ISO 27001 Gap Analysis

Check the maturity level of your ISMS according to ISO 27001.


ISO 27001 gap analysis: Kick-off for an ISMS

ISO 27001 does not give you any concrete instructions on what exactly you have to implement and how; it is also of little help with the question of which steps should be implemented in which order.

The ISO 27001 gap analysis delivers in about 5 man-days what you need:

  • We provide you with clarity on the scope of ISO 27001, in other words, 'what needs to be protected'.
  • We assess your ISMS processes, policies and measures, in other words, the 'where are you today'.
  • We evaluate this information and as a result provide you with a roadmap to get from A (baseline) to Z (certification), including time and cost estimates.

The process in detail

Plan and review

Before we start with the ISO 27001 gap analysis, we define in an initial meeting the framework conditions in order to provide you with the best possible added value. Do you already have a scope of the ISMS to be established? What are your reasons for conducting the ISO 27001 gap analysis? What are your expectations?

Afterwards, we create an audit plan so that you can start coordinating the dates of the audit sessions, which are the interviews with the respective area managers.

Before conducting the interviews, we review your existing security documents. These give us an initial indication of possible deficits.


Conduct interviews

Usually, we conduct the audit sessions or interviews on-site at your company. If desired, this can of course also take place remotely.

During the interviews with the department heads (for example IT, purchasing, facility management, human resources, production, compliance, ...) we identify possible security weaknesses as well as deviations from the requirements of ISO 27001. In parallel, we carry out technical spot checks. This enables us to assess whether relevant security aspects are actually integrated into business processes and whether your ISMS is 'lived'.


Deliver results

After we have conducted the audit sessions and examined your organization, we provide you with a detailed overview of your current implementation status, i.e. the maturity level of your ISMS according to ISO 27001. We document the identified action areas in a report. This gives you a fairly accurate idea of where the problems lie and what work is waiting for you.

You will receive additional 'start help' for the implementation of your ISMS from us in the form of an ISO 27001 roadmap. In it, we tell you which steps you should take in which order and how much time and resources you should plan for them.


Create awareness

Creating a certifiable ISMS requires the support of your organization's top management. Therefore, if desired, we are happy to conduct a management presentation at the end of the ISO 27001 gap analysis. In addition to the top findings, we will particularly address your ISO 27001 roadmap and sensitize your management to the following topics:

  • How the implementation of an ISMS according to ISO 27001 should usually be set up, and which setup has proven itself in practice.
  • What framework conditions must be created for this.
  • What roles and tasks top management has within an ISMS so that the ISMS can be effective and successful.

Do you want to know your ISO 27001 gap?

Let us get to know each other in a web meeting and let us determine whether your expectations harmonise with our services in the field of ISO 27001 gap analysis.

Why ISO 27001 gap analyses with HvS?

Standard but still individual
Of course we have a structured approach, but not a 'stereotypical' one with predefined questionnaires or checklists, because every situation (business model, available resources, legal or contractual requirements, market situation, etc.) is different and must therefore be considered individually.
No 'pig in a poke'
Initially, you only commission us to carry out the gap analysis. In this way, you get to know our values and our approach better and can then decide whether we offer you the right support for setting up your ISMS. We will also be happy to provide you with some reference contacts.
Consulting and audit
We not only advise on ISO 27001, we also audit for the certification authority TÜV Nord CERT, so we know both sides very well. It is precisely these "two hearts in our breast" that enable us to take a pragmatic approach that nevertheless meets the requirements of a certification.