The instinct is understandable. The sequence is wrong.
Your board has decided: you are pursuing ISO 27001 certification. The CISO (or whoever owns this initiative) does what most organisations do next. They pick up the phone and call a consulting firm.
Within a week, a proposal lands in your inbox. Somewhere between 15,000 and 45,000 euros, depending on your size and the firm’s letterhead. Phase one: gap assessment. Phase two: remediation planning. Phase three: implementation support. Phase four: audit readiness review.
It looks comprehensive. It probably is. But the sequencing has a structural flaw that most organisations only recognise after they have paid for it.
What a gap assessment actually is
Before getting into the problem, it is worth being precise about the deliverable.
An ISO 27001 gap assessment maps your organisation’s current security posture against the requirements of the standard. In practical terms, that means two things:
The mandatory clauses (Clauses 4 to 10). These govern how you establish, operate, and improve your Information Security Management System (ISMS), covering context, leadership, planning, support, operation, performance evaluation, and continual improvement. Every organisation seeking certification must address all of them; none of these clauses can be excluded.
Annex A controls. Annex A of ISO 27001:2022 lists 93 controls across four themes: organisational (37), people (8), physical (14), and technological (34). Your Statement of Applicability (SoA), one of the core certification artefacts, must account for every one of the 93: each control is either included (implemented or planned, with a justification for inclusion) or formally excluded with a documented justification.
A gap assessment tells you where you stand against both dimensions. Which clauses have documented processes behind them. Which controls are implemented, partially implemented, or absent entirely. And crucially: where the highest-risk gaps sit relative to your operational environment.
That output is diagnostic intelligence. It is the starting point for every downstream decision: scope, remediation roadmap, resource allocation, timeline, and budget.
The problem with outsourcing the diagnosis
Consultants are not the problem. The problem is treating a diagnostic exercise as something that requires external expertise to begin.
Here is what happens when you engage a consultant before you have completed your own gap assessment:
You pay for orientation time. The first weeks of most consulting engagements are spent learning your organisation: your systems, your processes, your documentation landscape, your team. That orientation is billed at consulting day rates. It is not recoverable value.
The gap assessment becomes a deliverable, not a tool. When a consultant conducts your gap assessment, the output is their document, formatted to their template, interpreted through their methodology, presented back to you in a final session. You receive conclusions. You do not develop working knowledge of your own control posture.
Scope is set before you understand your own exposure. Remediation planning and implementation scoping happen downstream of the gap assessment. But when you have not done the diagnostic work yourself, you are negotiating scope (timelines, deliverables, day rates) without the intelligence needed to push back, challenge, or prioritise.
You become a passive recipient of a process you should own. ISO 27001 is not a project you hand to a consultant and collect the certificate at the end. The standard requires that information security be embedded in your management system: understood, operated, and maintained by your organisation. Starting the process as a passive recipient is the worst possible foundation.
What you should know before you engage anyone
The organisations that run the most efficient ISO 27001 certification programmes share a common pattern: they know their gaps before they call anyone.
They have walked through the 93 Annex A controls and mapped their current state. They know which organisational controls (access management policies, supplier relationships, incident response procedures) are documented versus assumed. They know which technological controls (vulnerability management, logging, secure configuration) are implemented consistently versus patchwork. They have a prioritised list of what needs to be built and what needs to be documented.
That intelligence transforms every subsequent conversation.
When they engage a consultant, it is for implementation expertise, not discovery. The scope is tighter. The engagement is shorter. The day rate buys specific capability, not general orientation. Organisations that arrive at a consulting engagement with a completed gap assessment typically reduce implementation consulting costs by 25 to 40% compared to organisations that outsource the full process.
More importantly, they are not learning about their own security posture from a third party. They already know it.
Running your own gap assessment
The practical objection is usually one of two things: either “we don’t have the internal expertise to assess against the standard” or “we don’t have time to do this properly.”
Both objections are legitimate for very small organisations with no dedicated security function. For any organisation with a CISO, a GRC team member, or a security-aware IT function, neither holds.
ISO 27001:2022 is a published standard that any organisation can buy from ISO or its national standards body. The Annex A controls are structured and specific. A competent GRC practitioner can map current state against each control domain without external assistance. What they typically lack is a structured framework to do it consistently, a way to record and weight the findings, and a format for turning the output into something actionable.
That is the gap a readiness platform fills: not replacing expertise, but structuring the exercise.
A structured gap assessment should produce:
- A control-by-control status map (implemented / partially implemented / not implemented / not applicable)
- A risk-weighted view of which gaps carry the most exposure
- A prioritised remediation list sequenced by risk-to-effort ratio, so the gaps that remove the most exposure per unit of work come first
- Documentation of exclusion justifications for controls you are marking out of scope
- An executive summary suitable for board or senior leadership reporting
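As an added illustration (not part of the original article or any platform it refers to), the script below structures the first four outputs above for a control inventory: it groups controls into the status map, checks the Statement of Applicability for the problems an auditor would raise (an exclusion with no justification, duplicate entries, a theme that does not account for all of its Annex A controls), and orders the open gaps by risk per unit of remediation effort, the page's effort-to-risk sequencing. The inventory is a constructed subset of eight real Annex A control identifiers, and the 1-to-5 risk and effort weightings are an assumption of the example; a real assessment fills in all 93 controls, which is exactly what the completeness check enforces.

```python
"""Structure a self-run ISO 27001:2022 gap assessment.

Added example. The inventory is a constructed subset of Annex A; risk and
effort are the assessor's own 1-5 weightings (an assumption of this example).
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "not applicable"


# Annex A theme sizes in ISO 27001:2022 (37 + 8 + 14 + 34 = 93 controls).
THEME_SIZES = {"organisational": 37, "people": 8, "physical": 14, "technological": 34}


@dataclass(frozen=True)
class Control:
    ref: str                 # Annex A identifier, e.g. "8.15"
    theme: str
    title: str
    status: Status
    risk: int = 0            # 1-5: exposure carried while the gap stays open
    effort: int = 1          # 1-5: estimated remediation effort
    justification: str = ""  # required when status is NOT_APPLICABLE


# Constructed sample inventory: only 8 of the 93 controls, on purpose.
INVENTORY = [
    Control("5.15", "organisational", "Access control", Status.PARTIAL, risk=4, effort=2),
    Control("5.19", "organisational", "Information security in supplier relationships",
            Status.NOT_IMPLEMENTED, risk=3, effort=3),
    Control("5.24", "organisational", "Information security incident management planning and preparation",
            Status.NOT_IMPLEMENTED, risk=5, effort=2),
    Control("6.3", "people", "Information security awareness, education and training", Status.IMPLEMENTED),
    # Excluded with no justification: the SoA check below must flag this.
    Control("7.4", "physical", "Physical security monitoring", Status.NOT_APPLICABLE),
    Control("8.8", "technological", "Management of technical vulnerabilities", Status.PARTIAL, risk=5, effort=3),
    Control("8.9", "technological", "Configuration management", Status.NOT_IMPLEMENTED, risk=4, effort=4),
    Control("8.15", "technological", "Logging", Status.IMPLEMENTED),
]


def status_map(controls):
    """Control-by-control status map: refs grouped by status, in inventory order."""
    out = {s: [] for s in Status}
    for c in controls:
        out[c.status].append(c.ref)
    return out


def validate_soa(controls):
    """Problems an auditor would raise with this SoA, as human-readable strings."""
    problems = []
    refs = Counter(c.ref for c in controls)
    problems += [f"duplicate entry for {r}" for r, n in refs.items() if n > 1]
    for c in controls:
        if c.status is Status.NOT_APPLICABLE and not c.justification.strip():
            problems.append(f"{c.ref} excluded without documented justification")
        if c.theme not in THEME_SIZES:
            problems.append(f"{c.ref} has unknown theme {c.theme!r}")
    # Every Annex A control must appear exactly once, so the per-theme
    # counts of a complete SoA equal the published theme sizes.
    seen = Counter(c.theme for c in controls)
    for theme, size in THEME_SIZES.items():
        if seen[theme] != size:
            problems.append(f"{theme}: {seen[theme]} of {size} controls accounted for")
    return problems


# A partially implemented control carries half of its risk as residual gap.
GAP_WEIGHT = {Status.NOT_IMPLEMENTED: 1.0, Status.PARTIAL: 0.5}


def priority(c):
    """Residual risk removed per unit of effort; higher means fix sooner."""
    return c.risk * GAP_WEIGHT[c.status] / c.effort


def remediation_plan(controls):
    """Open gaps ordered by risk-to-effort ratio; ties broken by raw risk, then ref."""
    gaps = [c for c in controls if c.status in GAP_WEIGHT]
    return sorted(gaps, key=lambda c: (-priority(c), -c.risk, c.ref))


if __name__ == "__main__":
    for status, refs in status_map(INVENTORY).items():
        print(f"{status.value:>22}: {', '.join(refs) or '-'}")
    for p in validate_soa(INVENTORY):
        print("SoA problem:", p)
    for c in remediation_plan(INVENTORY):
        print(f"{priority(c):.2f}  {c.ref}  {c.title}  ({c.status.value})")
```

Run against this eight-control sample, the SoA check reports one unjustified exclusion and four incomplete themes, which is the point: the same function that prioritises remediation also refuses to call the assessment finished until all 93 controls have a status. The two weightings (1.0 for absent, 0.5 for partial) are the assessor's choice, not anything the standard prescribes; what matters is that the ordering is explicit and repeatable rather than decided in a consultant's slide deck.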
Done properly, this exercise takes a competent GRC practitioner two to three weeks for a mid-sized organisation. It costs nothing except internal time. And it produces the most valuable strategic document you will have for the entire certification journey.
When to bring in the consultant, and for what
None of this means consultants have no role in ISO 27001 certification. They do. The argument is about sequence.
Bring in external expertise when you have a completed gap assessment and a clear picture of where your capability gaps are. Use them for:
- Building controls you lack internal capability to design: access management frameworks, supplier security requirements, formal incident response playbooks.
- Documentation quality review: particularly for the Statement of Applicability, risk treatment plan, and ISMS policy suite that auditors will scrutinise.
- Internal audit: Clause 9.2 requires one before the certification audit, and someone independent of the ISMS who knows what lead auditors look for is well placed to run it as a pre-certification rehearsal.
- Audit liaison: if your team has limited experience navigating the certification audit (the Stage 1 documentation review and the Stage 2 implementation audit).
This is high-value, specific work. It is categorically different from orientation and discovery. That work should be completed before the first consulting invoice arrives.
The intelligence-first approach
ISO 27001 certification is a three-year cycle, not a one-time project: the initial Stage 1 and Stage 2 audits, a surveillance audit in each of the following two years, and a recertification audit in year three. Organisations that treat it as something to be managed by a third party from the start tend to arrive at certification with a compliant document set and a shallow understanding of their own control environment. They pass the audit. They struggle with the first surveillance audit twelve months later.
Organisations that own the diagnostic work from day one arrive at certification with something more durable: an internal understanding of their information security posture, a team that has engaged with the standard in practice, and a management system that actually reflects how they operate.
The gap assessment is not a document to be received. It is an exercise to be done. Starting there, before you spend a euro on external support, is the most important decision you will make in the certification process.