📈 ISO/IEC 27001:2022 Guide

ISO 27001 Gap Analysis: Free Tool & Complete Guide 2026

Skyhigh Cybersecurity Research Team | March 15, 2026 | 8 min read | ISO 27001 • ISMS • Annex A

ISO/IEC 27001:2022 is the world's leading international standard for Information Security Management Systems (ISMS). With over 70,000 organizations certified globally and growing recognition among enterprise procurement teams, ISO 27001 certification has evolved from a differentiator to a baseline requirement in many industries. The 2022 revision — published in October 2022 with a transition deadline of October 2025 — introduced the most significant structural changes to the standard in over a decade.

A gap analysis is the essential first step in any ISO 27001 implementation or transition program. It identifies the delta between your current information security controls and what the standard requires, allowing you to prioritize remediation efforts and build a realistic implementation roadmap. This guide covers the 2022 changes, the gap analysis process, the most commonly deficient controls, and what to expect on the path to certification.

Section 1: ISO 27001:2022 Key Changes

Organizations holding ISO 27001:2013 certification were required to transition to the 2022 version by October 31, 2025. The 2022 revision significantly restructured Annex A, reducing the total control count from 114 to 93 controls, reorganized into four themes rather than the previous 14 domains. Eleven controls were merged, 23 were renamed, and most importantly, 11 entirely new controls were introduced — though the CMMC framework officially describes 4 as "new" in a narrower sense.

The Four Control Themes in ISO 27001:2022

Theme 5, Organizational (37 controls): Policies, roles, responsibilities, governance, supplier relations, threat intelligence.

Theme 6, People (8 controls): Screening, terms of employment, awareness, training, disciplinary process, remote working.

Theme 7, Physical (14 controls): Physical security perimeters, clear desk/screen, equipment security, physical security monitoring.

Theme 8, Technological (34 controls): Access control, malware protection, logging, web filtering, data masking, DLP, SIEM, configuration management.

The 4 Highest-Impact New Controls

Among the 11 new controls introduced in the 2022 revision, four represent genuinely new capability requirements that most organizations did not have formal programs for under the 2013 standard:

Control | Title | What It Requires
A.5.7 | Threat Intelligence | Collect and analyze information about threats to produce actionable threat intelligence for security decisions.
A.5.23 | Information Security for Cloud Services | Establish and implement processes for acquisition, use, management, and exit from cloud services, covering IaaS, PaaS, and SaaS.
A.5.30 | ICT Readiness for Business Continuity | Plan, implement, and test ICT readiness based on business continuity objectives and ICT continuity requirements.
A.7.4 | Physical Security Monitoring | Continuously monitor premises for unauthorized physical access, which requires documented monitoring procedures, not just CCTV installation.

The 2022 revision also introduced a new attribute tagging system for controls, assigning each control properties like cybersecurity concept (Identify/Protect/Detect/Respond/Recover), operational capabilities, and security domains. While these attributes do not change what controls require, they are used in the Statement of Applicability and support risk-based selection.

Section 2: The ISO 27001 Gap Analysis Process

A structured gap analysis is not simply running through a checklist — it requires understanding the organization's context, information assets, and risk environment before evaluating individual controls. The process should follow the Plan-Do-Check-Act (PDCA) cycle embedded in the standard itself.

1. Scope Definition

Define the boundaries of the ISMS — which organizational units, locations, processes, and information assets are in scope. ISO 27001 Clause 4.3 requires the scope to be documented and available as a managed document. Scope decisions directly affect certification cost and timeline — a narrowly scoped ISMS may certify faster but provide less business value.

2. Current State Inventory

Inventory existing information security policies, procedures, technical controls, and documentation. This establishes the baseline for gap measurement. Many organizations discover that controls exist informally but lack the documentation that an auditor requires to verify implementation.

3. Control-by-Control Assessment Against Annex A

Evaluate each of the 93 Annex A controls across all four themes. For each control, determine: Is it applicable? (Not all controls are always applicable — exclusions must be justified in the SoA.) If applicable, is it implemented? Is there documented evidence of implementation and effectiveness?

4. Gap Identification and Risk Mapping

Document all gaps — controls required by the risk assessment that are not currently implemented or not demonstrably effective. Categorize gaps by severity and map them to the information risks they leave unmitigated. This forms the basis of the risk treatment plan.

5. Risk Treatment Plan and Statement of Applicability

Develop the Risk Treatment Plan (RTP) — documenting which risks will be treated, transferred, tolerated, or terminated. Complete the Statement of Applicability (SoA), which lists all Annex A controls, whether each is included or excluded, the justification, and implementation status. The SoA is a mandatory output of the ISO 27001 process and a primary audit artifact.

6. Remediation Roadmap

Sequence remediation activities based on risk priority, implementation effort, and certification timeline requirements. Assign owners, set deadlines, and establish metrics to track progress. Most organizations target closing critical and high-priority gaps before the Stage 1 documentation review audit.
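As an added illustration of steps 3 through 6 (example code written for this guide, not the article's own tool), the following Python models one SoA assessment row per control and derives unjustified exclusions, the gap list, gaps per theme, a remediation order and a readiness score from it. The control ids and theme sizes are the article's; the Assessment fields, the severity scale, the effort scale and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass

THEME_SIZES = {5: 37, 6: 8, 7: 14, 8: 34}  # Annex A theme sizes, 2022 revision
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed scale for step 4

@dataclass
class Assessment:
    """One SoA row: the three step 3 questions plus risk and effort for steps 4 and 6."""
    control: str              # Annex A id, e.g. "A.5.7"
    title: str
    applicable: bool          # exclusions must be justified in the SoA
    implemented: bool
    evidence: bool            # documented evidence of implementation and effectiveness
    severity: str = "medium"  # assumed: critical/high/medium/low, from the risk mapping
    effort: int = 1           # assumed relative implementation effort, 1 (low) to 5 (high)
    justification: str = ""   # required when applicable is False

def soa_issues(records):
    """Unjustified exclusions: a typical Stage 1 finding against the SoA."""
    return [r.control for r in records if not r.applicable and not r.justification.strip()]

def gaps(records):
    """Step 4: applicable controls not implemented or not demonstrably effective."""
    return [r for r in records if r.applicable and not (r.implemented and r.evidence)]

def gaps_by_theme(records):
    """Gap count per theme, read from the theme number inside the control id."""
    counts = {t: 0 for t in THEME_SIZES}
    for r in gaps(records):
        counts[int(r.control.split(".")[1])] += 1
    return counts

def remediation_order(records):
    """Step 6: sequence gaps by risk priority, then lower effort first."""
    return sorted(gaps(records), key=lambda r: (SEVERITY_RANK[r.severity], r.effort, r.control))

def readiness_score(records):
    """Percentage of applicable controls implemented with evidence."""
    applicable = [r for r in records if r.applicable]
    ok = sum(1 for r in applicable if r.implemented and r.evidence)
    return round(100.0 * ok / len(applicable), 1) if applicable else 0.0

SAMPLE = [  # constructed assessment records for illustration, not real audit data
    Assessment("A.5.7", "Threat intelligence", True, True, False, "high", 3),
    Assessment("A.5.23", "Cloud services", True, False, False, "critical", 4),
    Assessment("A.7.4", "Physical security monitoring", True, True, True, "medium", 2),
    Assessment("A.8.11", "Data masking", True, False, False, "high", 2),
    Assessment("A.8.23", "Web filtering", False, False, False),  # excluded, unjustified
]
```

Note that A.5.7 counts as a gap even though it is marked implemented, because the article's step 3 asks for evidence of effectiveness, not just implementation.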

Section 3: Most Common ISO 27001:2022 Gaps

Analysis of certification audit findings consistently identifies the same Annex A control areas as the most frequent sources of non-conformities, both for organizations seeking initial certification and those transitioning from the 2013 standard. Understanding these common gaps allows compliance teams to prioritize their gap analysis efforts.

A.5.19 / A.5.20 / A.5.21: Supplier Security Management

Arguably the most common major non-conformity cluster. Organizations frequently have contracts with suppliers but lack formal information security requirements in those contracts, a process for assessing supplier security maturity, or procedures for managing changes to supplier services. The 2022 standard further extends this to ICT supply chain security (A.5.21), requiring assessment of hardware and software suppliers.

A.5.23: Information Security for Cloud Services

One of the four highest-impact new 2022 controls, and a near-universal gap in organizations that have not yet formally documented their cloud service inventory, classification of data in cloud environments, shared responsibility model documentation, and exit procedures. Most organizations use cloud extensively but have not formalized the governance structure the standard requires.

A.5.7: Threat Intelligence

Another new 2022 control that requires a formal program — not just subscribing to threat feeds. Auditors look for evidence that threat intelligence is actually analyzed, disseminated to relevant stakeholders, and used to inform security decision-making. An ad-hoc approach to consuming vendor advisories does not typically satisfy this control.

A.8.11: Data Masking

A new 2022 control requiring data masking to be used in accordance with the organization's access control policy and business and legal requirements. Many organizations have personal data in development and test environments that is not masked, creating both compliance and data protection risk.

A.8.12: Data Leakage Prevention

DLP as a formal control is new in the 2022 revision. Organizations are required to apply DLP measures to systems, networks, and devices that process, store, or transmit sensitive information. Many lack deployed DLP tools or have tools deployed without formal policies, monitoring processes, or incident response procedures for DLP alerts.

A.8.16: Monitoring Activities

Networks, systems, and applications are required to be monitored for anomalous behavior, and monitoring results used to evaluate the effectiveness of security measures. Organizations frequently have logging enabled but lack a formal monitoring process — no defined baselines, no alert triage process, and no evidence that monitoring results inform security decisions.

A.8.23: Web Filtering

A new 2022 control requiring web filtering to protect systems from access to malicious websites. While most organizations have perimeter controls, auditors look for documented web filtering policies that specify permitted categories, exception handling procedures, and evidence of monitoring.

Transition Insight: Organizations transitioning from ISO 27001:2013 should prioritize the 11 new controls as immediate gap analysis targets. Certification bodies reported that supplier security management, cloud security, and threat intelligence were the three control areas most frequently cited as non-conformities in 2024-2025 transition audits.

Ready to identify your ISO 27001 gaps? Take our free 5-minute online gap analysis — get an instant score across all 93 Annex A controls and a prioritized remediation guide.

Take the Free ISO 27001 Gap Analysis →

Section 4: ISO 27001 Gap Analysis Checklist

Use this 10-point readiness checklist to evaluate your ISMS program before a formal certification audit. Each item corresponds to a mandatory requirement in ISO 27001:2022 Clauses 4 through 10, not just Annex A controls.

Section 5: ISO 27001 Certification Timeline

The path from initial gap analysis to ISO 27001 certification typically spans 9 to 18 months, depending on organizational size, current security maturity, ISMS scope complexity, and the availability of internal resources. Well-prepared organizations with existing frameworks (such as SOC 2 or NIST CSF) often reach certification in 9-12 months; organizations building an ISMS from scratch typically need 15-18 months.

Stage 1 Audit: Documentation Review

The Stage 1 (or "desk review") audit is typically conducted on-site or remotely, lasting 1-2 days for small-to-medium organizations. The certification body auditor reviews the ISMS documentation — scope, risk assessment, Statement of Applicability, risk treatment plan, ISMS policies, and key procedures. The goal is to determine whether the organization is ready for the Stage 2 audit. Stage 1 findings must typically be remediated before Stage 2 is scheduled.

Common Stage 1 findings include: incomplete SoA, risk assessment not linked to Annex A control selection, missing mandatory documented information (as specified in the standard's normative requirements), and insufficient evidence of management involvement in ISMS governance.

Stage 2 Audit: Implementation Audit

The Stage 2 audit verifies that the ISMS is implemented, operating effectively, and achieving its stated objectives. Auditors use examination, interview, and observation techniques across all in-scope areas. Duration varies from 2-3 days (small scope) to 1-2 weeks (large enterprise scope). Nonconformities are classified as major (preventing certification) or minor (requiring correction within a defined period, typically 90 days).

A major nonconformity in the Stage 2 audit results in postponed certification pending remediation verification. Most organizations that have completed thorough internal audits and gap analysis programs avoid major nonconformities at Stage 2.

Surveillance and Recertification

ISO 27001 certification is valid for three years, subject to annual surveillance audits that verify continued compliance and continuous improvement. Recertification audits occur at the three-year mark. Organizations that treat ISO 27001 as a living program — rather than a one-time compliance exercise — consistently perform better in surveillance and recertification audits.

Exercise Documentation Tip: ISO 27001 requires evidence that the incident management procedure has been tested. Auditors specifically look for documented tabletop exercise results that demonstrate the procedure works in practice. Organizations that run structured tabletop exercises using realistic threat scenarios and retain formal After Action Reports have a significantly easier path through Stage 2 audits.

Start Your ISO 27001 Gap Analysis Today

Get a free, instant gap score across all 93 ISO/IEC 27001:2022 Annex A controls. Identify your priority gaps, understand your certification readiness, and get a customized implementation roadmap.

No credit card required. Results in 5 minutes. Aligned to ISO/IEC 27001:2022.