A gap assessment is the starting point of every credible ISO 27701 implementation. It tells you where you stand before you begin, which controls already exist in some form, which ones are entirely absent, and how far you are from certification readiness. Done well, it shapes the entire programme — prioritisation, resourcing, timeline, and budget. Done poorly, it creates a false sense of confidence that collapses under audit scrutiny.
This guide explains how to structure an ISO 27701 gap assessment properly, what to examine in each control area, how to score and present the results, and — critically — how to translate those results into a realistic, prioritised implementation roadmap.
This guide covers the ISO 27701 gap assessment process for organisations that are either starting from scratch or building on an existing ISO 27001 foundation. It assumes basic familiarity with the structure of the ISO 27701 standard. If you are new to the standard, read our earlier blog ‘ISO 27701 Explained’ first.
What a Gap Assessment Is — and What It Is Not
A gap assessment is a structured comparison of your current privacy management practices against the requirements of ISO 27701. It identifies the delta between where you are and where you need to be for certification.
It is not an audit. A gap assessment is an internal or advisory exercise — it carries no formal weight with a certification body and does not produce evidence for use in the actual audit. Its value is entirely internal: it gives your team an accurate picture of the work ahead so that resources, timelines, and priorities are set correctly from the start.
It is also not a one-size-fits-all exercise. The scope and depth of a gap assessment should reflect your organisation’s role (controller, processor, or both), the complexity of your PII processing activities, and your existing compliance posture.
Who Should Be Involved
A gap assessment that is run by a single person — typically a compliance manager working alone through a checklist — will miss significant gaps. Privacy obligations span legal, technical, operational, and product functions. The assessment needs input from all of them.
- Privacy / Compliance Lead — overall assessment ownership, documentation review, policy gap identification.
- Legal / DPO — legal basis analysis, processor agreement review, regulatory mapping.
- IT / Engineering — technical control assessment: encryption, access controls, deletion capabilities, logging, consent management systems.
- HR — employee data processing review, training records, background check procedures, offboarding controls.
- Product / Engineering Management — privacy by design practices, DPIA trigger process, data minimisation in product development.
- Procurement / Vendor Management — processor inventory, DPA status, sub-processor notification processes.
For smaller organisations, these roles may overlap across two or three people. The key is that every functional area that touches personal data is represented in the assessment, not just the compliance team.
Structuring the Assessment: The Control Domains
ISO 27701 gap assessments are most effectively structured around the standard’s own control domains. For a combined ISO 27001 and ISO 27701 assessment, this means working through both sets of controls. For organisations already holding ISO 27001, focus the gap assessment on the ISO 27701 extensions.
The ISO 27701-specific control domains to assess are:
| Control Domain | What to Examine |
|---|---|
| PIMS Scope and Context | Is PII processing in scope of the ISMS? Is the organisation’s role as controller, processor, or both documented? |
| Leadership and Accountability | Is a privacy officer or equivalent role defined? Is there a privacy policy? Has senior management formally endorsed the PIMS? |
| Record of Processing Activities | Does a RoPA exist? Does it cover all in-scope processing activities? Are legal basis, retention, and recipients documented for each entry? |
| Legal Basis Documentation | Is the legal basis documented for each processing activity? Are LIAs in place for legitimate interests processing? |
| Consent Management | Is a consent mechanism in place? Are consent records maintained? Is withdrawal technically implemented and tested? |
| Privacy Notices | Are privacy notices in place? Do they cover all required elements? Are they version-controlled and current? |
| Data Subject Rights | Is there a documented process for each applicable right? Are request logs maintained? Has the process been tested? |
| Data Minimisation and Purpose Limitation | Are data fields documented and justified? Is there evidence of minimisation decisions at design time? |
| Retention and Deletion | Is a retention schedule in place? Are retention periods technically enforced? Is secure deletion evidenced? |
| DPIAs | Is a DPIA process defined with documented triggers? Have DPIAs been conducted for high-risk processing activities? |
| Processor and Vendor Management | Is a processor register maintained? Are DPAs in place with all processors? Is a sub-processor notification process documented? |
| Breach Notification | Does the incident response plan cover personal data breaches? Are notification timelines defined? Has the process been tested? |
| Privacy by Design | Is there a privacy review step in the product development process? Are default settings privacy-protective? |
| Cross-Border Transfers | Is a transfer register maintained? Are SCCs or equivalent mechanisms in place for all relevant transfers? |
| Training and Awareness | Is privacy training delivered to all staff handling PII? Are completion records maintained? |
| Internal Audit and Management Review | Has an internal PIMS audit been conducted? Are management reviews documented with privacy performance data? |
Scoring the Gaps: A Simple, Usable Rating Scale
Gap assessments that produce a binary ‘compliant / non-compliant’ output are too blunt to be useful for planning. A four-level maturity rating gives compliance teams a more accurate and actionable picture.
| Rating | Label | Description |
|---|---|---|
| 0 | Not in Place | No policy, process, or technical control exists for this requirement. Full implementation required. |
| 1 | Partially in Place | Some elements exist — perhaps a policy document but no operational process, or a process that covers some but not all scenarios. Significant work required. |
| 2 | Largely in Place | The control exists and is operational but has documented gaps or lacks audit-ready evidence. Refinement and evidence-gathering required. |
| 3 | Fully in Place | The control is implemented, operational, and evidenced to audit standard. Minimal additional work required. |
Apply this rating to each control domain and, within each domain, to each specific requirement. The output is a heatmap of your compliance posture — a visual representation of where the red (0) and amber (1) concentrations are, which drives prioritisation.
The most common gap assessment failure is over-rating controls because something exists on paper. A privacy policy that was written two years ago, never reviewed, and not operationalised into actual practices is a 0 or 1, not a 3. Auditors will find the difference. Rate against operational reality, not documented intent.
The Gap Assessment Interview Guide
Document review alone is not sufficient. Many gaps exist not in documentation but in operational practice — processes that exist on paper but are not followed, technical controls that are configured but never tested, training that was delivered once and never repeated. Structured interviews with functional owners surface these operational gaps.
Questions for the Privacy / Compliance Lead
- Walk me through what happens when a data subject submits an access request. Who receives it, what system is used, and how is the response produced?
- When was the RoPA last updated? What triggered that update? Who owns it?
- Has a DPIA ever been conducted? For which processing activities? Who initiated it?
- When was the last internal PIMS audit conducted? What findings were raised and how were they closed?
Questions for IT / Engineering
- How is personal data deleted when a retention period ends? Is this automated or manual? Can you show me evidence it has happened?
- If a customer requests deletion of their account, what happens to their data in the database, in backups, and in third-party systems?
- Where are consent records stored? How would you retrieve the consent record for a specific individual if asked?
- Which third-party systems receive personal data from your platform? Do you have DPAs with all of them?
Questions for Product / Engineering Management
- Is there a privacy review step before a new feature is launched? What does that look like?
- How are data minimisation decisions made at the design stage? Is there documentation of those decisions?
- What are the default privacy settings for a new user? Who decided those defaults?
Questions for HR
- What privacy training do employees receive? When was it last updated? Where are completion records stored?
- What happens to an employee’s personal data when they leave the organisation? Is there a documented offboarding procedure?
- Do employees with access to production systems undergo background checks? Are records of those checks maintained?
Presenting the Results: The Gap Assessment Report
The gap assessment report is the primary output and the input to your implementation planning. It should be structured to be useful to two audiences: the technical team who will implement the remediation, and senior leadership who need to understand the risk and resource implications.
Report Structure
- Executive Summary — overall maturity rating, headline gaps, estimated effort to certification, and a recommendation on timeline.
- Assessment Methodology — scope, assessment period, domains reviewed, team members involved, rating scale used.
- Findings by Domain — for each control domain: current rating, specific gaps identified, risk implication, and recommended action.
- Gap Heatmap — a visual summary of ratings across all control domains, highlighting red and amber areas.
- Prioritised Remediation Plan — the findings from the gap assessment translated into a structured workplan with owners, effort estimates, and target completion dates.
- Appendices — interview notes, document review log, list of policies and artefacts reviewed.
Translating Results into a Remediation Roadmap
The gap assessment report is not the end product — the remediation roadmap is. Findings that sit in a report without being actioned do not move you toward certification. The roadmap converts gap assessment findings into a structured workplan.
Prioritisation Framework
Not all gaps are equal. Prioritise remediation in this order:
- Certification blockers first: any gap that would result in a Major Nonconformity at Stage 2 must be addressed before the audit. These are typically absent or entirely non-operational controls: no RoPA, no consent mechanism, no DPAs with processors, no internal audit conducted.
- High-risk gaps second: controls where partial implementation creates meaningful legal or reputational risk — for example, a data subject rights process that exists but has never been tested, or retention schedules that are documented but not technically enforced.
- Evidence and documentation gaps third: controls that are operationally functional but lack the documented evidence an auditor needs to verify them. These are often quick wins — a well-run process that simply has not been written up.
- Maturity improvements last: controls that are already at Level 2 and need refinement to reach Level 3. These are improvements, not blockers, and should not consume resources at the expense of the first three categories.
Roadmap Format
Structure the roadmap as a workplan with the following columns for each remediation action:
- Control Domain — the domain and the specific gap being addressed.
- Remediation Action — the specific task required (e.g. ‘Draft and execute DPAs with all processors identified in the processor register’).
- Owner — the named individual responsible for completion.
- Dependencies — anything that must be completed before this action can start.
- Effort Estimate — realistic time estimate, not optimistic.
- Target Completion Date — set by working backward from your planned Stage 1 audit date.
- Status — Not Started / In Progress / Complete / Blocked.
Build your remediation roadmap in a tool that gives you visibility across all workstreams simultaneously — not a series of individual documents. Compliance programme management requires tracking dependencies across legal, technical, and operational workstreams at the same time. A shared platform or project management tool with assigned owners and due dates outperforms a static spreadsheet within weeks of starting.
Common Gap Assessment Mistakes to Avoid
- Assessing documentation instead of operations. A gap assessment that only reviews written policies without verifying that they are actually followed will give you a falsely optimistic picture. Always test against operational reality.
- Scoping too narrowly. Excluding business units, subsidiaries, or systems because they feel peripheral is a common trap. If PII flows through a system or team, it needs to be in scope.
- Running the assessment without involving IT. Technical gaps — the absence of automated retention enforcement, the lack of a consent records database, the inability to produce a portable data export — are among the most time-consuming to remediate. You need to know about them early.
- Treating the gap assessment as a one-time exercise. Organisations that conduct a gap assessment, begin remediation, and never update the assessment miss the gaps introduced by new processing activities, new vendors, and organisational changes during the implementation period. Review and update the gap assessment at least quarterly during implementation.
- Under-resourcing the remediation roadmap. Gap assessments frequently reveal more work than leadership anticipated. Presenting the roadmap without an honest conversation about the resources required to execute it leads to missed deadlines and a certification timeline that slips repeatedly.
When to Bring in External Support
Gap assessments can be run entirely internally, but there are situations where external advisory support materially improves the quality of the output:
- Your team does not have deep ISO 27701 expertise — an external advisor who has run multiple assessments will identify gaps that an internal team without that experience will miss.
- You need credibility with senior leadership — an external assessment report carries more weight in board or leadership discussions about resource allocation than a self-assessment.
- You want an independent view — internal teams have blind spots about their own processes. An external assessor who has no stake in the outcome will rate more honestly.
- You are under time pressure — an experienced external advisor can run a gap assessment in two to three weeks that would take an internal team two to three months to complete alongside operational responsibilities.
The Bottom Line
A gap assessment is not a bureaucratic prerequisite to be completed and filed. It is the foundation of your entire certification programme. The quality of your gap assessment determines the accuracy of your timeline, the appropriateness of your resource allocation, and the likelihood of passing your Stage 2 audit without Major Nonconformities.
Invest in getting the gap assessment right. The time spent on a thorough, honest, operationally-grounded gap assessment pays back many times over in avoided rework, accurate planning, and a certification journey that proceeds without avoidable surprises.
Frequently Asked Questions
No. A gap assessment is an internal or advisory exercise with no formal weight with a certification body. It exists to find your gaps before the real audit, so you can fix them in advance.
For most organisations, 2–4 weeks depending on scope, your role (controller, processor, or both), and how mature your existing ISO 27001 ISMS is.
Every function that touches personal data — privacy/compliance lead, legal/DPO, IT/engineering, HR, product/engineering management, and procurement/vendor management. A single person working through a checklist will miss significant gaps.
Score each gap, prioritise by risk and effort, and translate the findings into a remediation roadmap with owners and timelines — that roadmap becomes the plan for your implementation.