What is an ISO 27001 gap analysis?

An ISO 27001 gap analysis compares your current information security management system against ISO/IEC 27001 to find which controls and documentation are missing or incomplete before certification. OntoRamp runs it structurally: it maps your ISMS corpus into a graph and measures where Annex A control intent exists but the evidence chain breaks, and which governance domains are thin.

What does the gap analysis cover?

The management-system clauses (4 to 10) and the Annex A controls, evaluated as documentation coverage and evidence traceability rather than as a single pass-or-fail checklist. The output is a prioritized inventory of broken evidence chains and thin domains.

Does OntoRamp certify ISO 27001?

No. An accredited certification body issues the ISO/IEC 27001 certificate after a successful audit. OntoRamp produces the readiness and gap analysis that prepares you for that audit; it does not award the certificate.

How is a gap analysis different from the certification audit?

A gap analysis is preparatory and self-directed — it finds and prioritizes gaps so you can close them. The certification audit is performed by an accredited certification body and determines whether the certificate is granted.

Can I run it without bringing in consultants?

Yes. The automated analysis runs from your uploaded ISMS corpus and returns the gap inventory directly. Many teams use it for a first internal pass, then engage a consultant or certification body for the formal audit.

How to Do an ISO 27001 Gap Analysis

How to do an ISO 27001 gap analysis

An ISO 27001 gap analysis measures the distance between your current information security management system and what the standard requires. Done as a manual checklist it is slow, subjective, and blind to structure — it confirms a policy exists without checking whether anything downstream actually references it.

OntoRamp does the same comparison structurally. It maps your ISMS corpus into a governance graph and measures where Annex A control intent is declared but the evidence chain breaks, and which governance domains are thin. Those structural gaps are exactly the ones that surface at the Stage 2 audit, when an auditor follows a control to its evidence and finds nothing there.

What the gap analysis measures

Clause and Annex A coverage — which requirements are documented and which are absent.
Evidence traceability — where a declared control connects to real records versus where the chain breaks.
Domain coverage asymmetry — which governance domains are mature and which are performative.
Statement of Applicability drift — where the SoA claims a control the corpus does not substantiate.

The four steps

Assemble your ISMS documentation. Policies, the Statement of Applicability, the risk treatment plan, procedures, and records.
Run an automated structural gap analysis. Upload the corpus through the assessment intake, or call the governance tools (get_maturity_gap, lint_document) over the MCP API.
Read the gap inventory. Work through the broken evidence chains against the clauses (4 to 10) and the Annex A controls, and the domains that carry the most exposure.
Build the roadmap, then re-run. Prioritize remediation, close the gaps, and re-run before the Stage 1 and Stage 2 certification audits.

Where OntoRamp fits

An accredited certification body issues the ISO/IEC 27001 certificate; OntoRamp does not. What OntoRamp provides is the structural readiness underneath the audit — the view of which controls are genuinely documented and connected, so the formal audit holds no surprises.

The same engine handles adjacent reviews. Compare the SOC 2 readiness guide, the audit-readiness use case, or read how the assessment computes scores.

Start a gap analysis at ontoramp.com/assess.