
How to Use AI Tools to Run an ISO 27001 Gap Assessment

AI tools can reduce ISO 27001 gap assessment drafting from weeks to hours. This article explains a six-stage workflow for control mapping, gap analysis, remediation planning, and executive reporting while keeping analyst validation and judgement central.

Xcademia Research Team
May 26, 2026
6 min read

A practical workflow for GRC professionals and IS managers, from control mapping to gap report in a fraction of the time.

An ISO 27001 gap assessment conducted manually takes weeks. The GRC professional works through the 93 Annex A controls, interviews control owners, reviews evidence, documents the current implementation status for each control, identifies gaps, assesses the risk of each gap, and produces a prioritised remediation report. Done properly, this is painstaking work.

AI tools do not replace the judgement required to assess whether a control is actually implemented or merely documented as implemented. What they do is compress the time spent on the mechanical parts of the process: mapping control language to evidence descriptions, drafting gap findings in consistent professional language, and prioritising gaps using risk criteria that have already been defined. 

This workflow produces a draft gap assessment report in a fraction of the manual time, with the same analyst judgement applied but at significantly greater efficiency.

The AI tool in an ISO 27001 gap assessment is the analyst's drafting assistant, not their substitute. The tool produces structured text from structured inputs. The analyst provides the inputs, verifies the outputs, and applies the judgement that determines whether the control is actually working rather than merely documented. 

Before You Start: What You Need 

The workflow assumes you have the following before involving any AI tool. These inputs are analyst work. They cannot be substituted. 

  • The ISO 27001:2022 Annex A control reference list (93 controls across four themes) 

  • The organisation's Statement of Applicability (SoA) if one exists, or a scope definition if starting from scratch 

  • The organisation's current policy library, any existing control evidence, and the relevant regulatory context 

  • Interview notes or completed self-assessment questionnaires from control owners across the relevant domains 

  • A clear understanding of which controls are in scope based on the organisation's information security scope 


If any of these inputs are missing, the gap assessment cannot be conducted reliably with or without AI assistance. The AI tool works with what you give it. Garbage in produces garbage out with greater efficiency than ever before.

The common mistake in AI-assisted compliance work is using the tool to compensate for incomplete inputs. The gap assessment that is drafted quickly from inadequate evidence is not a time saving. It is a liability that will be found during the certification audit. 

The Six-Stage Workflow 

(1) Control Scope Mapping

Suggested AI Workflow: Claude or ChatGPT with SoA and scope description

PROMPT APPROACH

Provide the organisation’s scope statement alongside the ISO 27001:2022 Annex A control set. Instruct the AI to identify:

  • controls applicable to the organisation’s scope

  • controls that may be excluded with justification

  • controls requiring heightened implementation focus

For each applicable control, request:

  • control reference

  • control name

  • applicability rationale

  • scope-specific implementation considerations

Present the output as a structured control applicability table.

OUTPUT

A scoped applicability matrix that forms the foundation of the ISO 27001 gap assessment.

All inclusions and exclusions should be reviewed by a qualified analyst to validate scope accuracy and implementation relevance.


(2) Documentation Review & Requirement Gap Analysis

Suggested AI Workflow: Claude or ChatGPT with current ISMS documentation

PROMPT APPROACH

Provide existing ISMS policies, procedures, standards, and evidence documents alongside ISO 27001:2022 clause requirements and Annex A controls. Instruct the AI to:

  • identify missing or incomplete documentation

  • detect weak or non-aligned controls

  • highlight outdated governance elements

  • map evidence against ISO requirements

Request findings in a structured gap register with severity indicators and remediation priorities.

OUTPUT

A documentation gap assessment showing missing controls, weak evidence areas, and policy deficiencies requiring remediation before certification readiness activities begin.

(3) Risk Identification & Threat Analysis

Suggested AI Workflow: Claude, ChatGPT, or Gemini with risk scenarios and asset inventory

PROMPT APPROACH

Provide asset inventories, business context, technologies, third-party dependencies, and operational workflows. Instruct the AI to:

  • identify likely threat scenarios

  • map vulnerabilities to business risks

  • estimate potential business impact

  • recommend treatment considerations

Require outputs aligned to ISO 27005-style risk assessment methodology.

OUTPUT

An initial risk register containing identified threats, business impacts, vulnerability relationships, and recommended treatment directions for analyst review.

(4) Risk Treatment Plan Development

Suggested AI Workflow: ChatGPT or Claude with risk register and control objectives

PROMPT APPROACH

Provide identified risks alongside business priorities, regulatory obligations, and security objectives. Instruct the AI to:

  • recommend proportional treatment strategies

  • map treatments to Annex A controls

  • suggest implementation priorities

  • identify compensating controls where appropriate

Request outputs in a structured treatment planning format.

OUTPUT

A prioritised risk treatment roadmap aligned to organisational objectives, implementation feasibility, and ISO 27001 control expectations.

(5) Statement of Applicability (SoA) Generation

Suggested AI Workflow: Claude or ChatGPT with approved risk treatment decisions

PROMPT APPROACH

Provide the approved risk treatment plan together with ISO 27001 Annex A controls. Instruct the AI to generate a draft Statement of Applicability including:

  • control applicability decisions

  • implementation status

  • justification for exclusions

  • references to supporting policies and controls

Ensure outputs align to ISO 27001:2022 SoA expectations.

OUTPUT

A structured draft Statement of Applicability that can be refined by compliance specialists and validated during internal audit preparation.

(6) Audit Readiness & Evidence Preparation

Suggested AI Workflow: Claude, ChatGPT, or Gemini with ISMS documentation and evidence repository

PROMPT APPROACH

Provide policies, procedures, logs, records, training evidence, monitoring outputs, and internal audit artefacts. Instruct the AI to:

  • identify missing audit evidence

  • map documentation to certification requirements

  • highlight inconsistent control implementation

  • recommend remediation priorities before audit

Request outputs categorised by audit risk level and control domain.

OUTPUT

A certification readiness overview identifying unresolved gaps, evidence weaknesses, and priority remediation activities before the formal ISO 27001 certification audit.


The Rules That Protect Report Integrity 

ISO 27001 gap assessment reports are professional documents that inform certification decisions, regulatory submissions, and board investment decisions. The integrity rules are non-negotiable. 

  • Every gap finding must trace to specific evidence or a specific interview noting absence of evidence. AI-generated findings that are not traceable to evidence are not findings. They are hypotheses. 

  • Never use AI to assess whether a control is implemented or not. The implementation status assessment requires the analyst to review actual evidence, not to have the AI infer status from descriptions. 

  • Risk prioritisation ratings require analyst validation against the specific organisation's risk appetite and regulatory context. The AI's prioritisation is a structured starting point, not a risk assessment. 

  • The remediation roadmap requires feasibility review by someone who knows the organisation's actual capacity, budget, and constraints. AI-generated timelines are generic. 

  • Do not paste client confidential information into public AI tools. Use enterprise-approved tools with appropriate data handling for sensitive client engagements. 

The ISO 27001 gap assessment report that reaches a certification body or a client board carries the analyst's professional signature. Every AI-generated element in that report must be validated against the actual evidence before the signature goes on it. 
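The first four rules can be enforced mechanically on the AI's draft gap register before anyone reads it: a finding with no evidence reference and no interview reference is demoted to a hypothesis, an implementation status is kept only where an analyst has marked it validated, and the priority is derived from the analyst's own likelihood and impact ratings rather than from whatever ranking the model proposed. The script below is an added example, not code from the article or from Xcademia; it assumes the AI tool returned the register as JSON with the field names shown, and the priority matrix and the four sample findings are constructed for illustration.

```python
"""Apply the report-integrity rules to an AI-drafted ISO 27001 gap register.

Added example, not part of the original article. The JSON field names, the
priority matrix and the sample findings are constructed assumptions.
"""
import json

# Analyst-defined prioritisation criteria (constructed): (likelihood, impact) -> priority.
# These criteria exist before the AI is asked to prioritise anything.
PRIORITY_MATRIX = {
    ("high", "high"): "P1", ("high", "medium"): "P1", ("medium", "high"): "P1",
    ("high", "low"): "P2", ("medium", "medium"): "P2", ("low", "high"): "P2",
    ("medium", "low"): "P3", ("low", "medium"): "P3", ("low", "low"): "P3",
}

IMPLEMENTATION_STATES = {"implemented", "partially implemented", "not implemented"}


def triage_finding(finding):
    """Apply the integrity rules to one AI-drafted finding and return a cleaned record.

    kind: 'finding' if it traces to evidence or to an interview noting absence of
          evidence, otherwise 'hypothesis'.
    implementation_status: kept only when an analyst validated it from actual evidence.
    priority: computed from analyst-supplied ratings; None when no rating exists.
    """
    evidence = finding.get("evidence_refs") or []
    interview = finding.get("interview_ref")
    traceable = bool(evidence) or bool(interview)
    out = {
        "control_ref": finding.get("control_ref"),
        "summary": finding.get("summary", ""),
        "kind": "finding" if traceable else "hypothesis",
        "implementation_status": "not assessed",
        "priority": None,
    }
    # Rule: implementation status is an analyst determination, never an AI inference.
    status = str(finding.get("implementation_status", "")).lower()
    if finding.get("analyst_validated") and status in IMPLEMENTATION_STATES:
        out["implementation_status"] = status
    # Rule: prioritisation uses the analyst's criteria; any 'ai_priority' field is ignored.
    rating = finding.get("analyst_rating") or {}
    key = (str(rating.get("likelihood", "")).lower(), str(rating.get("impact", "")).lower())
    out["priority"] = PRIORITY_MATRIX.get(key)
    return out


def triage_register(draft_json):
    """Parse the AI draft and split it into traceable findings and hypotheses.

    Findings are ordered P1 first and unprioritised last, which is the order an
    analyst would work through them when building the remediation roadmap.
    """
    results = [triage_finding(f) for f in json.loads(draft_json)]
    findings = [r for r in results if r["kind"] == "finding"]
    hypotheses = [r for r in results if r["kind"] == "hypothesis"]
    findings.sort(key=lambda r: (r["priority"] is None, r["priority"] or ""))
    return {"findings": findings, "hypotheses": hypotheses}


# Constructed sample draft as an AI tool might return it (evidence ids are placeholders).
SAMPLE_REGISTER = json.dumps([
    {"control_ref": "A.8.15", "summary": "Log retention shorter than policy requires",
     "evidence_refs": ["EV-017"], "implementation_status": "partially implemented",
     "analyst_validated": True, "analyst_rating": {"likelihood": "high", "impact": "medium"},
     "ai_priority": "Medium"},
    {"control_ref": "A.5.9", "summary": "No maintained asset inventory",
     "evidence_refs": [], "interview_ref": "INT-03",
     "implementation_status": "not implemented", "analyst_validated": True,
     "analyst_rating": {"likelihood": "medium", "impact": "medium"}, "ai_priority": "Critical"},
    {"control_ref": "A.6.3", "summary": "Awareness training appears to be in place",
     "evidence_refs": [], "implementation_status": "implemented",
     "analyst_validated": False, "ai_priority": "Low"},
    {"control_ref": "A.8.24", "summary": "Key management procedure exists",
     "evidence_refs": ["EV-042"], "implementation_status": "implemented",
     "analyst_validated": False, "ai_priority": "Low"},
])

if __name__ == "__main__":
    result = triage_register(SAMPLE_REGISTER)
    for f in result["findings"]:
        print(f"{f['priority'] or '--'} {f['control_ref']} [{f['implementation_status']}] {f['summary']}")
    for h in result["hypotheses"]:
        print(f"HYPOTHESIS {h['control_ref']}: {h['summary']} (no evidence or interview reference)")
```

Two of the sample rows show why the rules matter. The A.6.3 row is exactly the kind of text a model produces from a policy description: it reads like a finding but cites nothing, so it comes out as a hypothesis with status "not assessed". The A.8.24 row does cite evidence, but the "implemented" status was inferred by the model and not validated, so the status is reset until an analyst has looked at EV-042. Note also that the model's own `ai_priority` values (it rated the inventory gap "Critical") never influence the output.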

Build ISO 27001 Implementation Capability 

Xcademia delivers ISO 27001 Lead Implementer and Lead Auditor preparation alongside our XCISM and XCRISC practitioner programmes. Instructor-led. Practitioner-taught. The combination of ISO 27001 technical knowledge and applied GRC programme capability that compliance professionals need in 2026. 
