Resource

Free ISO 27001 Gap Analysis Template (All 93 Annex A Controls)

A gap analysis compares what your organisation does today against what ISO 27001 asks for, so you can see exactly where the work is. This template covers every Annex A control from the 2022 revision, with columns for status, notes, owner and target remediation date.

Use it on any engagement. No email address required.

Download the spreadsheet

XLSX, 93 controls, dropdown status, summary counts by status and theme.

Download the template (.xlsx)
Or skip the spreadsheet

Run the same 93 control assessment in Auditara free, and get the remediation report generated for you.

Start free

What is in the template

  • All 93 Annex A controls from ISO/IEC 27001:2022, one row per control.
  • Reference, control name, and theme in the first three columns.
  • Status dropdown with Implemented, Partially implemented, Not implemented, and Not applicable.
  • Notes, owner, and target remediation date columns for each control.
  • Summary sheet with counts by status and counts by theme, calculated automatically.
  • Frozen header row and clean formatting so it stays readable at 93 rows.

How to run an ISO 27001 gap analysis

  1. Confirm scope.
    Agree which parts of the business the ISMS covers. Everything outside scope is out of the gap analysis too.
  2. Walk the catalogue.
    Go through each of the 93 Annex A controls. For each one, score it against what actually exists today, not what is planned.
  3. Capture the evidence gap.
    For anything below Implemented, write a note describing what is missing. A one-line description now saves an hour later.
  4. Assign owners and target dates.
    Every gap needs a person and a deadline. Without those two, nothing moves.
  5. Turn it into a remediation plan.
    Sort by status and priority to produce a working plan you can review with the client each week.

All 93 Annex A controls

The four themes as defined in ISO/IEC 27001:2022. References and titles are the public identifiers used by the standard.

Organisational

37 controls
RefControl
A.5.1Policies for information security
A.5.2Information security roles and responsibilities
A.5.3Segregation of duties
A.5.4Management responsibilities
A.5.5Contact with authorities
A.5.6Contact with special interest groups
A.5.7Threat intelligence
A.5.8Information security in project management
A.5.9Inventory of information and other associated assets
A.5.10Acceptable use of information and other associated assets
A.5.11Return of assets
A.5.12Classification of information
A.5.13Labelling of information
A.5.14Information transfer
A.5.15Access control
A.5.16Identity management
A.5.17Authentication information
A.5.18Access rights
A.5.19Information security in supplier relationships
A.5.20Addressing information security within supplier agreements
A.5.21Managing information security in the ICT supply chain
A.5.22Monitoring, review and change management of supplier services
A.5.23Information security for use of cloud services
A.5.24Information security incident management planning and preparation
A.5.25Assessment and decision on information security events
A.5.26Response to information security incidents
A.5.27Learning from information security incidents
A.5.28Collection of evidence
A.5.29Information security during disruption
A.5.30ICT readiness for business continuity
A.5.31Legal, statutory, regulatory and contractual requirements
A.5.32Intellectual property rights
A.5.33Protection of records
A.5.34Privacy and protection of PII
A.5.35Independent review of information security
A.5.36Compliance with policies, rules and standards for information security
A.5.37Documented operating procedures

People

8 controls
RefControl
A.6.1Screening
A.6.2Terms and conditions of employment
A.6.3Information security awareness, education and training
A.6.4Disciplinary process
A.6.5Responsibilities after termination or change of employment
A.6.6Confidentiality or non-disclosure agreements
A.6.7Remote working
A.6.8Information security event reporting

Physical

14 controls
RefControl
A.7.1Physical security perimeters
A.7.2Physical entry
A.7.3Securing offices, rooms and facilities
A.7.4Physical security monitoring
A.7.5Protecting against physical and environmental threats
A.7.6Working in secure areas
A.7.7Clear desk and clear screen
A.7.8Equipment siting and protection
A.7.9Security of assets off-premises
A.7.10Storage media
A.7.11Supporting utilities
A.7.12Cabling security
A.7.13Equipment maintenance
A.7.14Secure disposal or re-use of equipment

Technological

34 controls
RefControl
A.8.1User endpoint devices
A.8.2Privileged access rights
A.8.3Information access restriction
A.8.4Access to source code
A.8.5Secure authentication
A.8.6Capacity management
A.8.7Protection against malware
A.8.8Management of technical vulnerabilities
A.8.9Configuration management
A.8.10Information deletion
A.8.11Data masking
A.8.12Data leakage prevention
A.8.13Information backup
A.8.14Redundancy of information processing facilities
A.8.15Logging
A.8.16Monitoring activities
A.8.17Clock synchronization
A.8.18Use of privileged utility programs
A.8.19Installation of software on operational systems
A.8.20Networks security
A.8.21Security of network services
A.8.22Segregation of networks
A.8.23Web filtering
A.8.24Use of cryptography
A.8.25Secure development life cycle
A.8.26Application security requirements
A.8.27Secure system architecture and engineering principles
A.8.28Secure coding
A.8.29Security testing in development and acceptance
A.8.30Outsourced development
A.8.31Separation of development, test and production environments
A.8.32Change management
A.8.33Test information
A.8.34Protection of information systems during audit testing

When a spreadsheet stops working

For a single engagement, a spreadsheet is fine. It is fast to open, easy to share, and every practitioner knows how to use one.

It stops working when you are running the same process on multiple clients, when evidence needs to be linked to specific controls, or when you need to hand a client a report that shows the current state of their programme without exporting from four different tabs.

Auditara runs the same 93 control assessment inside a workspace with remediation tracking, evidence per activity, and a gap and remediation report generated from your inputs.

FAQ

Is the template really free?

Yes. Download the spreadsheet, use it on client engagements, share it with your team. No email address required, no watermark, no license fee.

Does it cover the 2022 revision of ISO 27001?

Yes. The template lists all 93 Annex A controls from ISO/IEC 27001:2022, grouped into the four themes: Organisational (37), People (8), Physical (14) and Technological (34).

What is the difference between the spreadsheet and running the assessment in Auditara?

The spreadsheet is a static working document. Auditara runs the same 93 control assessment inside a programme workspace, adds remediation task tracking with owners and target dates, and generates a gap and remediation report from your inputs. Free workspaces can complete one full assessment.

Do you have templates for ISO 42001 or Bank of Ghana CISD?

In-product assessments for ISO 42001 and the Bank of Ghana Cyber and Information Security Directive 2026 are on the roadmap. Standalone spreadsheet templates for those frameworks are not published yet.

Can I customise the spreadsheet?

Yes. Add columns, change the status values, or extend it with your own scoring. Nothing is locked. If you outgrow the spreadsheet, the same 93 controls are available inside Auditara.

Ready when the spreadsheet is not enough

One active programme, full gap assessment, Auditara-branded report. Free.