Independent cost guide. Not affiliated with any certification body or compliance platform. Estimates based on published rates and practitioner experience. Always obtain a formal quote.

ISO 27001 Gap Analysis Cost - What to Expect

The gap analysis is the go/no-go decision point that sets your budget, timeline, and scope. Here is what it costs, what you get, and how to evaluate the quality of different delivery models.

Updated April 2026

Gap Analysis Cost by Delivery Model

Consultant On-Site

$8,000-$20,000

3-8 days on-site interviewing staff, reviewing systems, and assessing documentation. Includes written report with prioritised findings.

Best for: Organisations with complex IT, multiple locations, or sensitive industries

Consultant Remote

$5,000-$15,000

Video interviews, shared-screen walkthroughs, and document review through a secure portal. Typically 20-30% cheaper than on-site.

Best for: Cloud-native organisations, remote-first teams, budget-conscious SMEs

Platform-Assisted

$2,000-$5,000

Self-assessment against a compliance platform's (Vanta, Drata, Sprinto) control mapping, plus the internal staff time needed to complete it.

Best for: Tech-savvy teams with some ISMS experience

What a Good Gap Analysis Delivers

  • Control-by-control assessment: Every one of the 93 Annex A controls rated as: fully implemented, partially implemented, not implemented, or not applicable (with justification, since each exclusion must be justified in the Statement of Applicability required by clause 6.1.3).
  • Clause 4-10 maturity assessment: ISMS governance requirements (context, leadership, planning, support, operation, evaluation, improvement) assessed against the standard.
  • Risk-rated findings: Gaps prioritised by impact (high/medium/low) with estimated remediation effort in hours and cost.
  • Remediation roadmap: Sequenced plan showing which gaps to address first, dependencies between controls, and recommended timeline.
  • Scope recommendation: Clear advice on what should and should not be in scope for certification, with cost implications of broader vs narrower scope.
  • Budget estimate: Total estimated cost to achieve certification based on your current maturity, including consultant, platform, audit, and internal resource estimates.
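The following Python block is an added example, not part of this guide and not any platform's or consultant's tooling. It models the deliverables above as a small gap register: per-control status (with the mandatory justification for "not applicable"), impact rating, effort in hours and dependencies between controls, and derives from it a coverage summary and a dependency-respecting remediation order. The control identifiers are ISO 27001:2022 Annex A numbers; every status, hour figure and dependency in the sample is constructed for illustration, not taken from any real assessment.

```python
"""Gap register and remediation sequencer (added example, not from the page).

Models what a gap analysis report carries per Annex A control: status,
impact, effort in hours and dependencies on other controls. Control IDs
follow ISO 27001:2022 Annex A numbering; the statuses, hours and
dependencies in SAMPLE are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import heapq

STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}
OPEN = {"partial", "not_implemented"}      # statuses that still need work
IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    control: str             # Annex A identifier, e.g. "5.15"
    title: str
    status: str              # one of STATUSES
    impact: str = "low"      # high / medium / low; meaningful for open gaps
    effort_hours: int = 0    # consultant's remediation effort estimate
    depends_on: tuple = ()   # controls that should be closed first
    justification: str = ""  # mandatory when status == "not_applicable"


def validate(findings):
    """Checks to run before trusting a register; returns a list of problems."""
    ids = {f.control for f in findings}
    problems = []
    for f in findings:
        if f.status not in STATUSES:
            problems.append(f"{f.control}: unknown status {f.status!r}")
        if f.status == "not_applicable" and not f.justification:
            problems.append(f"{f.control}: not_applicable without justification")
        if f.status in OPEN and f.effort_hours <= 0:
            problems.append(f"{f.control}: open gap without an effort estimate")
        problems += [f"{f.control}: unknown dependency {d}"
                     for d in f.depends_on if d not in ids]
    return problems


def coverage(findings):
    """Status counts, implemented share of applicable controls, open effort."""
    counts = Counter(f.status for f in findings)
    applicable = len(findings) - counts["not_applicable"]
    share = round(counts["implemented"] / applicable, 3) if applicable else 0.0
    return {
        "counts": dict(counts),
        "implemented_share": share,
        "open_effort_hours": sum(f.effort_hours for f in findings if f.status in OPEN),
    }


def roadmap(findings):
    """Order the open gaps so each one's open prerequisites come first
    (Kahn's algorithm). Among ready controls: highest impact first, then
    lowest effort (quick wins). Raises ValueError on a dependency cycle."""
    open_gaps = {f.control: f for f in findings if f.status in OPEN}
    # Already-implemented prerequisites impose no ordering constraint.
    pending = {c: {d for d in f.depends_on if d in open_gaps}
               for c, f in open_gaps.items()}
    dependants = {c: set() for c in open_gaps}
    for c, deps in pending.items():
        for d in deps:
            dependants[d].add(c)

    def key(c):
        f = open_gaps[c]
        return (-IMPACT_WEIGHT[f.impact], f.effort_hours, c)

    ready = [key(c) for c, deps in pending.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        c = heapq.heappop(ready)[-1]
        order.append(c)
        for child in dependants[c]:
            pending[child].discard(c)
            if not pending[child]:
                heapq.heappush(ready, key(child))
    if len(order) != len(open_gaps):
        raise ValueError("dependency cycle among: "
                         + ", ".join(sorted(set(open_gaps) - set(order))))
    return order


# Constructed sample register; not findings from any real assessment.
SAMPLE = [
    Finding("5.1", "Policies for information security", "implemented"),
    Finding("5.9", "Inventory of information and other associated assets",
            "not_implemented", "high", 24),
    Finding("5.15", "Access control", "partial", "high", 40, ("5.9",)),
    Finding("6.3", "Information security awareness, education and training",
            "partial", "medium", 16, ("5.1",)),
    Finding("7.4", "Physical security monitoring", "not_applicable",
            justification="Fully remote organisation; no premises in scope"),
    Finding("8.8", "Management of technical vulnerabilities",
            "not_implemented", "high", 32, ("5.9",)),
    Finding("8.15", "Logging", "not_implemented", "medium", 20),
    Finding("8.16", "Monitoring activities", "not_implemented", "medium", 24, ("8.15",)),
]
```

Running `validate(SAMPLE)`, `coverage(SAMPLE)` and `roadmap(SAMPLE)` gives an empty problem list, one implemented control out of seven applicable (7.4 is excluded with its justification) with 156 open hours, and the order 5.9, 8.8, 5.15, 6.3, 8.15, 8.16: the asset inventory goes first because two high-impact controls depend on it, 8.16 waits for 8.15, and 6.3's dependency on the already-implemented 5.1 imposes no constraint. The two practitioner checks worth keeping from this are that a "not applicable" rating without a written justification should be rejected, and that a roadmap which ignores dependencies between controls will schedule work that cannot start.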

How to Evaluate Gap Analysis Quality

Signs of a Quality Assessment

  • Control-by-control mapping (not just high-level themes)
  • Effort estimates in hours, not vague "low/medium/high"
  • Clear scope recommendation with cost implications
  • Risk-rated findings (not just a list of gaps)
  • References to specific ISO 27001:2022 clause numbers
  • Includes interviews with multiple stakeholders

Red Flags

  • Generic report that could apply to any company
  • No interviews conducted (document review only)
  • Completed in less than 1 day (too superficial)
  • No remediation effort estimates
  • Consultant is also selling implementation services (bias risk: an incentive to overstate gaps and the effort to close them)
  • References ISO 27001:2013 instead of 2022 (the transition period for 2013 certificates ended on 31 October 2025, so a 2013-based report is already out of date)

The Gap Analysis Is Your Budget Validation Point

Before the gap analysis, your budget is an estimate. After the gap analysis, you have data. This is where you decide:

Go

Gaps are manageable, budget is realistic, timeline works. Proceed to implementation.

Adjust

Gaps are larger than expected. Narrow scope, extend timeline, or increase budget.

Wait

Maturity is too low. Address fundamental gaps first, then reassess in 6-12 months.

Frequently Asked Questions

What does an ISO 27001 gap analysis involve?
A gap analysis assesses your current security posture against all 93 Annex A controls and clauses 4-10 of the standard. It typically takes 2-6 weeks and involves document review, staff interviews, system walkthroughs, and policy assessment. The output is a gap report with prioritised findings, remediation effort estimates, and a recommended implementation roadmap.
Can I do a gap analysis myself?
Yes, using free checklists or a compliance platform. However, professional gap analyses are more thorough and objective. An experienced consultant will identify gaps you might miss, provide accurate effort estimates, and benchmark your maturity against industry peers. DIY gap analysis is suitable for organisations with internal ISO 27001 experience.
How long does a gap analysis take?
Consultant-led: 1-3 weeks for the assessment, then 1-2 weeks for report writing. Total elapsed time: 2-6 weeks. Platform-assisted: 1-2 weeks of self-assessment using the platform's control mapping. The timeline depends on organisation size, number of stakeholders to interview, and complexity of IT environment.
Is a gap analysis required for ISO 27001?
Not formally required by the standard, but recommended by consultants and certification bodies alike. Without a gap analysis, you risk discovering major gaps during implementation or, worse, during the Stage 1 audit. A gap analysis sets your budget, timeline, and scope correctly from the start.