ISO 27001 Gap Analysis Questionnaire

Company Name

Company Website

Your First Name

Your Surname

Email Address

Telephone Number (not required)

Section 1: A bit about your organisation

Status of your Organisation

Number of Employees

Annual Turnover

What sector are you in?

What sort of premises do you operate from (e.g. a factory, shared offices, owned offices, etc)?

Section 2: Your organisation's activities

Specific activity of the business (please be as detailed as you can)

Do you outsource any of your processes (i.e. use another supplier to help you provide a finished product or complete a service for your clients)?

If you answered 'yes', what is outsourced?

Roughly how many suppliers do you use (e.g. materials suppliers, recruitment companies, consultants, accountants, solicitors, etc)?

Do you use contractors for any information security activities (e.g. on-site or full IT systems support)?

Section 3: A bit about your people

Do you have an organisational chart for your company?

Does everyone, or at least key people (e.g. supervisors upwards), have job descriptions?

Does your organisation carry out appraisals for staff?

Do you keep training records and requirements for your staff, e.g. a training or competency matrix?

Do you have a formal induction process for new starters?

Section 4: Leadership

Do you have regular meetings for senior management (at least once a year)?

If ‘yes’, do you keep minutes of these meetings?

Section 5: Planning

Do you have anything written down with regards to the processes your company uses to deliver your products or services (e.g. diagrams, maps, etc)?

Does your organisation have a business plan?

If you answered ‘yes’, does it contain anything such as a SWOT analysis?

If you answered ‘yes’, does it contain anything such as a PEST or PESTLE analysis?

If you answered ‘yes’, does it contain anything such as a stakeholder analysis?

Section 6: Your information security risks

Have you considered what risks your business activities pose to the data security of your staff, suppliers and customers?

If you answered 'yes', do you keep a record of WHICH of your business activities affect information security?

If you answered 'yes', do you keep a record of HOW your business activities affect information security?

Do you have any measures in place (e.g. work practices, equipment, etc) which helps you to minimise information security risks (e.g. systems monitoring, firewalls, locked cabinets, etc)?

Does your company have any Risk Assessments and/or Risk Treatments regarding information security?

Section 7: Your business requirements

Are you aware of any specific information security laws or information security regulations that you need to adhere to regarding what you do?

If you answered 'yes', briefly say what they are

If you answered 'yes', how do you keep up with information security legal changes in your industry?

Do you have a Legal Register?

Are you currently audited by any organisation with regards to information security, e.g. Cyber Essentials Plus?

If you answered 'yes', what schemes are you audited through?

Do you currently formally audit any aspect of the business yourself?

Section 8: Operations

Do you use any software to drive your business e.g. bespoke software, shared folders, Dropbox, etc?

If you answered 'yes', what software do you use?

If something goes wrong in your business (e.g. a security breach), do you currently have a system in place to record these incidents?

Section 9: Your organisation and information security

Do you already have an information security policy?

Do you monitor your company’s information security performance e.g. number of breaches, attempted breaches, etc per year?

Has your business got any objectives/targets with regard to information security (e.g. keeping the number of breaches down to one per year, etc)?

SECTION 10: ANNEX A - ORGANISATIONAL CONTROLS

Do you have documented information security policies and procedures in place that staff are expected to follow?

Have you identified and assessed your key information security risks and recorded them?

Do you maintain an inventory of important information assets (e.g. laptops, servers, software, databases, customer data, cloud systems)?

Do you have a formal process for managing user access, including granting, reviewing and removing access when staff join, move roles or leave?

SECTION 11: ANNEX A - PEOPLE CONTROLS

Are information security responsibilities included within job roles or communicated to employees?

Do employees receive information security awareness training?

Do employment contracts, staff handbooks or agreements contain confidentiality or information security requirements?

Do you have a process for reporting information security incidents, concerns or suspected breaches?

SECTION 12: ANNEX A - PHYSICAL CONTROLS

Are offices, facilities, server rooms or other areas containing sensitive information protected from unauthorised access?

Are company laptops, mobile devices and other equipment protected when used outside the office?

Do you have procedures for securely disposing of equipment, documents or media containing sensitive information?

Are visitors, contractors or third parties controlled when accessing your premises?

SECTION 13: ANNEX A - TECHNOLOGICAL CONTROLS

Do you use technical security measures such as antivirus, endpoint protection, firewalls or security monitoring?

If Yes, briefly list the main security technologies currently in use (e.g. Microsoft Defender, Sophos, CrowdStrike, SentinelOne, MFA, SIEM, etc.).

Are software updates, patches and known vulnerabilities regularly managed?

Are backups performed and tested to ensure critical information can be recovered?

Is multi-factor authentication (MFA) used to protect important systems, cloud services or remote access?

8 + 13 =