Full gap analysis against ISO 27001:2022. Maps every applicable Annex A control. Written so your team can actually act on it. Big 4 firms charge $30,000+ and take 6-8 weeks.
Guarantee: Under 3 critical gaps found? You don't pay.
Sound familiar?
Enterprise customers are asking
Before they sign a contract, enterprise buyers want to see ISO 27001 certification or a clear path to it. Without one, you lose deals.
93 controls is a lot to figure out
Annex A has 93 controls across organizational, people, physical, and technological categories. Knowing which ones apply and how to implement them is where most organisations stall.
Certification auditors expect evidence
ISO 27001 isn't a self-assessment. Stage 1 and Stage 2 audits require documented policies, risk assessments, and evidence of implementation. A gap analysis tells you exactly what's missing.
Not sure where your gaps are?
Free 3-minute scorecard. Covers controls mapped to ISO 27001:2022 Annex A.
All 93 Annex A controls reviewed against your current state. One engagement, one report, one person accountable. Written so your team can actually act on it.
Included if relevant to your business:
Typical Big 4 engagement: $30,000+
Your price: $6K-$8K
Delivered in 1-2 weeks. Not 6-8.
Under 3 critical gaps found? You don't pay.
Zero risk. I've never had to honour this.
Free scorecard
2 minutes. See where your organisation stands against ISO 27001:2022 controls. No email needed.
Deep assessment
1-2 weeks, fixed price. I review your controls, policies, and risk treatment against all 93 Annex A controls.
Board-ready report
Evidence-mapped compliance report with prioritised remediation plan. Written for your leadership team, not just your IT department.
SaaS companies
Enterprise customers increasingly require ISO 27001 as a procurement prerequisite. A gap analysis shows you exactly how far away certification is.
Growing businesses
You've outgrown informal security practices. ISO 27001 gives you a framework that scales with your team and demonstrates maturity to partners.
Companies pursuing certification
You've decided to go for ISO 27001 but don't know where to start. A gap analysis is always the first step.
Regulated industries
Healthcare, fintech, and government suppliers often need ISO 27001 alongside industry-specific frameworks. The gap analysis covers the overlap.

I'm a senior software engineer with 10+ years in platform infrastructure. CNCF maintainer. ASD Cyber Security Partner. I do the assessment myself. No juniors, no handoffs, no 200-page report written by a graduate who's never seen production code.
You talk to me, I do the work, I write the report. That's why it costs $6K instead of $30K.
The gap analysis takes 1-2 weeks. Getting from gap analysis to certification-ready typically takes 3-6 months depending on your starting point. The timeline depends on how many controls you already have in place.
ISO 27001:2022 is the current version. All new certifications should target 2022. If you're already certified to 2013, you need to transition by October 2025. The gap analysis targets 2022.
A gap analysis identifies what's missing before you go for certification. It's low-stakes and educational. A certification audit is the formal assessment by an accredited body that decides whether you pass. You want the gap analysis first so you know you'll pass the audit.
The SoA is the master document that lists all 93 Annex A controls and states which ones apply to your organisation and why. It's mandatory for certification and one of the first things an auditor reviews. I help you build or review yours as part of the gap analysis.
Three ways. First, I do the work myself. No juniors, no handoffs. You get a senior engineer with 10+ years' experience, not a team where the partner shows up for the pitch and a graduate does the assessment. Second, it costs $6-8K instead of $30K+. Third, it takes 1-2 weeks instead of 6-8. Same rigour, less overhead.
Yes. The assessment identifies gaps and prioritises them. If you need help closing those gaps, I can scope a remediation engagement separately. Most organisations start with the assessment and then decide what they want to tackle themselves versus what they need help with.
Book a scoping call and I'll walk through what ISO 27001:2022 means for your organisation. Or check your score first.
Taking on 2-3 ISO 27001 gap analyses per month. First in, first served.