Inquiry about Gap Analysis
I have been following your studies and materials about ISO27001 implementation on your website. You stated on your website at https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/ that Gap analysis is done only for Annex “A” controls and that one DOES NOT need to perform gap analysis for clauses of the main part of the standard. I believe you are referring to the mandatory management clauses from clause 4 to 10. (Please find attached screenshot)
Now, my confusion is coming from the ISO 27001 Gap Analysis tool you provided on your website at https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/?icn=free-gap-analysis-tool-27001&ici=bottom-iso-27001-gap-analysis-tool-txt. In this Gap Analysis tool, you included the mandatory management clauses (i.e. clause 4 to 10) as part of the Gap Analysis checklist when you stated previously that Gap analysis is not performed for the mandatory management clauses.
Can you please explain why?
Please note that the article states that "you don't need" to perform gap analysis for clauses of the main part of the standard, not that it cannot be performed.
The tool provided on our website has a different purpose than helping verify the fulfillment of a standard's requirement: it can be used by organizations to get an overall and general feeling of where they are at the current moment, and to find out which resources they may need to employ in order to implement ISO 27001 before any real action or project is developed and implemented.
Sep 07, 2020