Check ISO27001 Gap Report — Compliance Automation
Compliance teams monitor regulations across multiple jurisdictions. Manual checking creates gaps and increases regulatory risk.
Common Pain Points
- Regulatory fines can reach millions per violation
- Manual monitoring misses policy changes
- Audit preparation takes weeks
- Inconsistent controls across business units
What This Template Does
AI-powered extraction using gemini-2.5-flash. Part of 113 production-ready templates.
Capabilities
- Regulatory Check
- Risk Scoring
- Audit Trail
- Audit
- Risk
Output Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "ISO 27001 Gap Analysis Report",
"description": "Schema for ISO 27001:2022 gap analysis results identifying missing and implemented controls",
"type": "object",
"required": [
"organization",
"assessment_date",
"iso_standard_version",
"compliance_score",
"risk_level"
],
"properties": {
"organization": {
"type": "string",
"description": "Legal name of the assessed organization"
},
...
Quick Start
See It In Action
Real extraction example showing input document and structured output.
ISO 27001:2022 GAP ANALYSIS REPORT
====================================
Organization: Meridian Financial Technologies Ltd
Assessment Date: 2024-04-15
Assessor: Sarah Chen, CISM, ISO 27001 Lead Auditor
Assessor Organization: SecureAudit Partners LLP
Report Reference: GAP-2024-MFT-001

SCOPE OF ASSESSMENT
-------------------
The assessment covers the Information Security Management System (ISMS) for Meridian Financial Technologies Ltd's core banking platform operations, including data centers in
{
"organization": "Meridian Financial Technologies Ltd",
"assessment_date": "2024-04-15",
"iso_standard_version": "ISO 27001:2022",
"assessor_name": "Sarah Chen, CISM, ISO 27001 Lead Auditor",
"assessor_organization": "SecureAudit Partners LLP",
"scope": "Information Security Management System (ISMS) for core banking platform operations, including data centers in London and Frankfurt, and all supporting IT infrastructure and personnel",
"controls_total": 93,
"controls_implemented": 65,
"controls_partially_implemented": 8,
"controls_not_implemented": 20,
"controls_not_applicable": 0,
"compliance_score": 0.78,
"category_scores": {
"organizational": 0.81,
"people": 0.88,
"physical": 0.89,
"technological": 0.62
},
"missing_controls": [
{
"control_id": "A.5.7",
"control_name": "Threat intelligence",
"category": "Organizational",
"priority": "HIGH",
"evidence_required": [
"Threat intelligence feeds",
"Analysis procedures",
"Integration with security operations"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.5.23",
"control_name": "Information security for use of cloud services",
"category": "Organizational",
"priority": "HIGH",
"evidence_required": [
"Cloud security policy",
"Vendor assessments",
"Shared responsibility matrix"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.5.30",
"control_name": "ICT readiness for business continuity",
"category": "Organizational",
"priority": "MEDIUM",
"evidence_required": [
"Business continuity plan",
"ICT recovery procedures",
"Test results"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.5.35",
"control_name": "Independent review of information security",
"category": "Organizational",
"priority": "MEDIUM",
"evidence_required": [
"Independent audit reports",
"Review schedule"
],
"remediation_effort": "LOW"
},
{
"control_id": "A.5.36",
"control_name": "Compliance with policies, rules and standards",
"category": "Organizational",
"priority": "LOW",
"evidence_required": [
"Compliance review records",
"Exception management process"
],
"remediation_effort": "LOW"
},
{
"control_id": "A.6.3",
"control_name": "Information security awareness, education and training",
"category": "People",
"priority": "MEDIUM",
"evidence_required": [
"Training program",
"Attendance records",
"Awareness materials"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.7.4",
"control_name": "Physical security monitoring",
"category": "Physical",
"priority": "MEDIUM",
"evidence_required": [
"CCTV coverage",
"Monitoring procedures",
"Incident response"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.8.8",
"control_name": "Management of technical vulnerabilities",
"category": "Technological",
"priority": "CRITICAL",
"evidence_required": [
"Vulnerability management procedure",
"Scanning reports",
"Patch management records"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.9",
"control_name": "Configuration management",
"category": "Technological",
"priority": "HIGH",
"evidence_required": [
"Configuration standards",
"Baseline documentation",
"Change records"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.11",
"control_name": "Data masking",
"category": "Technological",
"priority": "MEDIUM",
"evidence_required": [
"Data masking procedures",
"Implementation evidence"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.8.12",
"control_name": "Data leakage prevention",
"category": "Technological",
"priority": "HIGH",
"evidence_required": [
"DLP policy",
"Tool deployment",
"Monitoring reports"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.15",
"control_name": "Logging",
"category": "Technological",
"priority": "MEDIUM",
"evidence_required": [
"Logging policy",
"Log retention",
"Log review procedures"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.8.16",
"control_name": "Monitoring activities",
"category": "Technological",
"priority": "CRITICAL",
"evidence_required": [
"SIEM implementation",
"Monitoring procedures",
"Alert rules"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.20",
"control_name": "Networks security",
"category": "Technological",
"priority": "MEDIUM",
"evidence_required": [
"Network security policy",
"Firewall rules",
"Network diagrams"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.8.21",
"control_name": "Security of network services",
"category": "Technological",
"priority": "MEDIUM",
"evidence_required": [
"Service agreements",
"Security requirements",
"Monitoring"
],
"remediation_effort": "LOW"
},
{
"control_id": "A.8.22",
"control_name": "Segregation of networks",
"category": "Technological",
"priority": "HIGH",
"evidence_required": [
"Network segmentation design",
"VLAN documentation",
"Access controls"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.23",
"control_name": "Web filtering",
"category": "Technological",
"priority": "LOW",
"evidence_required": [
"Web filtering policy",
"Tool configuration",
"Exception process"
],
"remediation_effort": "LOW"
},
{
"control_id": "A.8.25",
"control_name": "Secure development life cycle",
"category": "Technological",
"priority": "HIGH",
"evidence_required": [
"SDLC procedures",
"Security gates",
"Code review process"
],
"remediation_effort": "HIGH"
},
{
"control_id": "A.8.28",
"control_name": "Secure coding",
"category": "Technological",
"priority": "MEDIUM",
"evidence_required": [
"Coding standards",
"Training records",
"Code review evidence"
],
"remediation_effort": "MEDIUM"
},
{
"control_id": "A.8.29",
"control_name": "Security testing in development and acceptance",
"category": "Technological",
"priority": "HIGH",
"evidence_required": [
"Testing procedures",
"Penetration test reports",
"Acceptance criteria"
],
"remediation_effort": "MEDIUM"
}
],
"implemented_controls": [
{
"control_id": "A.5.1",
"control_name": "Policies for information security",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.75,
"evidence_available": [
"Information security policy"
],
"last_reviewed": "2024-03-01"
},
{
"control_id": "A.5.2",
"control_name": "Information security roles and responsibilities",
"status": "IMPLEMENTED",
"implementation_percentage": 1,
"evidence_available": [
"RACI matrix",
"Job descriptions",
"Organization chart"
],
"last_reviewed": "2024-03-01"
},
{
"control_id": "A.5.4",
"control_name": "Management responsibilities",
"status": "IMPLEMENTED",
"implementation_percentage": 1,
"evidence_available": [
"Information security policy",
"Management commitment statement"
],
"last_reviewed": "2024-02-15"
},
{
"control_id": "A.5.10",
"control_name": "Acceptable use of information",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.6,
"evidence_available": [
"Acceptable use policy"
],
"last_reviewed": null
},
{
"control_id": "A.5.15",
"control_name": "Access control",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.8,
"evidence_available": [
"Access control policy"
],
"last_reviewed": null
},
{
"control_id": "A.5.18",
"control_name": "Access rights",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.7,
"evidence_available": [
"Access management procedures"
],
"last_reviewed": null
},
{
"control_id": "A.6.1",
"control_name": "Screening",
"status": "IMPLEMENTED",
"implementation_percentage": 1,
"evidence_available": [
"Background check procedures",
"Pre-employment verification records"
],
"last_reviewed": "2024-01-20"
},
{
"control_id": "A.7.1",
"control_name": "Physical security perimeters",
"status": "IMPLEMENTED",
"implementation_percentage": 1,
"evidence_available": [
"Building access controls",
"Security zones documentation"
],
"last_reviewed": "2024-03-10"
},
{
"control_id": "A.7.9",
"control_name": "Security of assets off-premises",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.5,
"evidence_available": [
"Asset management policy"
],
"last_reviewed": null
},
{
"control_id": "A.8.1",
"control_name": "User endpoint devices",
"status": "IMPLEMENTED",
"implementation_percentage": 1,
"evidence_available": [
"MDM policy",
"Endpoint protection deployment records"
],
"last_reviewed": "2024-04-01"
},
{
"control_id": "A.8.2",
"control_name": "Privileged access rights",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.65,
"evidence_available": [
"PAM solution deployment records"
],
"last_reviewed": null
},
{
"control_id": "A.8.5",
"control_name": "Secure authentication",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.85,
"evidence_available": [
"Authentication policy",
"MFA deployment records"
],
"last_reviewed": null
},
{
"control_id": "A.8.24",
"control_name": "Use of cryptography",
"status": "PARTIALLY_IMPLEMENTED",
"implementation_percentage": 0.7,
"evidence_available": [
"Cryptography policy",
"Encryption implementation records"
],
"last_reviewed": null
}
],
"critical_gaps": [
{
"control_id": "A.8.8",
"control_name": "Management of technical vulnerabilities",
"risk_impact": "High exposure to known vulnerabilities; potential data breach",
"recommended_timeline": "30 days"
},
{
"control_id": "A.8.16",
"control_name": "Monitoring activities",
"risk_impact": "Unable to detect security incidents in real-time",
"recommended_timeline": "60 days"
},
{
"control_id": "A.5.7",
"control_name": "Threat intelligence",
"risk_impact": "Reactive security posture; unable to anticipate threats",
"recommended_timeline": "45 days"
}
],
"risk_level": "MEDIUM",
"certification_readiness": "SIGNIFICANT_GAPS",
"remediation_timeline": "4-6 months",
"next_review_date": "2024-08-15",
"recommendations": [
"Prioritize implementation of vulnerability management program (A.8.8)",
"Deploy SIEM solution and establish 24/7 monitoring capability (A.8.16)",
"Subscribe to threat intelligence feeds and integrate with SOC (A.5.7)",
"Implement network segmentation for critical systems (A.8.22)",
"Establish secure SDLC practices for in-house development (A.8.25, A.8.28, A.8.29)",
"Complete deployment of privileged access management solution (A.8.2)",
"Formalize and test business continuity plans (A.5.30)"
],
"document_type": "iso_gap_analysis"
}
Financial technology firm with a 78% compliance score and 20 controls not implemented, two of them rated CRITICAL (A.8.8 vulnerability management, A.8.16 monitoring). The example shows a full gap analysis for an organization at medium risk that needs 4-6 months of remediation before it is ready for certification.
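The schema above fixes field names and types, but not the invariants that make a gap report trustworthy: the four status counts must add up to controls_total, every control_id must exist in ISO 27001:2022 Annex A and sit in the theme the category field claims, critical_gaps must be a subset of missing_controls, and the review date must follow the assessment date. An LLM extractor can break every one of these while still emitting JSON that validates against the schema; a common case is a 2013-edition id such as A.12.6.1 appearing in a report that says it covers the 2022 edition. The checker below is an added example, not part of the template or its product; the Annex A table, the function names and the reduced sample report are constructed for it.

```python
"""Cross-field consistency checks for an extracted ISO 27001 gap report.

Added example, not part of the template. JSON Schema can enforce types, but
not the arithmetic and referential invariants checked here, which are exactly
where LLM extraction output tends to be plausible but wrong.
"""
import copy
import re
from datetime import date

# Annex A of ISO 27001:2022: four themes, 93 controls in total.
# Table constructed for this example; the ranges are those of the 2022 edition.
ANNEX_A_2022 = {
    5: ("organizational", 37),  # A.5.1 .. A.5.37
    6: ("people", 8),           # A.6.1 .. A.6.8
    7: ("physical", 14),        # A.7.1 .. A.7.14
    8: ("technological", 34),   # A.8.1 .. A.8.34
}
CONTROL_ID = re.compile(r"^A\.(\d+)\.(\d+)$")
REQUIRED = ("organization", "assessment_date", "iso_standard_version",
            "compliance_score", "risk_level")


def control_theme(control_id):
    """Theme name for a 2022-style control id, or None if the id does not exist
    in the 2022 edition (e.g. a three-level 2013 id such as A.12.6.1)."""
    m = CONTROL_ID.match(control_id)
    if not m or int(m.group(1)) not in ANNEX_A_2022:
        return None
    name, count = ANNEX_A_2022[int(m.group(1))]
    return name if 1 <= int(m.group(2)) <= count else None


def check_report(report):
    """Return a list of findings; an empty list means the report is consistent."""
    findings = []
    for key in REQUIRED:
        if key not in report:
            findings.append(f"missing required field: {key}")

    # Status counts must partition controls_total, and the 2022 edition has 93.
    total = report.get("controls_total")
    parts = sum(report.get(k, 0) for k in (
        "controls_implemented", "controls_partially_implemented",
        "controls_not_implemented", "controls_not_applicable"))
    if total is not None and parts != total:
        findings.append(f"status counts sum to {parts}, controls_total is {total}")
    if report.get("iso_standard_version") == "ISO 27001:2022" and total not in (None, 93):
        findings.append(f"ISO 27001:2022 Annex A has 93 controls, report says {total}")

    score = report.get("compliance_score")
    if score is not None and not 0 <= score <= 1:
        findings.append(f"compliance_score {score} outside [0, 1]")

    missing = report.get("missing_controls", [])
    if "controls_not_implemented" in report and len(missing) != report["controls_not_implemented"]:
        findings.append(f"{len(missing)} missing_controls entries, "
                        f"controls_not_implemented is {report['controls_not_implemented']}")

    # Every control id must exist in the 2022 edition and sit in the stated theme.
    missing_ids = set()
    for entry in missing:
        cid = entry.get("control_id", "")
        theme = control_theme(cid)
        if theme is None:
            findings.append(f"{cid!r} is not an ISO 27001:2022 Annex A control id")
        elif entry.get("category", "").lower() != theme:
            findings.append(f"{cid} is a {theme} control, report says {entry.get('category')!r}")
        missing_ids.add(cid)

    for entry in report.get("implemented_controls", []):
        cid = entry.get("control_id", "")
        if control_theme(cid) is None:
            findings.append(f"{cid!r} is not an ISO 27001:2022 Annex A control id")
        if cid in missing_ids:
            findings.append(f"{cid} is listed as both missing and implemented")
        pct, status = entry.get("implementation_percentage"), entry.get("status")
        if status == "IMPLEMENTED" and pct != 1:
            findings.append(f"{cid} marked IMPLEMENTED with implementation_percentage {pct}")
        if status == "PARTIALLY_IMPLEMENTED" and not (pct is not None and 0 < pct < 1):
            findings.append(f"{cid} marked PARTIALLY_IMPLEMENTED with implementation_percentage {pct}")

    # critical_gaps must reference missing controls, and every CRITICAL one must be there.
    critical_ids = {e.get("control_id") for e in report.get("critical_gaps", [])}
    for cid in sorted(critical_ids - missing_ids):
        findings.append(f"critical gap {cid} is not in missing_controls")
    for entry in missing:
        if entry.get("priority") == "CRITICAL" and entry.get("control_id") not in critical_ids:
            findings.append(f"CRITICAL-priority {entry['control_id']} absent from critical_gaps")

    # Dates must be ISO 8601 and the next review must follow the assessment.
    parsed = {}
    for key in ("assessment_date", "next_review_date"):
        if key in report:
            try:
                parsed[key] = date.fromisoformat(report[key])
            except (TypeError, ValueError):
                findings.append(f"{key} is not an ISO 8601 date: {report[key]!r}")
    if len(parsed) == 2 and parsed["next_review_date"] <= parsed["assessment_date"]:
        findings.append("next_review_date is not after assessment_date")
    return findings


# Constructed sample: a reduced, self-consistent version of the report above.
SAMPLE = {
    "organization": "Meridian Financial Technologies Ltd",
    "assessment_date": "2024-04-15", "next_review_date": "2024-08-15",
    "iso_standard_version": "ISO 27001:2022", "risk_level": "MEDIUM",
    "controls_total": 93, "controls_implemented": 90,
    "controls_partially_implemented": 1, "controls_not_implemented": 2,
    "controls_not_applicable": 0, "compliance_score": 0.97,
    "missing_controls": [
        {"control_id": "A.8.8", "category": "Technological", "priority": "CRITICAL"},
        {"control_id": "A.5.7", "category": "Organizational", "priority": "HIGH"},
    ],
    "implemented_controls": [
        {"control_id": "A.5.1", "status": "PARTIALLY_IMPLEMENTED", "implementation_percentage": 0.75},
        {"control_id": "A.8.5", "status": "IMPLEMENTED", "implementation_percentage": 1},
    ],
    "critical_gaps": [{"control_id": "A.8.8"}],
}


def hallucinated_sample():
    """Constructed failure case: the extractor emits the 2013-edition id for
    technical vulnerability management and leaves controls_not_implemented stale."""
    bad = copy.deepcopy(SAMPLE)
    bad["missing_controls"].append(
        {"control_id": "A.12.6.1", "category": "Technological", "priority": "HIGH"})
    return bad


if __name__ == "__main__":
    print("clean sample:", check_report(SAMPLE) or "no findings")
    for finding in check_report(hallucinated_sample()):
        print("hallucinated sample:", finding)
```

Run it on the raw extractor output before anything downstream consumes it; an empty findings list is the gate, and any finding should send the document back for re-extraction or manual review rather than being silently corrected. The Annex A ranges are the one piece that needs maintenance if you extend this to the 2013 edition or to sector-specific control sets.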
Related Templates
AML Entity Lookup
AML Entity Lookup: Search OFAC/PEP lists and return match confidence.
KBA Check
KBA Check: Verify Knowledge-Based Authentication answers against public sources.
Privacy Notice Checker
Privacy Notice Checker: Ensure privacy notice includes required disclosures (data subject rights, contact).
Frequently Asked Questions
What documents can ISO27001 Gap Report process?
The ISO27001 Gap Report template processes gap-analysis and audit documents in a range of formats and layouts. See the template instructions for the specific document types supported.
How accurate is the ISO27001 Gap Report extraction?
The ISO27001 Gap Report template uses Gemini 2.5 Flash for high-accuracy extraction. Results include confidence scores for each field. As with any LLM-based extraction, validate the output (control ids, status counts, cross-references between sections) against the source document before it feeds audit records.
Can I customize the ISO27001 Gap Report template?
Yes, you can modify the extraction schema, add custom fields, or adjust the instructions to match your specific requirements.
Start Extracting Data Today
Process your first document in under 5 minutes. No credit card required.