What’s the difference between an ISO 27001 risk assessment and gap analysis?

The ISO 27001 implementation and review process centres upon the risk assessment and gap analysis process. These two pivotal steps provide you with the bulk of the information you need comply with the Standard, so it’s essential that you get them right.

The problem is that the two processes are very similar, meaning organisations can easily confuse the two and jeopardise their compliance status.

In this blog, we explain the difference between a risk assessment and gap analysis, and advise you on how to complete each step effectively and in-line with your business needs.


What’s a risk assessment?

Risk assessments give organisations an indication of the threats facing them, how likely it is that each of those threats will occur and how severe the damage will be.

The process begins by creating a long list of risks, which will be given a risk score. This is calculated by assigning a number of varying degrees of probability and damage. The scenarios with the highest scores should be prioritised, with the most attention given to the ISO 27001 controls that address the relevant issues.

The Standard provides a list of everything that might help, and it’s up to you to determine which ones to implement. As such, if there are no risks that justify the use of a certain control, you don’t need to implement it.


What’s a gap analysis?

An ISO 27001 gap analysis gives organisations an overview of the progress they have made in implementing each of the Standard’s controls.

Gap analyses only need to be performed when developing a Statement of Applicability, which means you don’t need to analyse the clauses contained in the main part of the Standard, only those in Annex A.

The process can be a simple tick-box exercise, with the unchecked requirements forming the gaps that might need to be addressed (not all clauses need to be implemented). Alternatively, you could choose a more varied set of criteria other than simply implemented–not implemented. For example, you could assess whether:

  • There is no plan to implement the requirement;
  • There is a plan but it hasn’t been implemented;
  • The requirement has been partially met;
  • The requirement has been met but hasn’t been reviewed;
  • The requirement has been met and is regularly reviewed.


What’s the difference between the two?

A risk assessment helps organisations understand which of ISO 27001’s controls need to be addressed. However, it doesn’t factor in whether those controls have already been implemented, which is why a gap analysis must also be conducted.

A gap analysis shows organisations which of ISO 27001’s controls are already in place, and in some cases provides additional information about their progress in meeting the Standard’s requirements.



Read our free green paper

Free PDF download: Risk Assessment & ISO 27001Download Risk Assessment and ISO 27001 to find out more about how you can meet the Standard’s requirements. It explains:

  • Common problems you’ll face;
  • Our five-step process for producing reliable and robust results; and
  • How to use risk assessments to achieve maximum benefits.