GRC — Flagship Service

ISO 27001 Gap Assessment

A hands-on, evidence-based review of your current security posture against all 93 ISO 27001:2022 Annex A controls — with a prioritised remediation roadmap your team can actually execute. The fastest way to know how far you are from certification.

AED 20,000 – 40,000 · ISO 27001 Lead Auditor · 2 – 3 weeks

Book a 30-min Scoping Call →

What it is

A focused, 2 – 3 week engagement that answers one question with evidence: how ready are we for ISO 27001:2022 certification today, and what does it take to get there.

We interview your team, review your existing policies and processes, observe technical controls, and measure every one of the 93 Annex A:2022 controls against its required maturity. Where a control is missing, we tell you. Where it exists but isn't documented, we tell you. Where it's documented but not implemented, we tell you the hardest way — by trying to validate it.

The deliverable is a maturity-rated gap report plus a prioritised remediation roadmap (90-day quick wins, 6-month program, 12-month full readiness). That's the input your next meeting needs: scope, effort, budget, timeline.

What this is not

Not a certification audit. Only an accredited body can audit and certify. This is diagnostic.
Not an Implementation project. We find gaps; we don't author policies or implement controls in this engagement.
Not a generic checklist. Evidence-based — we observe, interview, validate, then rate.
Not a pen test. If you need active-exploit validation of findings, pair with our Network Pen Test service.

Who this is for

1. You're exploring ISO 27001 and need to scope effort, cost, and timeline before committing to full Implementation.
2. A board directive or client contract requires ISO 27001 and you need a defensible baseline to plan from.
3. You're re-certifying in 12 months and want a mid-cycle maturity health check.
4. You ran an internal gap check but want external validation before going to an accredited body.
5. You have existing policies from a prior consultancy but no confidence they reflect reality.

What you get

  • Scope document — boundary definition, interested parties, ISMS scope agreement.
  • Gap assessment report — all 93 Annex A:2022 controls with applicability, maturity (0 – 4), current implementation, evidence observed, gap severity.
  • Remediation roadmap — prioritised 90-day / 6-month / 12-month plan with effort estimates per gap.
  • Executive summary — 2-page board-consumable posture brief with maturity heat map.
  • Implementation scope paper — what a full ISO 27001 Implementation engagement would look like for your organisation (effort, cost, timeline).
  • Walkthrough session — 90-minute live review with your technical and executive teams.

How we deliver

01 Scoping (1 – 2 days)
ISMS scope workshop, interested parties, data flows, systems in scope, interview list.

02 Fieldwork — interviews & evidence (3 – 5 days)
Interviews with 5 – 10 staff (IT, HR, legal, ops), policy review, technical control observation, sampling.

03 Control-by-control assessment (2 – 3 days)
Every Annex A:2022 control rated on maturity 0 – 4 with evidence reference and gap severity.

04 Reporting (2 – 3 days)
Gap report, remediation roadmap, executive summary, Implementation scope paper.

05 Walkthrough (90 minutes)
Live session covering every critical gap plus the 90-day / 6-month / 12-month roadmap.

Pricing

Published range

AED 20k – 40k

Per engagement. Written quote within 48 hours of scoping call.

What drives the price:

  • ISMS scope size (single site vs. multi-site)
  • Number of interviews required
  • Existing documentation maturity (greenfield vs. partial)
  • Sector complexity (regulated vs. general)
  • Number of in-scope technical systems

Commercial terms

  • Deposit: 50% at signing
  • Net terms: Net-30
  • Quote validity: 30 days
  • Implementation upgrade: 15% discount on Implementation fee if you roll straight over within 60 days
  • Deliverable: PDF + editable DOCX

Your cert-backed lead

Lead Assessor & ISO 27001 Lead Auditor

Manoj Prabhakaran

ISO 27001 Lead Auditor · GRC Mastery · CPTS · CDSA · Security+ · Azure Cloud Security

Focus: Gap diagnosis, maturity rating methodology, roadmap design, Implementation scoping. Unique angle: offensive-security background means technical controls get assessed by someone who knows how attackers would exploit them — not just someone reading the standard.

Frequently asked questions

How is a Gap Assessment different from a full Implementation?

A Gap Assessment measures where you are today against ISO 27001:2022 Annex A controls and produces a remediation roadmap. It does not author policies, implement controls, or prepare you for certification. That's the Implementation service. Many clients run a Gap Assessment first to scope the Implementation engagement — it de-risks budgeting and timeline conversations.

What do I walk away with?

A gap-assessment report covering all 93 Annex A:2022 controls (applicable Yes/No, current-state implementation, evidence observed, gap severity) plus a prioritised 90-day / 6-month / 12-month remediation roadmap with effort estimates for each gap. Executive summary included.

How long does it take?

3 – 5 working days of fieldwork for a single-site mid-market organisation. Plus 2 – 3 days of reporting. Delivered end-to-end in 2 – 3 weeks calendar time from scoping.

What do I need to provide?

Read-only access to key systems (HR system, Active Directory, ticketing, code repo, cloud tenant), existing policies and procedures (if any), one executive sponsor, and time for interviews with 5 – 10 staff across IT, HR, legal, and operations.

Will this show me a pass / fail?

No — ISO 27001 isn't binary. The report shows the maturity of each control on a 0 – 4 scale (non-existent, ad-hoc, defined, managed, optimised) and whether each gap is a blocker for certification. A competent accredited certification body would use similar categorisation.

Can you implement the gaps you find?

Yes — roll straight into our ISO 27001 Implementation service. Clients who do both get a 15% discount on the Implementation fee because we've already done the gap work.

Is this report useful for a certification audit?

Not directly — the accredited certification body runs its own assessment. But the gap report is extremely useful as input to remediation work before you contract the certification body. Skipping it costs most organisations months of wasted effort.

Is it useful if we're not pursuing certification?

Yes. Many clients use the gap assessment to improve their security program without pursuing a certificate. The roadmap is valuable on its own; certification is optional.

Not sure how far you are from ISO 27001?

A 2 – 3 week gap assessment gives you a defensible baseline, a prioritised roadmap, and the numbers to plan the next step. Written quote within 48 hours.

Book a Scoping Call →