# Gap assessment and readiness assessment costs

## Gap assessment vs readiness assessment vs internal audit

The three terms are often used interchangeably, but they are not the same exercise.

| Exercise | Purpose | Timing | Deliverable |
|---|---|---|---|
| Gap assessment | Identify the delta between current state and Annex A 2022 | Project month 1 | Control-by-control gap register |
| Readiness assessment | Confirm operational readiness for Stage 1 audit | Project month 7 to 8 | Audit-readiness sign-off + risk areas |
| Internal audit | Mandatory ISO 27001 clause 9.2 internal audit programme | Before Stage 2, ongoing thereafter | Internal audit report |

A common pattern: a consultant offers a combined "gap and readiness assessment" deliverable, charges it as a single line, and the team discovers in month 6 that the readiness piece was light. The two are different deliverables with different inputs, and should be named separately on the engagement letter.

## Gap assessment cost bands

| Approach | Typical cost band | Day count |
|---|---|---|
| External UK consultant, SME scope | £3,000 – £8,000 | 3 – 7 days |
| External UK consultant, mid-market scope | £7,000 – £15,000 | 7 – 14 days |
| GRC platform automated baseline | £0 – £2,500 | Platform-driven, plus 1 – 3 review days |
| In-house with experienced ISMS lead | Internal time only | Roughly 4 – 8 internal days |

The GRC platform automated baseline is materially cheaper but materially shallower. It maps current evidence to controls; it does not interpret the result, recommend a remediation order or assess policy quality. Most teams that lead with a platform baseline supplement it with a 2 to 3 day external review for £2,000 to £4,000.

## What a gap assessment delivers

A useful gap assessment produces four things, all dated and versioned: a control-by-control status table against Annex A 2022 (93 controls in the current edition), a policy gap list with recommended document set, an evidence gap list with recommended collection cadence, and a recommended remediation order with effort estimate per item.
The 93 Annex A 2022 controls split into four themes: Organisational (37), People (8), Physical (14) and Technological (34). The assessment should report status by theme and by clause. Reports that collapse to a single "75 percent ready" headline are not actionable.
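The difference between a single headline figure and a by-theme report is easy to see on a small gap register. The following is an added example, not code from the page: it builds a constructed register using the page's four theme sizes (37, 8, 14, 34), with placeholder control ids and invented statuses, and rolls it up both ways. The per-theme counts in `SAMPLE_IMPLEMENTED` and `SAMPLE_PARTIAL` are assumptions chosen so the headline reads "75 percent ready" while one theme sits far behind.

```python
"""Roll a constructed Annex A 2022 gap register up by theme (added example)."""
from collections import Counter

# Annex A 2022 control counts per theme, as stated on the page (37 + 8 + 14 + 34 = 93).
THEME_SIZES = {"Organisational": 37, "People": 8, "Physical": 14, "Technological": 34}
STATUSES = ("implemented", "partial", "missing")

# Constructed sample counts (assumptions, not real assessment data).
SAMPLE_IMPLEMENTED = {"Organisational": 35, "People": 8, "Physical": 13, "Technological": 14}
SAMPLE_PARTIAL = {"Organisational": 2, "People": 0, "Physical": 1, "Technological": 8}


def build_register(implemented, partial):
    """Return a list of {control, theme, status} rows.

    `implemented` and `partial` give per-theme counts; remaining controls are
    'missing'. Control ids are placeholders, not real Annex A numbering.
    """
    register = []
    for theme, size in THEME_SIZES.items():
        done, part = implemented[theme], partial[theme]
        if done + part > size:
            raise ValueError(f"{theme}: {done}+{part} exceeds {size} controls")
        for i in range(1, size + 1):
            if i <= done:
                status = "implemented"
            elif i <= done + part:
                status = "partial"
            else:
                status = "missing"
            register.append(
                {"control": f"{theme[:4].upper()}-{i:02d}", "theme": theme, "status": status}
            )
    return register


def headline_readiness(register):
    """The single-number view the page warns against: implemented / total, in percent."""
    done = sum(1 for row in register if row["status"] == "implemented")
    return round(100 * done / len(register))


def readiness_by_theme(register):
    """Per-theme status counts plus percent implemented, which is the actionable view."""
    report = {}
    for theme, size in THEME_SIZES.items():
        counts = Counter(row["status"] for row in register if row["theme"] == theme)
        entry = {status: counts.get(status, 0) for status in STATUSES}
        entry["percent_implemented"] = round(100 * entry["implemented"] / size)
        report[theme] = entry
    return report


def themes_below(register, threshold):
    """Themes whose percent implemented is under `threshold`; these go first in remediation order."""
    by_theme = readiness_by_theme(register)
    return sorted(t for t, e in by_theme.items() if e["percent_implemented"] < threshold)


if __name__ == "__main__":
    reg = build_register(SAMPLE_IMPLEMENTED, SAMPLE_PARTIAL)
    print(f"headline: {headline_readiness(reg)} percent ready")
    for theme, entry in readiness_by_theme(reg).items():
        print(f"{theme:14} {entry}")
    print("themes under 60 percent:", themes_below(reg, 60))
```

With the constructed counts the headline reads 75 percent, while the Technological theme is at 41 percent with 12 controls missing; that is the information a remediation order needs and a collapsed headline hides.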
## How findings flow into the remediation budget

Typical first-time gap-assessment findings split roughly as follows: 30 to 40 percent procedural, 30 percent technical, 20 to 30 percent documentation, and the balance training and awareness. The procedural and documentation lines tend to be lower-cost; the technical line is where the budget overrun usually appears.

| Category | Share of findings | Typical cost share |
|---|---|---|
| Procedural (documented process gaps) | 30 – 40% | 10 – 15% |
| Technical (control implementation gaps) | 30% | 55 – 65% |
| Documentation (policy and record gaps) | 20 – 30% | 10 – 15% |
| Training and awareness | 10% | 5 – 10% |

The technical findings carry the cost weight because they often require tooling, configuration time and validation. Privileged access, encryption at rest, log management and supplier security questionnaires regularly appear in the top five. Detail on the highest-impact remediation lines is on the remediation page.
## When to skip a formal gap assessment

For organisations with a current SOC 2 Type II report, a current ISO 9001 management system, or a recent third-party security audit, the formal gap assessment can be replaced with a focused control-set review that maps existing evidence onto Annex A. The saving runs at £3,000 – £6,000 versus a full SME gap assessment, and the residual exercise typically takes 2 to 4 days.
## Where to read next

For the cost lines that flow out of typical gap-assessment findings, see the remediation page. For the GRC platforms that offer automated gap-assessment baselines, see the tooling page. For the broader cost-driver context, see the cost drivers page.