ISO 27001 Gap and Maturity Assessment Templates

Here are two useful resources for people working on ISO 27001 – a Gap Assessment and a Maturity Assessment template.

Important Note: While these templates provide a strong starting point, I highly recommend purchasing the official ISO 27001 and ISO 27002 standards from the ISO website. Many countries also have national standards bodies (such as ANSI in the U.S., BIS in India, and DIN in Germany) that resell ISO standards, sometimes at lower prices or with localized adaptations. Owning the official documents is an excellent investment for reference and continuous learning.

Both templates are pre-filled with example values to demonstrate how the templates and dashboards function. When you begin using the templates, reset all dropdowns to the values relevant to your organization.

You might also like…

  • I compiled some publicly available security maturity information in this post: Security Maturity Benchmarks
  • A similar maturity assessment template based on NIST CSF 2.0 is available here

Disclaimer

  • This template is provided for informational and guidance purposes only and does not constitute official certification, legal advice, or endorsement by the International Organization for Standardization (ISO).
  • ISO® is a registered trademark of the International Organization for Standardization. This document is not affiliated with or approved by ISO.
  • Users are responsible for interpreting and applying ISO/IEC 27001:2022 requirements in the context of their own organization and should consult with a qualified ISO auditor or certification body for formal assessments or certification processes.

When to use a Gap Assessment vs a Maturity Assessment

My recommendation is this:

  • Do a Gap Assessment when you are planning to go for a certification audit, to understand how much work is needed before you are ready to be certified.
  • Use the Maturity Assessment when certification is not the immediate goal, or after certification, to continuously assess and improve the maturity of your ISMS.

Why Structure the Templates as Questions?

You may notice that the templates use questions instead of directly listing ISO controls or clauses.

I would have liked to include the official control/clause text but reproducing it directly would most likely violate ISO’s copyright policies. The questions are designed to align closely with ISO 27001 requirements while respecting copyright boundaries.

This is why I encourage purchasing official copies of the standards. ISO 27002, in particular, offers valuable guidance on implementing the controls and is a great resource for all security professionals.

Can the Maturity Levels be Customized?

Yes, the maturity levels are fully customizable. You can modify the descriptions and scoring criteria to suit your organization’s specific needs. If you do, remember to update the formulas in the “Requirements” tab so that the scores still map onto your new levels.

The default maturity levels are based on the five-level model used by U.S. federal Inspectors General in their FISMA evaluations, known as the “IG Evaluation Maturity Levels.” You can read more about it on the following page:

https://www.cisa.gov/sites/default/files/2023-02/Final%20FY%202023%20-%202024%20IG%20FISMA%20Reporting%20Metrics%20v1.1_0.pdf

Should Clauses Be Assessed for Maturity?

Yes. I treat clauses and controls alike as security requirements that must be implemented, so both are assessed. If a clause or control does not apply to your organization, select “Not Applicable” and it will be excluded from the maturity calculations rather than counted as a low score.
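To make the scoring behaviour concrete, here is an added Python example (not the template's own spreadsheet formulas) that rolls up assessed levels per domain and overall, excludes “Not Applicable” items, and shows why treating N/A as a zero skews the result. The level names are the five IG FISMA levels; the requirement IDs, domains and assessed levels in SAMPLE_ASSESSMENT are constructed for illustration, and the custom scale is an assumed example of a user-customized set of levels.

```python
"""Maturity roll-up with 'Not Applicable' exclusion.

Added example, not the template's own formulas. Level names follow the
five IG FISMA maturity levels; the sample assessment data is constructed.
"""
from statistics import mean

# Default scale. Position in the list is the numeric score 1..5.
DEFAULT_LEVELS = [
    "Ad Hoc",
    "Defined",
    "Consistently Implemented",
    "Managed and Measurable",
    "Optimized",
]
NOT_APPLICABLE = "Not Applicable"

# Constructed sample assessment: (requirement id, domain, assessed level).
SAMPLE_ASSESSMENT = [
    ("4.1", "Context", "Defined"),
    ("4.2", "Context", "Consistently Implemented"),
    ("A.5.1", "Organizational", "Managed and Measurable"),
    ("A.5.2", "Organizational", "Ad Hoc"),
    ("A.6.1", "People", NOT_APPLICABLE),
    ("A.8.1", "Technological", "Optimized"),
    ("A.8.2", "Technological", NOT_APPLICABLE),
]


def level_score(level, levels=DEFAULT_LEVELS):
    """Map a level name to its 1-based score, or None for Not Applicable.

    An unknown name raises, so a typo in a customized scale is caught
    instead of silently scoring as 0 the way a broken lookup formula would.
    """
    if level == NOT_APPLICABLE:
        return None
    if level not in levels:
        raise ValueError(f"unknown maturity level {level!r}; update the scale")
    return levels.index(level) + 1


def roll_up(assessment, levels=DEFAULT_LEVELS):
    """Return (per-domain mean, overall mean, N/A count), excluding N/A.

    A domain whose items are all N/A reports None rather than a misleading 0.
    """
    by_domain = {}
    n_na = 0
    for _req, domain, level in assessment:
        scores = by_domain.setdefault(domain, [])
        score = level_score(level, levels)
        if score is None:
            n_na += 1
        else:
            scores.append(score)
    domain_scores = {
        d: (round(mean(s), 2) if s else None) for d, s in by_domain.items()
    }
    all_scores = [s for scores in by_domain.values() for s in scores]
    overall = round(mean(all_scores), 2) if all_scores else None
    return domain_scores, overall, n_na


def naive_roll_up(assessment, levels=DEFAULT_LEVELS):
    """The pitfall: counting N/A as 0 drags the average down."""
    scores = [level_score(lvl, levels) or 0 for _, _, lvl in assessment]
    return round(mean(scores), 2)


if __name__ == "__main__":
    domains, overall, n_na = roll_up(SAMPLE_ASSESSMENT)
    for domain, score in domains.items():
        print(f"{domain:15s} {score}")
    print(f"overall={overall} (excluding {n_na} N/A)")
    print(f"naive overall={naive_roll_up(SAMPLE_ASSESSMENT)} (N/A counted as 0)")
```

With the constructed data the overall score is 3.0 when the two N/A items are excluded, but 2.14 if they are counted as zeros; the “People” domain, which has only an N/A item, reports no score rather than 0. Passing a different list as `levels` is all that is needed to use a customized scale, which mirrors what updating the “Requirements” tab formulas does in the spreadsheet.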

Useful ISO 27001 resources

  • Join iso27001security@googlegroups.com, a very active forum for ISO 27001 topics
  • Sub-reddits for discussions – r/cybersecurity, r/grc and r/ISO27001
  • Follow Chris Hall on LinkedIn; his longform articles about the intricacies of ISO 27001 are a great read
  • Advisera has one of the most comprehensive set of articles on ISO 27001. Start here
  • Follow Andrey Prozorov; he has a lot of ISMS resources on his Patreon page here
  • Mastermind Assurance has a well-regarded free ISO 27001 Lead Auditor course here

Version History and Updates

  • v1.1 (27-April-2025): Minor corrections in links
  • v1.0 (15-April-2025): Initial version