CTF Challenge #5: Find the ISO 27001 Gaps Before Your Auditor Does

Difficulty: Intermediate–Advanced | Reading time: 10 minutes | Product tie-in: ISO 27001 SMB Starter Pack ($147)


TL;DR

  • ISO 27001 certification is increasingly a commercial prerequisite for technology vendors, financial services suppliers, and anyone handling sensitive data
  • This challenge presents a real company's security documentation and asks you to identify the ISO 27001 non-conformities before the external auditor does
  • Finding these gaps yourself is far cheaper than finding them during a Stage 2 audit
  • The lil.business ISO 27001 SMB Starter Pack gives you the gap assessment templates to do this systematically

Why SMBs Are Pursuing ISO 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). Certification tells clients, partners, and regulators that your security controls are independently verified.

According to the ISO Survey 2024, Australian ISO 27001 certifications grew 24% year-on-year — driven by financial services, professional services, and cloud technology suppliers [1].

For many SMBs, the trigger is a procurement requirement: an enterprise client or government agency won't proceed without certification or evidence of ISMS compliance.

The challenge is that most SMBs approach certification by buying tools and writing policies — without first understanding what ISO 27001 actually requires. This challenge fixes that.


The Company: Apex CloudSync

Apex CloudSync is a 28-person SaaS startup building workflow automation tools for accountants. They store client data on AWS (Sydney region). Annual recurring revenue: $3.2M. They have committed to ISO 27001 certification within 12 months as a condition of a new enterprise client contract.

They have shared the following documentation package with you for pre-audit review.


The Evidence: 8 Documents, 8 Questions

Review each piece of evidence and identify whether it meets ISO 27001:2022 requirements.

Evidence 1: Risk Assessment Register

Apex has a spreadsheet labelled "Risk Register." It lists 12 risks with columns for "Risk Description," "Likelihood (1–5)," and "Impact (1–5)." The register was created 18 months ago. It has not been updated since. There is no column for risk treatment decisions or owners.

Is this ISO 27001 compliant?

A) Yes — a risk register with likelihood and impact scores meets the requirement
B) No — ISO 27001 Clause 6.1 requires risk assessment to be performed at planned intervals, and risk treatment decisions (accept/treat/transfer/avoid) with owners must be documented [2]
C) Partially — frequency of review is a recommendation, not a requirement
D) Yes — the 18-month age is fine because no material changes have occurred


Evidence 2: Information Security Policy

Apex has a two-paragraph "Security Policy" document in their internal wiki. It states: "Apex takes security seriously and all staff are expected to use strong passwords and keep information confidential." It is not dated, not signed by management, and not version-controlled.

Is this ISO 27001 compliant?

A) Yes — having any written security policy meets the requirement
B) No — ISO 27001 Clause 5.2 requires the policy to be approved by top management, communicated to staff, available to interested parties, reviewed at planned intervals, and aligned to the organisation's context [2]
C) Partially — the content is sufficient, only the approval and dating are missing
D) The policy meets the spirit of the requirement even without formal approval


Evidence 3: Asset Inventory

Apex's IT person maintains a spreadsheet of laptops and servers. Cloud infrastructure (AWS accounts, S3 buckets, RDS instances, IAM roles) is not included. SaaS tools used by staff (Slack, Notion, Figma, HubSpot) are not listed.

Is this ISO 27001 compliant?

A) Yes — hardware assets are the primary scope of an asset inventory
B) No — ISO 27001 Annex A Control 5.9 requires an inventory of information assets, which includes cloud infrastructure, data stores, and third-party SaaS applications that process organisational information [2]
C) Partially — hardware is the foundation; cloud and SaaS can be added later
D) SaaS tools are vendor-managed so they are excluded from the asset inventory


Evidence 4: Supplier Management

Apex has contracts with AWS, Stripe, Intercom, and five other vendors. The contracts include standard commercial terms but no specific security clauses. No vendor security assessments have been performed. No process exists for reviewing vendor security.

Is this ISO 27001 compliant?

A) Yes — AWS and Stripe have their own ISO 27001 certifications, so they don't need to be assessed
B) No — ISO 27001 Annex A Controls 5.19–5.22 require documented supplier security requirements, security screening proportionate to risk, contractual security obligations, and a supplier monitoring/review process [2]
C) Partially — the fact that major vendors are certified covers most of the requirement
D) Supplier management is only required for ML2 scope, not baseline ISMS certification


Evidence 5: Access Control

Apex uses AWS IAM. The audit log shows 6 former employees have active AWS console access. Three current staff have root account credentials. IAM roles are shared between team members for convenience.

Is this ISO 27001 compliant?

A) Yes — AWS IAM is a recognised access control system
B) No — ISO 27001 Annex A Control 5.18 requires access rights to be provisioned, modified, and revoked based on the "need to know" principle, and Control 8.2 requires use of privileged access rights to be restricted and controlled [2]
C) Partially — the issue is the former employees; current access practices are common in startups
D) Root account use is acceptable for small teams with no dedicated security staff
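One way to turn the Evidence 5 finding into a repeatable access review, as an added example that is not part of the original challenge or of the Starter Pack: it parses an IAM credential report in the CSV shape that `aws iam get-credential-report` returns and flags offboarded users who still hold console or key access, active root access keys, missing MFA, and console logins unused for a configurable period. The report rows, the offboarded-staff list and the review date are all constructed for the example.

```python
# Review IAM console/key access against HR's offboarding list.
# CSV shape mirrors `aws iam get-credential-report`; all sample data is constructed.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,not_supported,2024-05-01T09:12:00+00:00,false,true
alice,true,2024-06-10T08:00:00+00:00,true,false
bob,true,2023-11-02T17:45:00+00:00,false,true
carol,true,2024-06-11T10:30:00+00:00,true,false
dave,false,no_information,false,true
"""
OFFBOARDED = {"bob", "dave"}                         # constructed HR leaver list
NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)     # constructed review date

def parse_report(text):
    """One dict per IAM identity, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))

def parse_ts(value):
    """Timestamps are ISO 8601; placeholders such as no_information become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def find_access_gaps(rows, offboarded, now, stale_days=90):
    """Return (user, reason) pairs that an ISMS access review must act on."""
    findings = []
    for row in rows:
        user = row["user"]
        console = row["password_enabled"] == "true"
        key = row["access_key_1_active"] == "true"
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":            # root should be locked away, not used
            if key:
                findings.append((user, "root access key active"))
            if not mfa:
                findings.append((user, "root MFA disabled"))
            continue
        if user in offboarded and (console or key):
            findings.append((user, "offboarded user still has access"))
            continue
        last = parse_ts(row["password_last_used"])
        if console and last and now - last > timedelta(days=stale_days):
            findings.append((user, "console login unused for %d+ days" % stale_days))
        if console and not mfa:
            findings.append((user, "console login without MFA"))
    return findings
```

Running this on a freshly downloaded report each month, and keeping the output, is exactly the kind of operating evidence an auditor asks for under Controls 5.18 and 8.2.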


Evidence 6: Cryptography Policy

Apex's developer documentation states "use HTTPS everywhere." No formal cryptography policy exists. The team uses a mix of encryption methods across different services. No policy governs key management.

Is this ISO 27001 compliant?

A) Yes — "HTTPS everywhere" addresses the primary cryptography risk
B) No — ISO 27001 Annex A Control 8.24 requires a defined cryptography policy covering the use of cryptographic controls and key management lifecycle [2]
C) Partially — HTTPS covers transport encryption; at-rest encryption policy can follow
D) Cryptography policy requirements only apply to businesses handling payment card data


Evidence 7: Business Continuity and Availability

Apex has AWS automated backups configured for their RDS database. No documented recovery time objective (RTO) or recovery point objective (RPO) exists. No disaster recovery plan exists. The backups have never been tested.

Is this ISO 27001 compliant?

A) Yes — automated backups on a cloud platform meet availability requirements
B) No — ISO 27001 Annex A Control 5.30 requires ICT readiness planning including RTOs, RPOs, and tested recovery procedures [2]
C) Partially — automated backups are sufficient; RTOs are enterprise-level requirements
D) Cloud-managed backups are vendor responsibility and don't require separate documentation


Evidence 8: Internal Audit

Apex has never conducted an internal ISMS audit. They plan to have their external certification auditor perform the first audit.

Is this ISO 27001 compliant?

A) Yes — the external auditor performs both internal and external audit functions for SMBs
B) No — ISO 27001 Clause 9.2 requires internal audits to be conducted at planned intervals by the organisation, separate from and prior to external certification audits [2]
C) Partially — for a first certification, the external auditor can perform initial gap analysis
D) Internal audits are a requirement only after initial certification is obtained


The Answers

Every piece of evidence has a non-conformity. Before a Stage 2 certification audit, these would result in major findings:

  1. Risk Register — Non-conforming. No treatment decisions, no owners, not reviewed at planned intervals.
  2. Security Policy — Non-conforming. Not approved by management, not dated, not version-controlled.
  3. Asset Inventory — Non-conforming. Cloud infrastructure and SaaS tools missing.
  4. Supplier Management — Non-conforming. No security requirements in contracts, no vendor assessment process.
  5. Access Control — Non-conforming. Active former-employee access and root credential sharing are direct violations.
  6. Cryptography Policy — Non-conforming. "Use HTTPS" is not a cryptography policy.
  7. Business Continuity — Non-conforming. No RTOs/RPOs, no tested recovery procedures.
  8. Internal Audit — Non-conforming. ISO 27001 requires internal audits to be conducted by the organisation, not just the external auditor.

The Gap Assessment Is the Work

Most organisations fail their first ISO 27001 Stage 2 audit not because they lack security controls — but because they lack documented evidence that they operate those controls consistently. The standard is as much about evidence and process as it is about technology.

The lil.business ISO 27001 SMB Starter Pack gives you structured gap assessment templates covering all major Clauses and Annex A controls, with pre-built evidence checklist templates so you know exactly what an auditor will look for before they arrive.

$147 — Get the ISO 27001 SMB Starter Pack


FAQ

How long does ISO 27001 certification take?

For a 20–50 person business starting from scratch, ISO 27001 certification typically takes 9–18 months from initial gap assessment to certification. The largest time investment is building the evidence portfolio and operating controls consistently for a review period. Starting with a gap assessment compresses this timeline significantly.

Is ISO 27001 certification worth it for an SMB?

Yes — if your target customers include enterprise accounts, financial services, or government. ISO 27001 removes a major objection in the sales cycle, accelerates procurement approvals, and demonstrates security maturity. ROI is typically realised in the first or second enterprise contract it enables.

What changed in ISO 27001:2022?

The 2022 version restructured and reduced Annex A from 114 to 93 controls, added new controls for threat intelligence, cloud security, and data masking, and reorganised controls into four themes rather than 14 domains. Certifications issued under the 2013 standard must transition to 2022 by October 2025.

Can an SMB get certified without a dedicated security team?

Yes, many SMBs achieve ISO 27001 certification with a single internal champion and external support. The key is having the right templates and gap assessment methodology from the start — rather than discovering major gaps during the Stage 2 audit.


References

[1] ISO, "ISO Survey of Certifications 2024," ISO, 2025. [Online]. Available: https://www.iso.org/the-iso-survey.html

[2] ISO/IEC, "ISO/IEC 27001:2022 — Information Security Management Systems," ISO, 2022. [Online]. Available: https://www.iso.org/standard/27001

[3] ACSC, "Information Security Manual," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/ism

[4] BSI Group, "ISO 27001 Certification Guide," BSI, 2024. [Online]. Available: https://www.bsigroup.com/en-AU/iso-27001-information-security/


Find your gaps before the auditor does. The lil.business ISO 27001 SMB Starter Pack — $147, instant download.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation