What is a Gap Analysis?

A gap analysis is a structured comparison between what an organisation currently does and what an ISO standard requires. It produces a clear picture of where the organisation already meets the standard, where it partly meets it, and where it does not meet it at all. The output is a prioritised list of the work needed to close those gaps.

Gap analysis is almost always the first practical step when an organisation decides to pursue ISO certification for the first time, add a new standard to an existing system, or restore a management system that has drifted. It is the diagnostic exercise that turns an abstract ambition - we want to get certified to ISO 9001 - into a specific plan - here are the thirty things we need to write, change or record before we are ready for a certification audit.

The exercise itself is not complicated. It is a systematic walk through the clauses of the standard, asking for each requirement: do we do this, do we partly do this, or do we not do this? The answer is documented, evidence is noted where it exists, and any gaps are captured as actions. The skill is in being honest about the answers rather than talking the organisation into thinking it does more than it does.

When to Do a Gap Analysis

Gap analysis is useful at several points in the life of a management system.

Before pursuing ISO certification for the first time, a gap analysis establishes the starting position. Most organisations already do a surprising amount of what the standards require, even without calling it a management system. A gap analysis brings the existing arrangements to the surface and identifies what is missing, which is usually far less than feared.

When adding a new standard to an existing management system, the exercise is narrower. The common clauses - context, leadership, planning, support, operation, performance evaluation, improvement - are already being met by the existing system. The gap analysis focuses on the standard-specific requirements that are new, such as environmental aspects for ISO 14001 or information security controls for ISO 27001.

When a management system has been in place for some years but has quietly drifted out of step with how the organisation now runs, a gap analysis re-establishes where things actually stand. This is especially useful before a recertification audit, or after a period of organisational change such as a merger, relocation or change in scope.

When a standard is revised, a gap analysis against the new version identifies what has changed. A revised ISO 9001 is expected to be published as ISO 9001:2026, and ISO 45001 is due to be revised in 2027. Organisations already certified will need to check their existing systems against the revised requirements before the end of the transition period set by their certification body.

And as a general-purpose review tool, a gap analysis is a good annual exercise to confirm that the management system still does what it is meant to do. Some organisations build it into their internal audit programme.

How a Gap Analysis Works

A typical gap analysis follows a predictable sequence.

First, define the scope. Which standard or standards is the analysis being done against? Which parts of the organisation are in scope? If the organisation has multiple sites, does the analysis cover all of them or just one representative site?

Second, obtain the standard itself. ISO standards are copyrighted and must be purchased from ISO or an authorised distributor such as BSI. Trying to do a gap analysis without the standard itself leads to approximations based on general understanding, which almost always misses specific requirements.

Third, work through the standard clause by clause. For each requirement, assess the current state of the organisation against it. This is most effective as a combination of document review and interviews. Documents show what is supposed to happen; interviews show what actually happens. Where the two disagree, the real state is what happens in practice.

Fourth, score each requirement. A three-level scoring system works well for most organisations: fully met, partly met, not met. Some add a fourth option for requirements that are not applicable to the organisation's scope, though this should be used sparingly and with justification.

Fifth, capture the evidence and the gap. For fully met requirements, note where the evidence lives so it can be found later - which procedure, which register, which record. For partly met requirements, describe what is there and what is missing. For not met requirements, describe the gap clearly enough that someone can plan to close it.

Sixth, summarise the results. A short report summarising the overall position, the main gap areas and the priorities for action is more useful to management than a hundred-row spreadsheet they will not read.

What to Look At in a Gap Analysis

Because modern ISO management system standards share the Annex SL common structure (now published as the Harmonized Structure), the areas covered by a gap analysis are broadly the same regardless of which standard is being assessed. Each of the following areas should be considered; the examples given are from ISO 9001, but the same clause headings apply to ISO 14001, ISO 45001 and ISO 27001.

Context of the organisation (Clause 4): Does the organisation understand its internal and external issues? Are interested parties identified? Are their relevant needs and expectations documented? Is the scope of the management system defined and consistent with what the organisation actually does?

Leadership (Clause 5): Is top management visibly committed to the management system? Are policies established, communicated and understood? Are responsibilities and authorities assigned and communicated?

Planning (Clause 6): Are risks and opportunities identified and addressed? Are objectives set, measurable and supported by a plan? Is there a process for planning changes to the system?

Support (Clause 7): Are the resources needed to run the system available? Are competence requirements identified and met? Are workers aware of the policy and their contribution? Are communications managed? Is documented information controlled?

Operation (Clause 8): Are operational processes planned and controlled? Are requirements for products and services determined and reviewed (ISO 9001)? Are externally provided processes, products and services controlled? Is production or service provision controlled?

Performance evaluation (Clause 9): Is monitoring and measurement planned? Is customer satisfaction assessed (ISO 9001)? Is there an internal audit programme, and is it followed? Is management review taking place?

Improvement (Clause 10): Are non-conformities identified, corrected and prevented from recurring? Is continual improvement evident?

For each area, the gap analysis asks not just whether something is documented but whether it is actually happening. A policy that exists on a shelf and is not communicated is a gap, not a green tick. A risk assessment that was done three years ago and never reviewed is a gap. Being honest about these is what makes the exercise useful.

Scoring and Prioritising the Gaps

Once the walk through the standard is complete, the scored results need to be turned into an action list. Raw counts of how many requirements are fully met are useful for a headline summary, but they do not tell anyone what to do first.

Priority is usually driven by two factors. The first is how fundamental the gap is. Missing a documented procedure for managing customer complaints is more urgent than missing a minor training record. Missing a statement of applicability for ISO 27001 is more urgent than missing a few specific control documents. Gaps that affect multiple clauses or undermine several processes should be addressed first.

The second is how much effort each gap takes to close. Some gaps are simple fixes - writing a one-page procedure, adding a new field to an existing form, running a training session. Others are larger - establishing a formal internal audit programme, building a complete opportunities and risks register, putting in place an information security management system from scratch.

A simple way to structure this is a table with one row per gap and a column for each of: the gap itself, the priority (high, medium or low), the owner, the target date and the evidence that will show the gap is closed. That becomes the gap-closure plan, which is then reviewed regularly as items are completed.
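The scoring, the evidence test and the two-factor prioritisation described in this section and the previous one can be turned into a small tool. The following is an added example, not alphaZ's toolkit or any tool the page describes. It takes the three-level score for each clause, applies the "pick three recent records and check the dates" test so that a requirement claimed as fully met but backed by stale evidence is downgraded to partly met, and orders the remaining gaps by how fundamental they are and then by effort. The numeric weights, the priority thresholds, the target-date offsets and the sample clauses are assumptions chosen for illustration, not anything the standard or the page prescribes.

```python
"""Gap-analysis scoring and prioritisation (added example, not alphaZ's tooling).

The three-level score, the evidence-sampling test and the two prioritisation
factors come from the article; the weights, thresholds, date offsets and
sample data below are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

FULLY, PARTLY, NOT = "fully met", "partly met", "not met"
SEVERITY = {FULLY: 0, PARTLY: 1, NOT: 2}
# Assumed target-date offsets per priority band, in days from the assessment date.
TARGET_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass
class Requirement:
    clause: str                 # clause number as used in the standard, e.g. "6.1"
    title: str
    status: str                 # the reviewer's claimed score: FULLY, PARTLY or NOT
    fundamental: int            # 1 = isolated record, 3 = undermines several processes
    effort: int                 # 1 = one-page procedure, 3 = build from scratch
    evidence: str = ""          # where the evidence lives (procedure, register, record)
    review_interval_days: int | None = None   # e.g. 365 if the procedure says "reviewed annually"
    sampled_dates: list[date] = field(default_factory=list)  # dates of records actually pulled


def effective_status(req: Requirement, today: date) -> str:
    """Do not accept 'fully met' on the strength of a procedure alone.
    If the procedure promises a review interval, look at the sampled records and
    downgrade to 'partly met' when none exist or the newest one is overdue."""
    if req.status != FULLY or req.review_interval_days is None:
        return req.status
    if not req.sampled_dates:
        return PARTLY                      # claimed, but nothing to show for it
    age = (today - max(req.sampled_dates)).days
    return PARTLY if age > req.review_interval_days else FULLY


def priority_band(score: int) -> str:
    # Assumed thresholds: score = severity (0-2) x fundamental (1-3), so 0-6.
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def gap_closure_plan(reqs: list[Requirement], today: date) -> list[dict]:
    """Turn scored requirements into an ordered gap-closure list.
    Requirements that are fully met after sampling produce no action."""
    rows = []
    for req in reqs:
        status = effective_status(req, today)
        score = SEVERITY[status] * req.fundamental
        if score == 0:
            continue
        band = priority_band(score)
        rows.append({
            "clause": req.clause,
            "title": req.title,
            "claimed": req.status,
            "status": status,
            "downgraded": status != req.status,
            "priority": band,
            "effort": req.effort,
            "target_date": today + timedelta(days=TARGET_DAYS[band]),
            "evidence_to_close": req.evidence or "to be defined",
            "_score": score,
        })
    # Most fundamental gaps first; at equal importance, the cheaper fix first.
    rows.sort(key=lambda r: (-r["_score"], r["effort"], r["clause"]))
    for r in rows:
        del r["_score"]
    return rows


def headline(reqs: list[Requirement], today: date) -> dict:
    """Counts for the one-paragraph management summary."""
    counts = {FULLY: 0, PARTLY: 0, NOT: 0}
    for req in reqs:
        counts[effective_status(req, today)] += 1
    return counts


# Constructed sample: a handful of ISO 9001-style clauses with invented scores.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Requirement("4.1", "Context of the organisation", FULLY, 2, 1, "Manual s.4"),
    Requirement("5.2", "Quality policy", FULLY, 2, 1, "POL-01", 365, [date(2025, 1, 15)]),
    Requirement("6.1", "Risks and opportunities", FULLY, 3, 3, "Risk register", 365,
                [date(2022, 3, 1), date(2022, 3, 1), date(2022, 4, 5)]),
    Requirement("7.2", "Competence", PARTLY, 1, 1, "Training matrix"),
    Requirement("9.2", "Internal audit", NOT, 3, 3),
    Requirement("10.2", "Nonconformity and corrective action", NOT, 2, 1),
]

if __name__ == "__main__":
    print(headline(SAMPLE, TODAY))
    for row in gap_closure_plan(SAMPLE, TODAY):
        flag = " (downgraded: sampled evidence stale)" if row["downgraded"] else ""
        print(f'{row["clause"]:>5} {row["priority"]:<6} effort={row["effort"]} '
              f'due {row["target_date"]} {row["title"]}{flag}')
```

In the sample, the risk register is claimed as fully met, but the three sampled assessments are all from 2022 against an annual review promise, so it is downgraded to partly met and lands in the plan as a medium-priority gap. The internal audit programme, missing entirely and undermining several processes, comes out on top; the cheap corrective-action fix is next because it is both fundamental and quick.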

Turning the Gap Analysis into a Plan

The gap analysis report itself is a snapshot in time. It starts to go out of date as soon as the first gap is worked on. What matters is the action plan that comes out of it and whether that plan is actively managed.

A good gap-closure plan is integrated into the wider management system. Actions are logged on the issues and actions register so they are not lost. Owners are assigned and timescales are agreed. Progress is reviewed at regular intervals - monthly or quarterly - until the gaps are closed. Completion of each action is verified, not just claimed.

Management review is a natural checkpoint for gap-closure progress. Some organisations treat the first post-gap-analysis management review as a project review of the implementation plan itself - what has been done, what is behind schedule, what needs additional resources. This keeps the momentum going and avoids the common pattern of a gap analysis producing enthusiasm that peters out after a few weeks.

Doing It Yourself vs Using a Consultant

Organisations often ask whether to carry out the gap analysis themselves or bring in an external consultant. Both approaches work and neither is always the right answer.

Doing it internally is cheaper and builds internal understanding of the standard. The main risk is that internal reviewers are too close to the current way of working and may mark requirements as met because they reflect what the organisation does, rather than because they actually meet the standard's wording. A careful read of the standard, discussion within the team and a willingness to be uncomfortable with the answers mitigates this.

Using a consultant brings independence and experience. A consultant who has done gap analyses against the same standard many times will spot issues that internal staff miss, and they have no emotional investment in the existing system. The main risk is that the consultant may produce a generic report that looks thorough but does not reflect the organisation's actual situation. Choosing a consultant who spends time on site and talks to staff, rather than one who emails a checklist and writes up a desk review, is usually worth the additional cost.

A common middle path is to do the initial walk-through internally using a structured template, then have a consultant review the output and suggest areas that were missed or scored too generously. This gets the benefits of both approaches without the full cost of an external engagement.

The most common mistake I see in gap analyses is scope creep. Organisations set out to assess against ISO 9001 and end up trying to redesign their whole management system at the same time. A gap analysis is a diagnostic exercise - it answers the question where do we stand. It does not answer the question what should we do about it, though it feeds into that.

Keep the two separate. First, produce an honest picture of the current state. Then, in a separate step, plan the work to close the gaps. Trying to do both at once usually means neither is done properly.

The other thing I tell clients is not to be discouraged by what the gap analysis finds. Most organisations are already meeting around two-thirds of the requirements before they start. The gap analysis tells them where the remaining third sits.

We did a gap analysis before we went for ISO 14001, and I was expecting it to be painful. It was not. Most of the things the standard asks for we were already doing, just not documenting in the way the standard wanted. A lot of the gap-closure was writing down what we already did rather than inventing new processes.

The bit that caught us out was the interested parties and environmental aspects work. Neither of those had a natural home in how we were operating. We built a register for each from scratch and it took a few months to get them right. Those were the real gaps, and the gap analysis was honest enough to tell us so.

When I audit an organisation that has recently gone through a gap analysis, the quality of the exercise is usually obvious within the first hour. A good gap analysis produces a management system that matches the evidence on the ground. A poor one produces a system that looks fine on paper but falls apart as soon as I ask for actual records.

My advice to anyone doing a gap analysis is to sample the evidence. Do not just accept that something is in place because a procedure says it is. Pick three recent examples and look at them. If the procedure says risk assessments are reviewed annually, find three risk assessments and check the dates. That level of sampling is what produces a gap analysis I can rely on when I come to audit.

Practical Compliance Guidance

The alphaZ toolkits are structured to support gap analysis even when they are not being used for the initial assessment. Each toolkit includes ISO correlation documents that map the clauses of the standard to the relevant sections of IMS1. The same correlation can be used as the framework for a gap analysis: walk through the correlation, mark each mapped section as fully met, partly met or not met, and the gap list writes itself.

Once gaps are identified, the supporting forms and registers from the toolkit are used to close them and to track progress.

alphaZ documents and how to use them:

ISO 9001 Management System Toolkit: Includes the IMS1 manual and an ISO 9001 correlation document which can be used directly as a gap analysis framework against ISO 9001:2015.

ISO 9001, 14001, 45001 IMS Toolkit: For organisations assessing against more than one standard. Includes correlation documents for each standard, so the gap analysis can cover all three in one pass.

ER1 Issues and Actions Register: Central log for capturing gap-closure actions with owners, dates and status. Keeps the gap analysis output alive as a managed plan rather than a one-off report.

F-Q11 Company Objectives: Used to turn significant gap-closure activities into measurable objectives with timescales and owners, reviewed at management review.

F-Q3 Management Review: Provides the checkpoint at which gap-closure progress is reviewed by top management and priorities for the next cycle are confirmed.

F-IMS20 Document Register: Used to record each new procedure, policy or form created to close an identified gap, so the management system documentation grows with the gap-closure work.

F-IMS23 Opportunities and Risks Register: A populated risks register is often the single biggest gap identified for organisations new to ISO. This template provides the structure and the headings so the register can be built from the gap analysis onwards.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How long does a gap analysis take?

For a small to medium organisation assessing against a single ISO standard, an internal gap analysis typically takes two to five days of effort, spread over two to four weeks to allow for document review and staff interviews. Larger organisations or multi-standard assessments take longer. The effort is front-loaded: the analysis itself is quick once the standard has been read and the scope agreed.

Is a gap analysis required for ISO certification?

No. ISO standards do not require organisations to carry out a gap analysis. It is a practical tool that organisations use to plan their work, not a certification requirement. Certification bodies may conduct a pre-audit or stage one audit that looks similar to a gap analysis, but that is an audit rather than a gap analysis and has a different purpose.

What is the difference between a gap analysis and an internal audit?

A gap analysis compares the organisation against the requirements of a standard. An internal audit compares the organisation against its own documented management system. Gap analysis is usually done before or outside the normal audit cycle to plan work; internal audit is a routine activity of an established management system to verify it is working as intended. In an organisation new to ISO, the first exercise looks like a gap analysis; once the system is in place, the same people often go on to run the internal audit programme.

Can an earlier gap analysis be reused at recertification?

Yes, provided it is kept current. Some organisations refresh their original gap analysis before each recertification cycle to confirm what has changed and to identify any drift since the last assessment. This is particularly useful when a standard has been revised or when the organisation has made significant changes to its scope, structure or operations since the previous certification.

UK Legislation

No UK legislation specifically requires a gap analysis against an ISO standard. Organisations pursuing or maintaining certification use gap analysis as a practical planning tool rather than to meet any legal requirement.
