Two useful resources for people working on ISO 27001 – a Gap Assessment and a Maturity Assessment template.
I always recommend buying the official ISO 27001 and ISO 27002 documents directly from the ISO website. Many countries have their own standards bodies (like ANSI in the U.S., BSI in the U.K., DIN in Germany, etc.) that resell ISO standards, sometimes cheaper or bundled with local adaptations. It is a great investment for reference and learning.
You might also like…
- I compiled some publicly available security maturity information in this post: Security Maturity Benchmarks
- A similar maturity assessment template based on NIST CSF 2.0 is available here
Disclaimer
- This template is provided for informational and guidance purposes only and does not constitute official certification, legal advice, or endorsement by the International Organization for Standardization (ISO).
- ISO® is a registered trademark of the International Organization for Standardization. This document is not affiliated with or approved by ISO.
- Users are responsible for interpreting and applying ISO/IEC 27001:2022 requirements in the context of their own organization and should consult with a qualified ISO auditor or certification body for formal assessments or certification processes.
When to use a Gap Assessment vs a Maturity Assessment
My recommendation is this:
- use the Gap Assessment when you are planning to go for a certification audit and want to understand how much work is needed to close the gaps against the standard's requirements;
- use the Maturity Assessment when there is no push for certification and you want to improve your ISMS, or after certification to measure how mature your controls are and track improvement over time.