Overview
Perform a structured gap assessment against ISO 27001:2022 clauses 4–10 and all 93 Annex A controls. The assessment evaluates current information security practices, identifies gaps, and produces a prioritized remediation roadmap to guide the organization toward certification readiness.
The skill uses a 0–5 maturity model (Nonexistent → Optimized) to rate each clause area, a mandatory artifact detector to find missing ISMS documents, and a clause requirements engine to validate content coverage. A remediation prioritizer groups findings into four implementation phases based on clause dependencies and audit risk.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Management system clauses (4–10) — clause-by-clause assessment with maturity ratings and evidence checks
- Mandatory documented information — scans for the 14 mandatory ISMS artifacts required by ISO 27001
- Annex A controls — implementation status assessment for all 93 controls
- Findings register — structured gap findings with severity, clause reference, and remediation actions
- Remediation roadmap — four-phase prioritized plan (Foundation → Core → Operational → Validation)
Example Conversation
You: We need to run a gap assessment against ISO 27001 for our organization. We’re a B2B SaaS company with 120 employees, running on AWS.
Agent: I’ll guide you through a structured gap assessment covering clauses 4–10 and Annex A. Let me start by understanding what you have in place today.
- Do you have any existing security policies or procedures documented?
- Have you done any prior risk assessments or security audits?
- Is there an existing asset inventory or data flow documentation?
- Who currently manages information security?
You: We have an acceptable use policy and a basic incident response plan. No formal risk assessment. Our CTO handles security decisions. We did a SOC 2 Type I last year.
Agent: Good — the SOC 2 work gives you a head start. Let me check your workspace for existing ISMS artifacts. Running `mandatory_artifact_detector`… Results — 4/14 artifacts found:

| Artifact | Clause | Status |
|---|---|---|
| Information security policy | 5.2 | Missing |
| ISMS scope statement | 4.3 | Missing |
| Risk assessment methodology | 6.1.2 | Missing |
| Risk treatment plan | 6.1.3 | Missing |
| Statement of Applicability | 6.1.3 | Missing |
| IS objectives | 6.2 | Missing |
| Competence records | 7.2 | Missing |
| Operating procedures | 8.1 | Found (partial) |
| Incident response plan | A.5.24 | Found |
| Acceptable use policy | A.5.10 | Found |
| Internal audit results | 9.2 | Missing |
| Management review records | 9.3 | Missing |
| Corrective action records | 10.2 | Missing |
| Monitoring results | 9.1 | Found (SOC 2 report) |

10 mandatory artifacts are missing. Let me now assess each clause area. Let’s start with Clause 4 — Context of the Organization. Tell me: have you documented internal/external issues affecting information security, and have you identified interested parties and their requirements?
You: We know our customers require data protection and we’re subject to GDPR, but nothing is formally documented.
Agent: Running `maturity_rating_tool` for Clause 4.1 (Understanding the organization and its context)… Rating: Level 1 — Ad-hoc
- Justification: Awareness of key issues exists (GDPR, customer expectations) but no documented analysis. Context is understood informally by leadership but not systematically captured.
- To reach Level 3: Document internal/external issues in a formal context analysis. Identify interested parties and their requirements in a register. Review at least annually.
Let me continue through clauses 4.2–4.4, then we’ll move to Leadership (Clause 5)…
You: After going through all clauses, can you build the remediation roadmap?
Agent: Running `remediation_prioritizer` on your 23 findings… Phase 1 — Foundation (Weeks 1–4):
- Define ISMS scope (Clause 4.3) — Critical
- Draft information security policy (Clause 5.2) — Critical
- Establish document control process (Clause 7.5) — Major
- Assign ISMS roles and responsibilities (Clause 5.3) — Major
Phase 2 — Core Implementation (Weeks 5–10):
- Conduct risk assessment (Clause 6.1.2) — Critical
- Create Statement of Applicability (Clause 6.1.3) — Critical
- Define IS objectives (Clause 6.2) — Major
- Build competence and training program (Clause 7.2) — Moderate
Phase 3 — Operational Evidence (Weeks 11–16):
- Implement Annex A controls per SoA — Multiple findings
- Establish monitoring and measurement (Clause 9.1) — Major
Phase 4 — Validation (Weeks 17–20):
- Conduct internal audit (Clause 9.2) — Critical
- Hold management review (Clause 9.3) — Critical
- Establish corrective action process (Clause 10.2) — Major
Sample Output Excerpt
Below is a representative excerpt from a generated gap assessment showing the clause assessment and findings register sections.
Clause Assessment (excerpt)
| Clause | Area | Maturity | Key Findings |
|---|---|---|---|
| 4.1 | Context — internal/external issues | 1 | Issues understood informally but not documented |
| 4.2 | Interested parties | 1 | Customer and regulatory requirements known but no register |
| 4.3 | ISMS scope | 0 | No scope statement exists |
| 5.1 | Leadership commitment | 1 | CTO involved but no formal commitment or policy review |
| 5.2 | Information security policy | 0 | No IS policy — only acceptable use policy exists |
| 5.3 | Roles and responsibilities | 1 | CTO acts as security lead; no formal ISMS roles defined |
| 6.1.2 | Risk assessment | 0 | No risk assessment methodology or risk register |
| 6.1.3 | Risk treatment | 0 | No SoA or treatment plan |
| 9.2 | Internal audit | 0 | No internal audit program |
| 9.3 | Management review | 0 | No management review conducted |
Findings Register (excerpt)
| # | Clause | Severity | Finding | Remediation Action | Phase |
|---|---|---|---|---|---|
| F-001 | 4.3 | Critical | No ISMS scope statement defined | Draft scope statement covering SaaS platform, AWS infrastructure, and supporting processes | 1 |
| F-002 | 5.2 | Critical | No information security policy exists | Create IS policy with objectives, commitment, and compliance framework | 1 |
| F-003 | 6.1.2 | Critical | No risk assessment methodology or register | Define methodology (5x5 matrix), conduct initial risk assessment | 2 |
| F-004 | 6.1.3 | Critical | No Statement of Applicability | Create SoA with all 93 controls, justify inclusions/exclusions | 2 |
| F-005 | 9.2 | Critical | No internal audit program | Establish audit program, train/appoint auditors, schedule first audit | 4 |
| F-006 | 5.3 | Major | ISMS roles not formally defined | Appoint information security manager, define responsibilities matrix | 1 |
| F-007 | 7.2 | Moderate | No security awareness training program | Implement annual training with role-based modules | 2 |
Extension Tools
mandatory_artifact_detector
Scans the workspace for the 14 mandatory ISMS artifacts required by ISO 27001:2022:
| Artifact | Clause | What It Checks |
|---|---|---|
| ISMS scope statement | 4.3 | File existence matching scope patterns |
| Information security policy | 5.2 | Policy document with required content |
| Risk assessment methodology | 6.1.2 | Methodology document |
| Risk treatment plan | 6.1.3 | Treatment plan document |
| Statement of Applicability | 6.1.3 | SoA document |
| IS objectives | 6.2 | Objectives document |
| Competence records | 7.2 | Training/competence evidence |
| Operating procedures | 8.1 | Documented procedures |
| Risk assessment results | 8.2 | Risk register |
| Risk treatment results | 8.3 | Treatment implementation evidence |
| Monitoring results | 9.1 | Measurement/monitoring records |
| Internal audit results | 9.2 | Audit program and reports |
| Management review results | 9.3 | Meeting minutes/records |
| Corrective action records | 10.2 | Nonconformity and CAPA records |
maturity_rating_tool
Suggests a maturity rating (0–5) for a clause or control area based on assessment notes:
| Level | Name | Description |
|---|---|---|
| 0 | Nonexistent | No awareness, no process, no documentation |
| 1 | Ad-hoc | Informal, reactive, person-dependent |
| 2 | Repeatable | Some consistency, basic documentation, not standardized |
| 3 | Defined | Formal processes, documented, communicated, limited measurement |
| 4 | Managed | Measured, monitored, KPIs defined, regular review |
| 5 | Optimized | Continuous improvement, benchmarked, proactive adaptation |
clause_requirements_engine
Validates workspace documents against ISO 27001 clause requirements using keyword analysis. For each sub-clause (4.1–10.2), reports coverage percentage, covered topics, missing topics, and mandatory documented information status.
remediation_prioritizer
Takes gap assessment findings and produces a prioritized remediation plan grouped into 4 phases:
| Phase | Focus | Clauses |
|---|---|---|
| 1 — Foundation | Scope, policy, document control, roles | 4.x, 5.x, 7.5 |
| 2 — Core Implementation | Risk assessment, SoA, objectives, competence | 6.x, 7.x |
| 3 — Operational Evidence | Controls, operations, monitoring | 8.x, 9.1 |
| 4 — Validation | Internal audit, management review, corrective actions | 9.2, 9.3, 10.x |
Prioritization considers clause dependencies, audit risk severity, implementation effort, finding severity, and current maturity level.
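The following is an added example, not the skill's own code, showing the mechanical core of three of the tools above: filename-based artifact detection (`mandatory_artifact_detector`), keyword coverage of a document against a clause's required topics (`clause_requirements_engine`), and grouping of findings into the four phases (`remediation_prioritizer`). The in-memory workspace, the match patterns, the keyword lists and the severities are all constructed for the demo and are assumptions, not the skill's real rules.

```python
"""Added example: minimal re-implementation of artifact detection, keyword
coverage and phase prioritisation. Not the skill's code; every path, pattern,
keyword list and severity below is constructed for the demo."""
import re
from collections import defaultdict

# Constructed in-memory workspace (path -> document text).
WORKSPACE = {
    "policies/acceptable-use-policy.md":
        "Acceptable use of information and associated assets. Staff must ...",
    "ir/incident-response-plan.md":
        "Incident response plan. Roles: IR lead, on-call engineer. Reporting "
        "channel: security mailbox. Escalation to the CTO within one hour.",
    "procedures/backup-procedure.md":
        "Operating procedure for nightly AWS backups and restore tests.",
    "audits/soc2-type1-report.txt":
        "SOC 2 Type I report containing monitoring results for in-scope controls.",
}

# Artifact -> (clause, filename regex): a subset of the table above with
# assumed match patterns. Matching is on the basename, case-insensitive.
MANDATORY_ARTIFACTS = {
    "ISMS scope statement": ("4.3", r"scope"),
    "Information security policy": ("5.2", r"(information[-_ ]security|isms)[-_ ]policy"),
    "Risk assessment methodology": ("6.1.2", r"risk[-_ ]assessment"),
    "Statement of Applicability": ("6.1.3", r"\bsoa\b|statement[-_ ]of[-_ ]applicability"),
    "Operating procedures": ("8.1", r"procedure"),
    "Monitoring results": ("9.1", r"soc2|monitoring"),
    "Internal audit results": ("9.2", r"internal[-_ ]audit"),
}
# Constructed severities for a missing artifact; anything unlisted is Major.
SEVERITY_BY_CLAUSE = {"4.3": "Critical", "5.2": "Critical", "6.1.2": "Critical",
                      "6.1.3": "Critical", "9.2": "Critical"}
SEVERITY_RANK = {"Critical": 0, "Major": 1, "Moderate": 2, "Minor": 3}
PHASES = {1: "Foundation", 2: "Core Implementation",
          3: "Operational Evidence", 4: "Validation"}
# Required topics per sub-clause in keyword form (constructed lists).
CLAUSE_TOPICS = {
    "5.2": ["objectives", "commitment", "continual improvement", "communicated"],
    "A.5.24": ["roles", "reporting", "escalation", "lessons learned"],
}


def detect_artifacts(workspace, artifacts=MANDATORY_ARTIFACTS):
    """Return {artifact: (clause, 'Found'|'Missing', matching path or None)}.
    This is a presence check only; it says nothing about the file's content."""
    results = {}
    for name, (clause, pattern) in artifacts.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hit = next((p for p in workspace if rx.search(p.rsplit("/", 1)[-1])), None)
        results[name] = (clause, "Found" if hit else "Missing", hit)
    return results


def clause_coverage(text, clause, topics=CLAUSE_TOPICS):
    """Keyword coverage of one document against a clause's required topics,
    returned as (percentage, covered, missing). A hit shows the topic is
    mentioned, not that the requirement is met, so it directs manual review."""
    body = text.lower()
    required = topics[clause]
    covered = [t for t in required if t in body]
    missing = [t for t in required if t not in body]
    return round(100 * len(covered) / len(required)), covered, missing


def phase_for(clause):
    """Map a clause (or Annex A control id) to a phase per the table above.
    The specific 7.5 and 9.1 rules run before the generic 7.x / 9.x ones."""
    if clause == "7.5" or clause.startswith(("4.", "5.")):
        return 1
    if clause.startswith(("6.", "7.")):
        return 2
    if clause == "9.1" or clause.startswith("8."):
        return 3
    if clause in ("9.2", "9.3") or clause.startswith("10."):
        return 4
    return 3  # Annex A controls (A.x.y) are implemented per the SoA in Phase 3


def findings_from_detection(detected, severity_by_clause=SEVERITY_BY_CLAUSE):
    """Turn each missing artifact into a findings-register entry (maturity 0)."""
    findings = []
    for name, (clause, status, _) in detected.items():
        if status == "Missing":
            findings.append({"id": f"F-{len(findings) + 1:03d}", "clause": clause,
                             "severity": severity_by_clause.get(clause, "Major"),
                             "maturity": 0, "finding": f"No {name} in workspace"})
    return findings


def prioritize(findings):
    """Group findings by phase; within a phase order by severity, then lower
    current maturity, then clause number, so the roadmap is deterministic."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[phase_for(f["clause"])].append(f)
    for items in grouped.values():
        items.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["maturity"], f["clause"]))
    return dict(sorted(grouped.items()))


if __name__ == "__main__":
    plan = prioritize(findings_from_detection(detect_artifacts(WORKSPACE)))
    for phase, items in plan.items():
        print(f"Phase {phase} - {PHASES[phase]}")
        for f in items:
            print(f"  {f['id']} Clause {f['clause']} [{f['severity']}] {f['finding']}")
```

Two points the example is built to show. First, the match pattern for the Clause 5.2 policy deliberately does not accept any file named `*policy*`: with a loose pattern the acceptable use policy would register as "Found" and a Critical gap would disappear from the roadmap, which is the same distinction the findings register above makes in F-002. Second, a filename hit is only a presence check; the coverage function runs over the document body and reports which required topics are never mentioned (in the constructed incident response plan, "lessons learned"), and even a 100 % score only means every topic is named somewhere, so it should drive review, not substitute for it.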
Getting Started
Activate the ISO 27001 Gap Assessment skill. If you’ve completed the Organization Profile skill, load it — the agent uses your industry, tech stack, and regulatory context to tailor the assessment.
Have this information ready:
- Existing security policies, procedures, and standards
- Prior audit reports, certifications, or security assessments (SOC 2, penetration tests, etc.)
- System architecture and data flow documentation
- Names of people responsible for security decisions
The agent guides you through a 7-step workflow: gather inputs, assess management system clauses (4–10), check mandatory artifacts, assess Annex A controls, rate maturity, compile findings, and validate. Each clause area gets a maturity rating with actionable remediation steps.