing it?

Clause 7 — Support

  • Are resources adequate? (People, infrastructure, work environment, monitoring and measuring equipment.)
  • Is staff competence assessed and recorded? (Training records, qualifications, performance evidence.)
  • Is documented information controlled? (Version control, access control, retention.)

Clause 8 — Operation

  • Are your operational processes planned and controlled?
  • How do you handle customer requirements? (Contract review, order confirmation, change management.)
  • How do you control externally provided products/services? (Supplier evaluation, incoming inspection, ongoing monitoring.)
  • Do you have criteria for product/service release? Who authorises it?

Clause 9 — Performance evaluation

  • Do you monitor customer satisfaction? (Surveys, complaint data, repeat business rates — anything measurable.)
  • Do you conduct internal audits? (Planned programme, trained auditors, recorded results.)
  • Does top management conduct management reviews at defined intervals? (Minimum annually, though quarterly or six-monthly is more practical for SMBs.)

Clause 10 — Improvement

  • Do you have a process for handling nonconformities and corrective actions?
  • Can you show evidence of continual improvement? (Not just fixing problems — actually making things better.)

Step 3: Score Each Requirement

Use a simple scoring system. A three-point scale works:

Score | Meaning
0     | Not addressed — no process, no evidence
1     | Partly addressed — process exists but inconsistent or undocumented
2     | Fully addressed — process in place, documented, evidence available

This gives you a heatmap of your compliance. Anything scoring 0 is a major gap. Anything scoring 1 needs tightening.

Step 4: Prioritise Your Gaps

Not all gaps are equal. Prioritise based on:

  • Audit risk: Clauses 8 (Operation) and 9 (Performance evaluation) generate the most nonconformities in Stage 2 audits, according to data published by UKAS-accredited certification bodies. Fix these first.
  • Business impact: A gap in your customer complaints process (Clause 10) affects customer retention. A missing document header template (Clause 7) doesn't.
  • Effort to close: Some gaps need a new process. Others just need you to write down what you already do.

Step 5: Assign Ownership and Deadlines

For each gap, assign:

  • Who will close it
  • By when
  • What "done" looks like (specific deliverable: a documented procedure, a completed training record, a populated risk register)

Gaps without owners don't get closed. This is where most DIY certification attempts stall — everything is identified, nothing is assigned.

Step 6: Close the Gaps

Do the work. Write the procedures. Conduct the training. Set up the records. Run a management review. Start your internal audit programme.

Two practical points:

  • Don't over-document. ISO 9001 requires documented information for specific items (quality policy, quality objectives, scope, and others listed in the standard). Beyond those mandatory items, document only what's needed for your processes to run consistently. A 10-person company doesn't need 200 pages of procedures.
  • Use your existing systems. If you track jobs in a spreadsheet, that spreadsheet can be part of your QMS. You don't need specialist software on day one.

Step 7: Verify With an Internal Audit

Before you spend money on a certification body, audit yourself. Conduct a full internal audit against ISO 9001 using your gap analysis as a guide. This catches remaining gaps, tests your documented processes, and gives you audit evidence for Clause 9.

Your internal auditor should be someone who wasn't directly responsible for creating the processes they're auditing. In a small company, this can be tricky — consider swapping: the operations manager audits the sales process, and vice versa.

Not sure where you stand right now? Our ISO 9001 readiness quiz gives you a quick assessment across all major clause areas in under 5 minutes.

Common Mistakes in ISO 9001 Gap Analyses

Doing it alone. The quality manager writes the gap analysis in isolation, without talking to the people who run the processes. The result looks good on paper but doesn't reflect reality.

Treating it as a one-off. Your gap analysis should be a living document. Update it after internal audits, management reviews, and any significant business change.

Ignoring Clause 4. Context of the organisation sounds abstract, but auditors check it. If you can't articulate your external and internal issues and how they affect your QMS, expect a nonconformity.

Focusing on documents over processes. ISO 9001 is a process standard, not a documentation standard. The gap analysis should assess whether your processes work, not just whether you have paperwork.

Key Takeaways

  1. A gap analysis is your project plan for ISO 9001 certification. Do it before engaging a certification body.
  2. Work through Clauses 4–10 systematically, scoring each requirement against what you actually do today.
  3. Prioritise gaps by audit risk and business impact — not by clause number.
  4. Assign every gap an owner and a deadline. Gaps without owners stay open.
  5. Verify your work with an internal audit before booking your Stage 1 assessment.
  6. Take the ISO 9001 readiness quiz for a quick snapshot of where you stand.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.
