What is an ISO 27701:2025 gap analysis?
A gap analysis compares your current privacy practices against the requirements of ISO 27701:2025 to identify where you already comply and where work is needed. It is the essential first step of any implementation project, providing the baseline from which you plan, resource and prioritise your path to certification.
Without a gap analysis, organisations risk two costly mistakes: underestimating the work involved (leading to missed deadlines and budget overruns) or over-engineering areas where they are already compliant (wasting time and resources).
The analysis covers both the management system requirements in Clauses 4 to 10 and the applicable Annex A privacy controls. Since ISO 27701:2025 is now a standalone certifiable standard, your gap analysis must assess the full scope of requirements independently, not just the privacy-specific additions.
How do you conduct a gap analysis step by step?
A thorough gap analysis follows a structured process. Rushing through it or relying on assumptions undermines the value of the entire exercise.
Step 1: Define your scope
Before assessing anything, establish the boundaries of your PIMS. Determine which parts of your organisation, processes, systems and data are in scope. Consider:
- Which business functions process PII?
- What types of PII do you process (customer data, employee data, supplier data)?
- Are you acting as a PII controller, processor or both?
- Which locations, systems and third parties are involved?
Step 2: Assess management system requirements (Clauses 4 to 10)
Work through each management system clause and evaluate your current position against every requirement. For each requirement, record:
- Current state — What you have in place today
- Gap identified — What is missing or insufficient
- Maturity level — Not started, partially implemented, fully implemented
- Evidence available — What documentation or records exist
Step 3: Assess Annex A controls
Evaluate each Annex A control against your current practices. The controls are organised into three tables: PII controller controls, PII processor controls and shared security controls. Only assess the controls relevant to your role (controller, processor or both), and record the justification for every control you treat as not applicable: the auditor will expect that reasoning in your Statement of Applicability, and "we did not assess it" is not an accepted justification.
Step 4: Score and categorise gaps
Assign a maturity score to each requirement and control. A simple traffic-light system works well:
| Score | Meaning | Typical Action |
|---|---|---|
| Green | Fully implemented and evidenced | Maintain and monitor |
| Amber | Partially implemented or lacking evidence | Close the gap — may need documentation, formalisation or additional evidence |
| Red | Not started or fundamentally missing | Plan and implement from scratch |
Step 5: Prioritise and plan
Not all gaps carry equal weight. Prioritise based on:
- Certification risk — Gaps in mandatory requirements (management system clauses) are more critical than gaps in controls you may exclude from your Statement of Applicability, provided each exclusion is justified by your risk assessment rather than by convenience
- Business risk — Gaps that expose the organisation to regulatory penalties or data breaches should be addressed urgently
- Effort and dependencies — Some gaps require cultural change or third-party cooperation, which takes longer
The output of your gap analysis should be a prioritised implementation plan with timelines, resource requirements and clear ownership for each action item.
What should you assess in each clause area?
The table below provides a practical checklist of what to look for when assessing each management system clause during your gap analysis.
| Clause | Key Questions to Ask |
|---|---|
| Clause 4: Context | Have you identified all interested parties? Is the scope of your PIMS clearly defined and documented? Do you understand the PII processing context? |
| Clause 5: Leadership | Is there a privacy policy approved by top management? Are roles and responsibilities for privacy clearly assigned? Is there evidence of management commitment? |
| Clause 6: Planning | Do you have a privacy risk assessment methodology? Is there a risk register with current entries? Is there a Statement of Applicability? Are privacy objectives defined and measurable? |
| Clause 7: Support | Are staff competent in their privacy roles? Is there a training and awareness programme? Is documented information controlled (version control, approval, distribution)? |
| Clause 8: Operation | Are operational processes planned and controlled? Are risk assessments conducted at planned intervals? Is risk treatment being implemented as planned? |
| Clause 9: Performance | Are you monitoring and measuring the effectiveness of your PIMS? Have internal audits been conducted? Has a management review taken place? |
| Clause 10: Improvement | Is there a process for handling nonconformities? Are corrective actions tracked to completion? Is there evidence of continual improvement? |
What are common gaps by organisation type?
Different organisations tend to encounter different gap profiles. Understanding your likely weak areas before you start helps focus the assessment.
Organisations new to management systems
If your organisation has never implemented an ISO management system, expect significant gaps in:
- Risk assessment methodology and risk register
- Internal audit programme
- Management review process
- Documented information control
- Corrective action and continual improvement processes
These are structural requirements that underpin the entire PIMS. They require new processes, not just documentation of existing practices.
Organisations with ISO 27001 already in place
If you already hold ISO 27001, your management system framework is largely established. Typical gaps focus on privacy-specific areas:
- PII processing context and purpose limitation documentation
- Data subject rights handling procedures
- Privacy-specific risk assessment criteria
- Controller and processor role definitions
- Privacy impact assessments
Organisations transitioning from ISO 27701:2019
If you are transitioning from the 2019 edition, your gap analysis should focus on the structural changes in the 2025 edition. See our transition guide for the full breakdown of changes. Common gaps include:
- Updated Annex A control structure (the 2025 edition reorganises controls significantly)
- New standalone management system requirements that were previously inherited from ISO 27001
- Updated risk assessment approach reflecting the standalone nature of the standard
Organisations with strong GDPR compliance
GDPR-mature organisations often have solid privacy practices but may lack the formal management system structure ISO 27701:2025 requires. The Annex D GDPR mapping helps identify where existing GDPR work satisfies ISO 27701 requirements. Typical gaps include:
- Formalised risk assessment methodology (rather than ad-hoc DPIAs)
- Internal audit programme covering the full PIMS
- Structured management review process with recorded decisions
- Statement of Applicability for Annex A controls
How does ISMS.online accelerate your gap analysis?
ISMS.online transforms the gap analysis from a manual, spreadsheet-based exercise into a guided, structured assessment that saves time and produces more actionable results.
- Pre-built assessment framework — Every clause and Annex A control is already mapped in the platform, so you assess against the full standard without building your own checklist
- Maturity scoring — Rate each requirement using a consistent maturity model, with the platform automatically highlighting your highest-priority gaps
- Gap-to-action tracking — Convert gap findings directly into action items with owners, due dates and status tracking
- Evidence linking — Attach existing evidence to requirements during the assessment, so you know exactly what you have and what you still need
- Progress dashboards — Visualise your compliance posture at a glance and track improvement over time
- Implementation templates — For every gap you identify, ISMS.online provides template policies, procedures and documentation to close it faster
For the next steps after your gap analysis, see our guide to getting started with ISO 27701:2025 implementation, which covers the full journey from assessment through to certification.
Why Choose ISMS.online for Your Gap Analysis?
- Comprehensive standard coverage — Assess against every clause and Annex A control without building your own assessment framework from scratch
- Guided assessment process — Step-by-step guidance ensures nothing is missed, even if you are conducting your first management system gap analysis
- Instant prioritisation — Automated scoring highlights your most critical gaps so you know where to focus resources first
- Seamless transition to implementation — Gap findings convert directly into implementation tasks within the same platform, avoiding data loss between assessment and action
- Multi-framework support — If you plan to implement ISO 27701 alongside ISO 27001 or other standards, ISMS.online maps overlapping requirements so you assess once and satisfy multiple frameworks
- Collaboration built in — Assign assessment sections to different team members and track progress centrally
- Trusted by thousands of organisations — ISMS.online has helped companies of all sizes conduct gap analyses and achieve ISO certification
FAQs
How long does an ISO 27701:2025 gap analysis take?
A typical gap analysis takes two to four weeks, depending on the size and complexity of your organisation. Smaller organisations with a focused scope may complete it in one to two weeks. Larger organisations with multiple business units, extensive data processing and existing management systems may need four weeks or more.
Should we conduct the gap analysis internally or hire a consultant?
Both approaches work. Internal assessments are cost-effective and build organisational knowledge, but may miss gaps if team members lack experience with ISO management systems. A consultant brings expertise and objectivity but at a higher cost. Many organisations take a hybrid approach: conduct the initial assessment internally using a platform like ISMS.online and then engage a consultant to validate findings.
Can we use our ISO 27001 gap analysis as a starting point?
Yes. If you already hold ISO 27001, your management system clauses are largely in place and your gap analysis can focus on the privacy-specific requirements and Annex A controls. However, you should still review the management system clauses, as ISO 27701:2025 includes privacy-specific nuances that ISO 27001 does not cover.
What deliverable should the gap analysis produce?
The primary output is a prioritised list of gaps with maturity scores, mapped to the standard’s requirements and controls. This should feed directly into an implementation plan with timelines, resource estimates and ownership. In ISMS.online, this output is generated automatically as you complete the assessment.
How often should we repeat the gap analysis?
A full gap analysis is typically done once during initial implementation and again when transitioning between editions (e.g., from 2019 to 2025). After certification, regular internal audits serve a similar purpose. However, repeating a focused gap analysis annually or after significant organisational changes is good practice to ensure your PIMS remains current.