Free ISO 27001 Gap Analysis Template (All 93 Annex A Controls)
A gap analysis compares what your organisation does today against what ISO 27001 asks for, so you can see exactly where the work is. This template covers every Annex A control from the 2022 revision, with columns for status, notes, owner and target remediation date.
Use it on any engagement. No email address required.
XLSX, 93 controls, dropdown status, summary counts by status and theme.
Download the template (.xlsx)Run the same 93 control assessment in Auditara free, and get the remediation report generated for you.
Start freeWhat is in the template
- All 93 Annex A controls from ISO/IEC 27001:2022, one row per control.
- Reference, control name, and theme in the first three columns.
- Status dropdown with Implemented, Partially implemented, Not implemented, and Not applicable.
- Notes, owner, and target remediation date columns for each control.
- Summary sheet with counts by status and counts by theme, calculated automatically.
- Frozen header row and clean formatting so it stays readable at 93 rows.
How to run an ISO 27001 gap analysis
- Confirm scope.Agree which parts of the business the ISMS covers. Everything outside scope is out of the gap analysis too.
- Walk the catalogue.Go through each of the 93 Annex A controls. For each one, score it against what actually exists today, not what is planned.
- Capture the evidence gap.For anything below Implemented, write a note describing what is missing. A one-line description now saves an hour later.
- Assign owners and target dates.Every gap needs a person and a deadline. Without those two, nothing moves.
- Turn it into a remediation plan.Sort by status and priority to produce a working plan you can review with the client each week.
All 93 Annex A controls
The four themes as defined in ISO/IEC 27001:2022. References and titles are the public identifiers used by the standard.
Organisational
37 controls| Ref | Control |
|---|---|
| A.5.1 | Policies for information security |
| A.5.2 | Information security roles and responsibilities |
| A.5.3 | Segregation of duties |
| A.5.4 | Management responsibilities |
| A.5.5 | Contact with authorities |
| A.5.6 | Contact with special interest groups |
| A.5.7 | Threat intelligence |
| A.5.8 | Information security in project management |
| A.5.9 | Inventory of information and other associated assets |
| A.5.10 | Acceptable use of information and other associated assets |
| A.5.11 | Return of assets |
| A.5.12 | Classification of information |
| A.5.13 | Labelling of information |
| A.5.14 | Information transfer |
| A.5.15 | Access control |
| A.5.16 | Identity management |
| A.5.17 | Authentication information |
| A.5.18 | Access rights |
| A.5.19 | Information security in supplier relationships |
| A.5.20 | Addressing information security within supplier agreements |
| A.5.21 | Managing information security in the ICT supply chain |
| A.5.22 | Monitoring, review and change management of supplier services |
| A.5.23 | Information security for use of cloud services |
| A.5.24 | Information security incident management planning and preparation |
| A.5.25 | Assessment and decision on information security events |
| A.5.26 | Response to information security incidents |
| A.5.27 | Learning from information security incidents |
| A.5.28 | Collection of evidence |
| A.5.29 | Information security during disruption |
| A.5.30 | ICT readiness for business continuity |
| A.5.31 | Legal, statutory, regulatory and contractual requirements |
| A.5.32 | Intellectual property rights |
| A.5.33 | Protection of records |
| A.5.34 | Privacy and protection of PII |
| A.5.35 | Independent review of information security |
| A.5.36 | Compliance with policies, rules and standards for information security |
| A.5.37 | Documented operating procedures |
People
8 controls| Ref | Control |
|---|---|
| A.6.1 | Screening |
| A.6.2 | Terms and conditions of employment |
| A.6.3 | Information security awareness, education and training |
| A.6.4 | Disciplinary process |
| A.6.5 | Responsibilities after termination or change of employment |
| A.6.6 | Confidentiality or non-disclosure agreements |
| A.6.7 | Remote working |
| A.6.8 | Information security event reporting |
Physical
14 controls| Ref | Control |
|---|---|
| A.7.1 | Physical security perimeters |
| A.7.2 | Physical entry |
| A.7.3 | Securing offices, rooms and facilities |
| A.7.4 | Physical security monitoring |
| A.7.5 | Protecting against physical and environmental threats |
| A.7.6 | Working in secure areas |
| A.7.7 | Clear desk and clear screen |
| A.7.8 | Equipment siting and protection |
| A.7.9 | Security of assets off-premises |
| A.7.10 | Storage media |
| A.7.11 | Supporting utilities |
| A.7.12 | Cabling security |
| A.7.13 | Equipment maintenance |
| A.7.14 | Secure disposal or re-use of equipment |
Technological
34 controls| Ref | Control |
|---|---|
| A.8.1 | User endpoint devices |
| A.8.2 | Privileged access rights |
| A.8.3 | Information access restriction |
| A.8.4 | Access to source code |
| A.8.5 | Secure authentication |
| A.8.6 | Capacity management |
| A.8.7 | Protection against malware |
| A.8.8 | Management of technical vulnerabilities |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.13 | Information backup |
| A.8.14 | Redundancy of information processing facilities |
| A.8.15 | Logging |
| A.8.16 | Monitoring activities |
| A.8.17 | Clock synchronization |
| A.8.18 | Use of privileged utility programs |
| A.8.19 | Installation of software on operational systems |
| A.8.20 | Networks security |
| A.8.21 | Security of network services |
| A.8.22 | Segregation of networks |
| A.8.23 | Web filtering |
| A.8.24 | Use of cryptography |
| A.8.25 | Secure development life cycle |
| A.8.26 | Application security requirements |
| A.8.27 | Secure system architecture and engineering principles |
| A.8.28 | Secure coding |
| A.8.29 | Security testing in development and acceptance |
| A.8.30 | Outsourced development |
| A.8.31 | Separation of development, test and production environments |
| A.8.32 | Change management |
| A.8.33 | Test information |
| A.8.34 | Protection of information systems during audit testing |
When a spreadsheet stops working
For a single engagement, a spreadsheet is fine. It is fast to open, easy to share, and every practitioner knows how to use one.
It stops working when you are running the same process on multiple clients, when evidence needs to be linked to specific controls, or when you need to hand a client a report that shows the current state of their programme without exporting from four different tabs.
Auditara runs the same 93 control assessment inside a workspace with remediation tracking, evidence per activity, and a gap and remediation report generated from your inputs.
FAQ
Yes. Download the spreadsheet, use it on client engagements, share it with your team. No email address required, no watermark, no license fee.
Yes. The template lists all 93 Annex A controls from ISO/IEC 27001:2022, grouped into the four themes: Organisational (37), People (8), Physical (14) and Technological (34).
The spreadsheet is a static working document. Auditara runs the same 93 control assessment inside a programme workspace, adds remediation task tracking with owners and target dates, and generates a gap and remediation report from your inputs. Free workspaces can complete one full assessment.
In-product assessments for ISO 42001 and the Bank of Ghana Cyber and Information Security Directive 2026 are on the roadmap. Standalone spreadsheet templates for those frameworks are not published yet.
Yes. Add columns, change the status values, or extend it with your own scoring. Nothing is locked. If you outgrow the spreadsheet, the same 93 controls are available inside Auditara.
Ready when the spreadsheet is not enough
One active programme, full gap assessment, Auditara-branded report. Free.
