Plain Compliance

The 20 questions that reveal most ISO 27001 gaps

You don’t need to read the whole standard to find your biggest compliance gaps. These 20 plain-English questions surface most of them.

  • iso-27001
  • getting-started

Most ISO 27001 gaps aren’t exotic. They’re the everyday things that never got written down: who has access to what, what happens when someone leaves, whether anyone has ever tested a backup. You can surface the majority of them by answering a short set of plain-English questions about how your business actually works.

Here are the kinds of questions we ask — and why each one matters.

People and access

  1. How do new staff get access to the systems they need?
  2. What happens to that access when someone leaves?
  3. Who has administrator rights, and why?
  4. How do you handle passwords and multi-factor authentication?

These map to access control and joiner/leaver processes — among the most common gaps auditors find, because the process usually lives in someone’s head rather than in a written procedure, and nobody periodically reviews who still has access to what.

Suppliers and dependencies

  1. Which suppliers could seriously affect your business if they failed?
  2. What data do those suppliers hold or process for you?
  3. How do you check a new supplier before relying on them?

Supplier risk is where this bites hardest: you may genuinely trust a supplier, but unless you can show how you assessed them, what data they hold and what you would do if they failed, an auditor has nothing to look at. A control you can’t evidence is a control you don’t have.

Devices and data

  1. What would happen if a developer laptop was lost or compromised?
  2. Are company devices encrypted?
  3. Where does your sensitive data actually live?
  4. How is data backed up — and how do you know the backups work?

Change and operations

  1. Who can change production systems, and how is that approved?
  2. How do you keep software and systems patched?
  3. How do you know if something suspicious is happening?

Incidents and continuity

  1. What do you do when something goes wrong?
  2. Who decides it’s an “incident”, and who gets told?
  3. If your main system went down, how would you keep working?

Governance

  1. Who owns information security in your business?
  2. How do you make sure staff know the basics?
  3. How often do you actually review any of this?

Turning answers into a gap analysis

None of these questions mention a control number — but every answer maps to one. That’s the whole idea behind Plain Compliance: you describe your business, and we handle the translation to ISO 27001.

Want to see your own answers turned into a first-pass gap analysis? Start for free.
