Free Tool · ISO/IEC 27001:2022

Free ISO 27001 Gap Analysis

Developed by consultants behind 500+ successful certifications. Answer 30 questions about your organisation and get an instant readiness score, a prioritised remediation map, and a downloadable gap analysis report.

About 15 minutes. No registration. Your answers never leave your browser.

ISO 27001 Gap Analysis

Understand how close your organisation is to certification

Free · No registration · ~15 minutes

This free self-assessment gives you a clear, objective picture of your organisation's readiness against ISO/IEC 27001:2022 — the international standard for information security management.

  • Quick and easy: 30 plain-language questions across 5 key areas.
  • Time: About 15 minutes.
  • Result: An instant readiness score and a detailed gap register.

Built by HEIC consultants · 500+ successful certifications

🔒 Full Privacy & Flexibility

  • 100% local: The assessment runs entirely on your device. Your answers never leave your browser — nothing is uploaded or stored on our servers.
  • Progress saved: Your progress is automatically saved in this browser. You can close the page and return to it later.

Prefer to review your results with an expert? After completing the assessment, you can request a free 30-minute session with one of our consultants — no commitment required.

What You'll Get in 15 Minutes

A percentage on its own doesn't tell you what to do on Monday morning. This gap analysis produces the working documents an ISO 27001 project actually starts from:

Readiness score and diagnostic

An overall readiness percentage against ISO/IEC 27001:2022, plus two sub-scores — your management system (Clauses 4–10) and your security controls (Annex A) — that show not just how far you are from certification, but which side of the standard needs attention first.

Gap register

Every requirement where you're partially covered or not covered at all, listed with its clause or control reference. This is the same starting artefact a consultant would produce in a paid gap analysis.

Prioritised remediation map

Your gaps ordered the way an experienced implementer would tackle them: management system foundations first, operating rhythm second, individual controls third. Working top to bottom avoids the most common way ISO 27001 projects stall.

Statement of Applicability preview

An indicative status for the 51 Annex A controls the assessment covers — a head start on one of the first documents a certification auditor will ask to see.

Downloadable gap analysis report

All of the above in a single document you can save, print, and put in front of your management team.

Client Testimonials

Trusted by Organisations Across Bulgaria and the EU

"HEIC LTD made the implementation of ISO 27001 easy and understandable. They explained everything clearly, guided us step by step, and we passed the audit with an excellent score. As a result, we now have a stable risk management framework and a stronger information security culture. The certificate itself helps us with our customers, as we work in a very conservative and demanding industry. I have already recommended HEIC LTD to colleagues from other companies."

Miroslav Valchev
FindMeCure

"HEIC LTD delivered exceptional results on our ISO 27001 certification journey. From initial gap analysis to final audit, they provided clear guidance and practical solutions tailored to our business needs. Their consultants were responsive, knowledgeable, and made complex compliance requirements accessible to our entire organization. An invaluable partnership we're grateful for."

Dinko Manolov
Kodin Soft

"HEIC LTD made our ISO 27001 certification process smooth and stress-free. Their expert guidance, clear roadmap, and practical tools helped us achieve certification with zero nonconformities. Beyond compliance, they strengthened our overall security culture and boosted client trust. A truly professional and results driven partner."

Gospodin Gochev
GENERIX LTD

Fifteen Minutes, Three Steps

Answer 30 questions

Five short sections covering the full scope of ISO/IEC 27001:2022 — from ISMS scope and risk assessment to access control, backups, and incident management. Each question explains what "implemented" actually looks like, so you can answer the way an auditor would judge it.

Get your results instantly

Your readiness score, band, and diagnostic are calculated on your device the moment you finish. No waiting, no "we'll email your results" — and no email required.

Download your gap analysis report

Take the report, gap register, and remediation map straight into your planning. If you'd like an expert's read on the results, you can request a free 30-minute review from one of our consultants — entirely optional.

Your Answers Stay With You

This assessment runs entirely in your browser. Your answers are never uploaded, stored on our servers, or shared — we couldn't read them if we wanted to. Progress is saved locally on your device so you can leave and come back.

The only exception is one you control: if you choose to request an expert review, the structured results you see on screen — scores and gap register — are sent to us so a consultant can prepare. Nothing is transmitted unless you press that button.

We built it this way deliberately. An honest gap analysis requires honest answers, and honest answers require knowing nobody is reading over your shoulder.

Built by Practitioners

This tool was developed by the consultants at HEIC Ltd — Health Environment InfoSecurity Consulting — drawing on 25+ years of management systems consulting and more than 500 successful certifications. Our clients consistently achieve zero or minimal nonconformities at their certification audits. The 30 questions are the ones we weight most heavily when we assess a new client's readiness: the requirements where certification audits are most often won or lost.

ISO 27001 Gap Analysis FAQ

A gap analysis compares your organisation's current security practices against the requirements of ISO/IEC 27001 — both the management system clauses (4–10) and the Annex A controls. The output is a register of gaps: requirements you don't yet meet, or meet only partially. It's typically the first step of any certification project, because it turns "we need ISO 27001" into a concrete list of work with priorities attached.

They answer different questions. A gap analysis measures you against the standard's requirements — what's missing for certification. A risk assessment, which is itself one of those requirements, measures threats to your specific information — what could go wrong and how badly. You'll need both: the gap analysis tells you that a risk assessment is required and whether yours is adequate; the risk assessment then drives which Annex A controls you implement.

It's free, ungated, and complete — score, gap register, remediation map, SoA preview, and the downloadable report, with no registration. The honest commercial logic: some organisations will take the report and run their project themselves, and that's fine. Others will want expert help closing the gaps, and we'd like to be the firm they call. The optional expert review exists for exactly that — but every deliverable works without it.

No. The assessment runs entirely in your browser and nothing is transmitted to us — unless you explicitly request the expert review, in which case your scores and gap register (never your raw answers) are sent so a consultant can prepare for your call.

Yes. All 30 questions reference ISO/IEC 27001:2022 — the current version of the standard — including the restructured Annex A with its 93 controls across organisational, people, physical, and technological themes. The 2013 version is fully withdrawn; any new certification is conducted against 2022.

Around 15 minutes if you know your organisation's practices reasonably well. Your progress saves automatically in your browser, so you can pause and return — useful if you need to check details with a colleague.

A template gives you blank rows; this gives you answers. The tool applies a scoring model, prioritises your gaps in implementation order, and generates the report for you — work you would otherwise do manually in a spreadsheet. That said, a self-assessment of any kind is only as accurate as your answers, which is why each question defines what "implemented" looks like in evidence terms.

Not entirely, and we won't pretend otherwise. A consultant-led gap analysis involves examining your actual documents, interviewing staff, and testing whether controls work in practice — a self-assessment relies on your own judgement. What this tool does is get you 80% of the orientation at 0% of the cost: you'll know your readiness band, your weakest areas, and your priority order before you spend anything. Many organisations use exactly this sequence — self-assess first, then bring in help where the gaps are.

Start at the top of your remediation map — it's ordered deliberately, foundations first. If your score landed in the Foundation or Developing band, the management system core (scope, policy, risk methodology) is almost certainly where to begin. If you'd like a second pair of eyes, the free expert review walks you through your specific results, or you can read about our full ISO 27001 implementation service at heic.eu/iso-27001/.

Talk to an ISO 27001 Expert

Completed the assessment and ready to act on your results? Still deciding where to start? Either way, our consultants can walk you through what certification involves, help you scope your project, and answer your questions — no commitment required.

Speak to an Expert