ISO 27001 Gap Analysis

Guest user Created:   Apr 16, 2018 Last commented:   Apr 16, 2018


As I mentioned in my invitation, I started my graduate internship (establishing / implementing an ISMS). But I am kind of lost already. What I am doing now is getting to know the organization. And they have implemented ISO 9001:2008, almost the 2015 version. They already have some measures in place selected from ISO 27002.

Expert
Rhand Leal Apr 16, 2018

1 - But my starting point for now is to check what they have according to ISO 27001. Sort of a gap analysis? Current situation. I am kind of not knowing how to start this... I mean, do you make a list of all these clauses + Annex A and check if they have it documented, etc.? Or is it more than that?

Answer: For a gap analysis you evaluate not only whether they have the requirements documented, but also whether the processes and controls are generating the proper records. To help you with a gap analysis, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

2 - What about the maturity? Do I have to measure also the maturity? And how do you do that?
I hope you can give me some advice on how to start this because it is not quite clear to me.

Answer: ISO 27001 does not require performing maturity measurements, but it requires performance measurements, which can be used as parameters to evaluate maturity.

These articles will provide you with further explanation about ISO 27001 and performance measurement:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
