# ISO 27001 Gap Assessment

> Perform a structured gap assessment against ISO 27001:2022 clauses 4-10 and 93 Annex A controls. Mandatory artifact detector scans for missing ISMS documents; maturity rating tool suggests 0-5 maturity levels per clause area. Produces findings register and remediation roadmap.



Tags: ISO 27001, ISMS, Compliance, Gap Assessment, GRC, Audit Readiness


## Example Prompts

- Run a gap assessment against ISO 27001 for our organization
- Check which mandatory ISMS documents we are missing
- Assess our current maturity level for ISO 27001 clause 6 risk management
- Create a remediation roadmap from our ISO 27001 gap assessment findings

URL: https://rakenne.app/skills/iso27001-gap-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-gap-assessment



## Overview

Perform a structured gap assessment against ISO 27001:2022 clauses 4–10 and all 93 Annex A controls. The assessment evaluates current information security practices, identifies gaps, and produces a prioritized remediation roadmap to guide the organization toward certification readiness.

The skill uses a 0–5 maturity model (Nonexistent → Optimized) to rate each clause area, a mandatory artifact detector to find missing ISMS documents, and a clause requirements engine to validate content coverage. A remediation prioritizer groups findings into four implementation phases based on clause dependencies and audit risk.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Management system clauses (4–10)** — clause-by-clause assessment with maturity ratings and evidence checks
- **Mandatory documented information** — scans for the 14 mandatory ISMS artifacts required by ISO 27001
- **Annex A controls** — implementation status assessment for all 93 controls
- **Findings register** — structured gap findings with severity, clause reference, and remediation actions
- **Remediation roadmap** — four-phase prioritized plan (Foundation → Core → Operational → Validation)

## Example Conversation

> **You:** We need to run a gap assessment against ISO 27001 for our organization. We're a B2B SaaS company with 120 employees, running on AWS.
>
> **Agent:** I'll guide you through a structured gap assessment covering clauses 4–10 and Annex A. Let me start by understanding what you have in place today.
>
> 1. Do you have any existing security policies or procedures documented?
> 2. Have you done any prior risk assessments or security audits?
> 3. Is there an existing asset inventory or data flow documentation?
> 4. Who currently manages information security?
>
> **You:** We have an acceptable use policy and a basic incident response plan. No formal risk assessment. Our CTO handles security decisions. We did a SOC 2 Type I last year.
>
> **Agent:** Good — the SOC 2 work gives you a head start. Let me check your workspace for existing ISMS artifacts. Running `mandatory_artifact_detector`...
>
> **Results — 4/14 artifacts found:**
>
> | Artifact | Clause | Status |
> |----------|--------|--------|
> | Information security policy | 5.2 | **Missing** |
> | ISMS scope statement | 4.3 | **Missing** |
> | Risk assessment methodology | 6.1.2 | **Missing** |
> | Risk treatment plan | 6.1.3 | **Missing** |
> | Statement of Applicability | 6.1.3 | **Missing** |
> | IS objectives | 6.2 | **Missing** |
> | Competence records | 7.2 | **Missing** |
> | Operating procedures | 8.1 | Found (partial) |
> | Incident response plan | A.5.24 | Found |
> | Acceptable use policy | A.5.10 | Found |
> | Internal audit results | 9.2 | **Missing** |
> | Management review records | 9.3 | **Missing** |
> | Corrective action records | 10.2 | **Missing** |
> | Monitoring results | 9.1 | Found (SOC 2 report) |
>
> 10 mandatory artifacts are missing. Let me now assess each clause area. Let's start with Clause 4 — Context of the Organization. Tell me: have you documented internal/external issues affecting information security, and have you identified interested parties and their requirements?
>
> **You:** We know our customers require data protection and we're subject to GDPR, but nothing is formally documented.
>
> **Agent:** Running `maturity_rating_tool` for Clause 4.1 (Understanding the organization and its context)...
>
> **Rating: Level 1 — Ad-hoc**
> - Justification: Awareness of key issues exists (GDPR, customer expectations) but no documented analysis. Context is understood informally by leadership but not systematically captured.
> - To reach Level 3: Document internal/external issues in a formal context analysis. Identify interested parties and their requirements in a register. Review at least annually.
>
> Let me continue through clauses 4.2–4.4, then we'll move to Leadership (Clause 5)...
>
> **You:** After going through all clauses, can you build the remediation roadmap?
>
> **Agent:** Running `remediation_prioritizer` on your 23 findings...
>
> **Phase 1 — Foundation (Weeks 1–4):**
> - Define ISMS scope (Clause 4.3) — Critical
> - Draft information security policy (Clause 5.2) — Critical
> - Establish document control process (Clause 7.5) — Major
> - Assign ISMS roles and responsibilities (Clause 5.3) — Major
>
> **Phase 2 — Core Implementation (Weeks 5–10):**
> - Conduct risk assessment (Clause 6.1.2) — Critical
> - Create Statement of Applicability (Clause 6.1.3) — Critical
> - Define IS objectives (Clause 6.2) — Major
> - Build competence and training program (Clause 7.2) — Moderate
>
> **Phase 3 — Operational Evidence (Weeks 11–16):**
> - Implement Annex A controls per SoA — Multiple findings
> - Establish monitoring and measurement (Clause 9.1) — Major
>
> **Phase 4 — Validation (Weeks 17–20):**
> - Conduct internal audit (Clause 9.2) — Critical
> - Hold management review (Clause 9.3) — Critical
> - Establish corrective action process (Clause 10.2) — Major

## Sample Output Excerpt

Below is a representative excerpt from a generated gap assessment showing the clause assessment and findings register sections.

---

### Clause Assessment (excerpt)

| Clause | Area | Maturity | Key Findings |
|--------|------|:--------:|-------------|
| 4.1 | Context — internal/external issues | 1 | Issues understood informally but not documented |
| 4.2 | Interested parties | 1 | Customer and regulatory requirements known but no register |
| 4.3 | ISMS scope | 0 | No scope statement exists |
| 5.1 | Leadership commitment | 1 | CTO involved but no formal commitment or policy review |
| 5.2 | Information security policy | 0 | No IS policy — only acceptable use policy exists |
| 5.3 | Roles and responsibilities | 1 | CTO acts as security lead; no formal ISMS roles defined |
| 6.1.2 | Risk assessment | 0 | No risk assessment methodology or risk register |
| 6.1.3 | Risk treatment | 0 | No SoA or treatment plan |
| 9.2 | Internal audit | 0 | No internal audit program |
| 9.3 | Management review | 0 | No management review conducted |

### Findings Register (excerpt)

| # | Clause | Severity | Finding | Remediation Action | Phase |
|---|--------|----------|---------|-------------------|-------|
| F-001 | 4.3 | Critical | No ISMS scope statement defined | Draft scope statement covering SaaS platform, AWS infrastructure, and supporting processes | 1 |
| F-002 | 5.2 | Critical | No information security policy exists | Create IS policy with objectives, commitment, and compliance framework | 1 |
| F-003 | 6.1.2 | Critical | No risk assessment methodology or register | Define methodology (5x5 matrix), conduct initial risk assessment | 2 |
| F-004 | 6.1.3 | Critical | No Statement of Applicability | Create SoA with all 93 controls, justify inclusions/exclusions | 2 |
| F-005 | 9.2 | Critical | No internal audit program | Establish audit program, train/appoint auditors, schedule first audit | 4 |
| F-006 | 5.3 | Major | ISMS roles not formally defined | Appoint information security manager, define responsibilities matrix | 1 |
| F-007 | 7.2 | Moderate | No security awareness training program | Implement annual training with role-based modules | 2 |


## Extension Tools

### `mandatory_artifact_detector`

Scans the workspace for the 14 mandatory ISMS artifacts required by ISO 27001:2022:

| Artifact | Clause | What It Checks |
|----------|--------|----------------|
| ISMS scope statement | 4.3 | File existence matching scope patterns |
| Information security policy | 5.2 | Policy document with required content |
| Risk assessment methodology | 6.1.2 | Methodology document |
| Risk treatment plan | 6.1.3 | Treatment plan document |
| Statement of Applicability | 6.1.3 | SoA document |
| IS objectives | 6.2 | Objectives document |
| Competence records | 7.2 | Training/competence evidence |
| Operating procedures | 8.1 | Documented procedures |
| Risk assessment results | 8.2 | Risk register |
| Risk treatment results | 8.3 | Treatment implementation evidence |
| Monitoring results | 9.1 | Measurement/monitoring records |
| Internal audit results | 9.2 | Audit program and reports |
| Management review results | 9.3 | Meeting minutes/records |
| Corrective action records | 10.2 | Nonconformity and CAPA records |

### `maturity_rating_tool`

Suggests a maturity rating (0–5) for a clause or control area based on assessment notes:

| Level | Name | Description |
|:-----:|------|-------------|
| 0 | Nonexistent | No awareness, no process, no documentation |
| 1 | Ad-hoc | Informal, reactive, person-dependent |
| 2 | Repeatable | Some consistency, basic documentation, not standardized |
| 3 | Defined | Formal processes, documented, communicated, limited measurement |
| 4 | Managed | Measured, monitored, KPIs defined, regular review |
| 5 | Optimized | Continuous improvement, benchmarked, proactive adaptation |

### `clause_requirements_engine`

Validates workspace documents against ISO 27001 clause requirements using keyword analysis. For each sub-clause (4.1–10.2), reports coverage percentage, covered topics, missing topics, and mandatory documented information status.
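To make the two workspace-scanning steps concrete, here is an added example in Python; it is not the skill's own code and the skill's real patterns and keyword lists are not published on this page. `detect_artifacts()` locates mandatory artifacts by filename pattern, as the `mandatory_artifact_detector` section describes, and `clause_coverage()` scores a document against a per-sub-clause topic list, as the `clause_requirements_engine` description above does. The filename patterns, the topic lists, the clause subset and the sample workspace are all constructed for illustration.

```python
"""
Added example (not the skill's own code): a minimal artifact detector and
keyword-coverage check in the style described above. Patterns, topic lists
and the sample workspace are constructed here; a real engine would carry the
full set of documented-information requirements per clause.
"""
import re
import tempfile
from pathlib import Path

# Constructed filename patterns for a subset of the 14 mandatory artifacts:
# artifact name -> (clause, regex matched against the file stem).
ARTIFACT_PATTERNS = {
    "ISMS scope statement": ("4.3", r"\bscope\b"),
    "Information security policy": ("5.2", r"(information[-_ ]?security|infosec)[-_ ]?policy"),
    "Risk assessment methodology": ("6.1.2", r"risk[-_ ]?(assessment[-_ ]?)?methodolog"),
    "Statement of Applicability": ("6.1.3", r"statement[-_ ]?of[-_ ]?applicability|\bsoa\b"),
    "Incident response plan": ("A.5.24", r"incident[-_ ]?response"),
    "Acceptable use policy": ("A.5.10", r"acceptable[-_ ]?use"),
    "Internal audit results": ("9.2", r"internal[-_ ]?audit"),
}

# Constructed, simplified topic lists per sub-clause (keyword analysis only).
CLAUSE_TOPICS = {
    "5.2": ["objectives", "continual improvement", "applicable requirements",
            "communicated", "interested parties"],
    "4.3": ["boundaries", "interfaces", "dependencies", "interested parties"],
}


def detect_artifacts(workspace):
    """Map each artifact to (clause, relative path of the first matching file, or None)."""
    root = Path(workspace)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    result = {}
    for name, (clause, pattern) in ARTIFACT_PATTERNS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hit = next((p for p in files if rx.search(p.stem)), None)
        result[name] = (clause, hit.relative_to(root).as_posix() if hit else None)
    return result


def missing_artifacts(detected):
    """Names of artifacts with no matching file, in table order."""
    return [name for name, (_, path) in detected.items() if path is None]


def clause_coverage(text, clause):
    """Keyword coverage of one document against a sub-clause's topic list."""
    topics = CLAUSE_TOPICS[clause]
    lowered = text.lower()
    covered = [t for t in topics if t in lowered]
    missing = [t for t in topics if t not in lowered]
    return {
        "clause": clause,
        "coverage_pct": round(100 * len(covered) / len(topics)),
        "covered": covered,
        "missing": missing,
    }


def build_sample_workspace():
    """Create a constructed workspace resembling the example conversation above."""
    root = Path(tempfile.mkdtemp(prefix="isms-"))
    (root / "policies").mkdir()
    (root / "policies" / "acceptable-use-policy.md").write_text("# Acceptable Use Policy\n")
    (root / "policies" / "infosec-policy-draft.md").write_text(
        "# Draft Information Security Policy\n\n"
        "Management is committed to protecting customer data and to continual "
        "improvement of the ISMS. Security objectives are set annually by the CTO.\n"
    )
    (root / "incident-response-plan.md").write_text("# Incident Response Plan\n")
    return root


if __name__ == "__main__":
    ws = build_sample_workspace()
    detected = detect_artifacts(ws)
    for name, (clause, path) in detected.items():
        print(f"{name:30} {clause:7} {path or 'MISSING'}")
    print("missing:", missing_artifacts(detected))
    policy = (ws / "policies" / "infosec-policy-draft.md").read_text()
    print("5.2 coverage:", clause_coverage(policy, "5.2"))
```

A keyword hit only proves a topic is mentioned, not that the document satisfies the clause, so treat the coverage percentage as a prompt for review rather than as audit evidence; likewise a file whose name matches a pattern still needs a content check before it counts as a found artifact.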

### `remediation_prioritizer`

Takes gap assessment findings and produces a prioritized remediation plan grouped into 4 phases:

| Phase | Focus | Clauses |
|-------|-------|---------|
| 1 — Foundation | Scope, policy, document control, roles | 4.x, 5.x, 7.5 |
| 2 — Core Implementation | Risk assessment, SoA, objectives, competence | 6.x, 7.x |
| 3 — Operational Evidence | Controls, operations, monitoring | 8.x, 9.1 |
| 4 — Validation | Internal audit, management review, corrective actions | 9.2, 9.3, 10.x |

Prioritization considers clause dependencies, audit risk severity, implementation effort, finding severity, and current maturity level.
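The phase grouping and ordering rules above can be expressed directly in code. The following Python is an added example, not the skill's own `remediation_prioritizer`: it assigns each finding to a phase by clause prefix using the phase table above, orders findings within a phase by severity and then by current maturity, and keeps a finding after any prerequisite clause in the same phase. The dependency map, the severity ranking and the sample findings (mirroring the register excerpt, with an assumed maturity for 7.2) are constructed here.

```python
"""
Added example (not the skill's own code): a small remediation prioritizer
in the style described above. Clause-to-phase rules follow the phase table;
the prerequisite map and sample findings are constructed for illustration.
"""
import re

PHASE_NAMES = {1: "Foundation", 2: "Core Implementation",
               3: "Operational Evidence", 4: "Validation"}

# Ordered rules: specific sub-clauses (7.5, 9.1) are tested before their
# parent clause families (7.x, 9.x) so the phase table is reproduced exactly.
PHASE_RULES = [
    (re.compile(r"^7\.5$"), 1),
    (re.compile(r"^[45]\."), 1),
    (re.compile(r"^[67]\."), 2),
    (re.compile(r"^9\.1$"), 3),
    (re.compile(r"^(8\.|A\.)"), 3),   # Annex A controls are implemented per the SoA in phase 3
    (re.compile(r"^(9\.[23]|10\.)"), 4),
]

SEVERITY_RANK = {"Critical": 0, "Major": 1, "Moderate": 2, "Minor": 3}

# Constructed prerequisite map: a clause is remediated after the clauses it
# builds on (e.g. the SoA in 6.1.3 needs the risk assessment in 6.1.2).
DEPENDS_ON = {
    "6.1.3": {"6.1.2"},
    "8.2": {"6.1.2"},
    "9.3": {"9.2"},
}


def phase_for(clause):
    """Return the roadmap phase (1-4) for a clause or Annex A control reference."""
    for rule, phase in PHASE_RULES:
        if rule.match(clause):
            return phase
    raise ValueError(f"no phase rule for clause {clause!r}")


def _priority_key(finding):
    # Higher severity first, then lower current maturity first, then clause order.
    return (SEVERITY_RANK[finding["severity"]], finding["maturity"], finding["clause"])


def _respect_dependencies(findings):
    """Stable reorder so every finding follows its same-phase prerequisites."""
    ordered, remaining = [], list(findings)
    while remaining:
        for f in remaining:
            prereqs = DEPENDS_ON.get(f["clause"], set())
            if not any(r["clause"] in prereqs for r in remaining if r is not f):
                ordered.append(f)
                remaining.remove(f)
                break
        else:
            raise ValueError("cyclic dependency among findings")
    return ordered


def build_roadmap(findings):
    """Group findings into the four phases; each phase list is priority-ordered."""
    roadmap = {phase: [] for phase in PHASE_NAMES}
    for f in findings:
        roadmap[phase_for(f["clause"])].append(f)
    for phase in list(roadmap):
        roadmap[phase] = _respect_dependencies(sorted(roadmap[phase], key=_priority_key))
    return roadmap


# Constructed findings mirroring the register excerpt above (maturity for 7.2 is assumed).
SAMPLE_FINDINGS = [
    {"id": "F-001", "clause": "4.3", "severity": "Critical", "maturity": 0, "title": "No ISMS scope statement defined"},
    {"id": "F-002", "clause": "5.2", "severity": "Critical", "maturity": 0, "title": "No information security policy exists"},
    {"id": "F-003", "clause": "6.1.2", "severity": "Critical", "maturity": 0, "title": "No risk assessment methodology or register"},
    {"id": "F-004", "clause": "6.1.3", "severity": "Critical", "maturity": 0, "title": "No Statement of Applicability"},
    {"id": "F-005", "clause": "9.2", "severity": "Critical", "maturity": 0, "title": "No internal audit program"},
    {"id": "F-006", "clause": "5.3", "severity": "Major", "maturity": 1, "title": "ISMS roles not formally defined"},
    {"id": "F-007", "clause": "7.2", "severity": "Moderate", "maturity": 1, "title": "No security awareness training program"},
]

if __name__ == "__main__":
    for phase, items in build_roadmap(SAMPLE_FINDINGS).items():
        print(f"Phase {phase} - {PHASE_NAMES[phase]}")
        for f in items:
            print(f"  {f['id']} ({f['clause']}, {f['severity']}): {f['title']}")
```

The dependency pass matters where severity alone would schedule a dependent item first: a Critical SoA finding (6.1.3) still lands after a Major risk-assessment finding (6.1.2) in the same phase, because the SoA cannot be justified without the risk results. Effort estimates, which the prioritizer above also weighs, are left out of this example.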

## Getting Started

Activate the *ISO 27001 Gap Assessment* skill. If you've completed the *Organization Profile* skill, load it — the agent uses your industry, tech stack, and regulatory context to tailor the assessment.

Have this information ready:
- Existing security policies, procedures, and standards
- Prior audit reports, certifications, or security assessments (SOC 2, penetration tests, etc.)
- System architecture and data flow documentation
- Names of people responsible for security decisions

The agent guides you through a 7-step workflow: gather inputs, assess management system clauses (4–10), check mandatory artifacts, assess Annex A controls, rate maturity, compile findings, and validate. Each clause area gets a maturity rating with actionable remediation steps.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
