How ISO 27001 Certification Works: ISMS and Gap Analysis

Thinking about expanding your business internationally? Maybe you’re based in the EU and need to get compliant to move upmarket. That means it’s time to talk about ISO 27001 certification. As the international standard for information security and data privacy, ISO 27001 applies to organizations of any size, type, or industry.

Importantly, ISO 27001 defines requirements to establish and maintain an information security management system and information security risk management. This pertains to financial systems, intellectual property, personally identifiable information, third-party data, and other protected data.

Setting up an ISMS is the crux of ISO 27001. And you may be wondering…

What is an ISMS?

An ISMS is an information security management system, and it is the basis of your ISO 27001 compliance. Through the ISMS, the organization’s management protects the confidentiality, availability, and integrity of information by securing people, processes, and technologies.

Confidentiality

Information and systems are kept private and safe from unauthorized access (people, processes, or entities)

This aspect of the ISMS involves tangible controls like multi-factor authentication, security tokens, and data encryption. It may also involve special training for individuals with access to restricted or classified data.

Availability

Data and systems are accessible to authorized users

Availability typically requires the maintenance and monitoring of your systems: preventing bottlenecks, providing redundancy, assuring business continuity, and keeping software and hardware up to date. Taken together, these measures prevent data loss and make disaster recovery possible.

Integrity

Data is complete and accurate

Finally, the integrity of your data concerns its trustworthiness. This aspect is the least concrete of the three. Ideally, businesses limit access to confidential data to specific roles or processes, and that limitation is what produces integrity in the ISMS: fewer people and processes touching your data means a lower chance of error, so the data can be trusted.

What kind of document is an ISMS?

An ISMS can be created in a variety of formats, from Word docs to PDFs and spreadsheets. It should be editable and change as your business grows.

Think of an ISMS as an overarching framework for auditors and the internal organization. Your ISMS should describe the purpose of each company policy, and the scope of that policy. It acts as an application letter for ISO 27001 by defining exactly what requirements your company fulfills through policies, practices, and procedures.

Ultimately, you’ll end up with a document specifying the governance of your systems. It should be shorter and more specific than an information security policy, for example, and focus on management and oversight. This document will establish a governance model to protect and secure your scoped systems.

Read our complete ISO 27001 Guide for Founders here.

Scoping ISO 27001

When you’re looking at implementing any new compliance framework, you’ll need to consider the scope of the controls. Simply, think about which sectors of your organization will need to comply with ISO 27001 and implement an ISMS. If you’re a startup, it’s likely that ISO 27001 will apply to your entire organization.

When your team is scoping ISO 27001, they will identify the specific requirements that need to be implemented. These controls are chosen from Annex A, the standard’s list of reference controls, and listed in the Statement of Applicability in your ISMS.

The scope is less of a consideration when you’re leading a smaller organization or a start-up; you can consider every team and/or control within the scope.

Statement of Applicability

ISO 27001 asks businesses to include a Statement of Applicability (SoA) as part of the ISMS. Your SoA, like an ISMS, can be held in a Word document, PDF, or variety of formats.

The statement should include:

  • A list of the ISO 27001 Annex A controls,
  • whether each control has been implemented,
  • the reason for including or excluding each control,
  • and a description of how each implemented control is realized.

The SoA should be reviewed and updated at least annually. While the statement itself probably will not change drastically from year to year, the underlying information within your ISMS should. As your business grows, the information security policies protecting data will evolve, and your SoA should reflect those changes.

Gap Analysis

After determining the scope of ISO 27001 compliance, assess your organization’s current security posture. Comparing this to ISO 27001 requirements will identify the gaps that need to be filled.

If your company has been operating for a couple of years, it’s likely that you already have some best practices in place. For instance, having a formal hiring process is fairly common. Before diving into each specific control, you’ll need to understand where the biggest gaps are and how to prioritize them.

If you do not have compliance specialists in-house, it’s likely that you’ll need to hire a consultant to execute the gap analysis. The consultant or specialist will assess existing policies, procedures, and practices, and examine their alignment with ISO 27001 requirements. Based on the findings, your business can address deficiencies in information security and reduce the likelihood of a breach.

The findings of a gap analysis should include:

  • The scope of the ISMS and how it will meet business objectives
  • An overview of the current state of information security
  • Gaps between current practices and ISO 27001 requirements
  • A plan to implement ISO 27001 ISMS and the amount of effort required
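The Statement of Applicability above is essentially a table of controls with four fields per row, and the gap analysis is a comparison of that table against what is actually in place. As an added example (not part of this post, and not a tool from any certification body), the Python script below models an SoA with those four fields, validates the document itself (every catalogued control present, every inclusion or exclusion justified, every implemented control described, every entry reviewed within the last year), and derives the prioritized gap list and a rough effort figure. The control identifiers, descriptions, risk scores and the hours-per-risk-point factor are all constructed placeholders, not the real Annex A numbering or wording; substitute your edition of Annex A and your own estimates.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical control catalogue with placeholder identifiers (NOT the real
# Annex A numbering or text). In practice this comes from your edition of the standard.
CATALOGUE = {
    "A.1": "Information security policy approved by management",
    "A.2": "Screening of personnel before hiring",
    "A.3": "Multi-factor authentication for privileged access",
    "A.4": "Encryption of customer data at rest",
    "A.5": "Backups and periodic restore testing",
    "A.6": "Physical access control for server rooms",
    "A.7": "Supplier security agreements",
}


@dataclass
class SoAEntry:
    """One row of the Statement of Applicability: the four fields the post lists."""
    control_id: str
    applicable: bool                 # included in scope or excluded
    implemented: bool                # implemented or not
    justification: str               # reason to include or exclude the control
    implementation: str = ""         # description of how the control is implemented
    risk: int = 0                    # constructed 1 (low) .. 5 (high) impact if the gap stays open
    last_reviewed: Optional[date] = None


def validate_soa(entries, catalogue=CATALOGUE, today=None):
    """Problems with the SoA document itself, independent of whether controls work."""
    today = today or date.today()
    problems = []
    present = {e.control_id for e in entries}
    for cid in catalogue:
        if cid not in present:
            problems.append(f"{cid}: control missing from the SoA")
    for e in entries:
        if e.control_id not in catalogue:
            problems.append(f"{e.control_id}: not in the control catalogue")
        if not e.justification.strip():
            problems.append(f"{e.control_id}: no inclusion/exclusion reason given")
        if e.implemented and not e.applicable:
            problems.append(f"{e.control_id}: marked implemented but excluded from scope")
        if e.implemented and not e.implementation.strip():
            problems.append(f"{e.control_id}: implemented but no implementation description")
        if e.last_reviewed is None or today - e.last_reviewed > timedelta(days=365):
            problems.append(f"{e.control_id}: not reviewed within the last year")
    return problems


def gap_analysis(entries):
    """Applicable controls that are not yet implemented, highest risk first."""
    gaps = [e for e in entries if e.applicable and not e.implemented]
    return sorted(gaps, key=lambda e: (-e.risk, e.control_id))


def estimate_effort(gaps, hours_per_risk_point=8):
    """Crude effort estimate: assumed linear in risk score (placeholder factor)."""
    return sum(e.risk * hours_per_risk_point for e in gaps)


# Constructed sample SoA for a small start-up; a fixed date keeps the run reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_SOA = [
    SoAEntry("A.1", True, True, "Required for every ISMS",
             "Policy signed off by the CEO, reviewed yearly", 2, date(2024, 1, 15)),
    SoAEntry("A.2", True, True, "All staff handle customer data",
             "Reference and background checks in the HR hiring process", 2, date(2024, 1, 15)),
    SoAEntry("A.3", True, False, "Engineers hold production admin rights", "", 5, date(2024, 1, 15)),
    SoAEntry("A.4", True, False, "Customer PII stored in our database", "", 4, date(2022, 3, 1)),
    SoAEntry("A.5", True, True, "Availability commitments to customers", "", 3, date(2024, 1, 15)),
    SoAEntry("A.6", False, False, "", "", 1, date(2024, 1, 15)),
]


def report(entries, today=TODAY):
    """Gap-analysis summary in the shape of the findings listed in the post."""
    gaps = gap_analysis(entries)
    return {
        "scope": sorted(e.control_id for e in entries if e.applicable),
        "current_state": sorted(e.control_id for e in entries if e.implemented),
        "gaps": [(g.control_id, CATALOGUE[g.control_id], g.risk) for g in gaps],
        "estimated_hours": estimate_effort(gaps),
        "soa_problems": validate_soa(entries, today=today),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SOA).items():
        print(f"{key}: {value}")
```

Running it flags four document problems (a catalogued control absent from the SoA, a stale review, an implemented control with no description, and an exclusion with no reason) and lists two gaps, the privileged-access MFA control first because it carries the higher constructed risk score. The document checks are deliberately separate from the gap list: an auditor reads the SoA before looking at any control, so a well-formed statement is worth verifying on its own.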

This is the first step in the ISO 27001 certification process, which will help the organization move into strategically implementing controls. Stay tuned for our next post, which will cover the implementation process.
