Purpose
This gap analysis identifies the delta between Maelstrom AI’s current information security practices and full ISO 27001:2022 compliance, providing a roadmap to certification.
Status: Initial gap analysis completed January 2025; updated February 2026
Next Review: 2026-11-21 (track gap closure progress)
Target Certification: Will pursue when commercially justified
Executive Summary
Current State
ISMS Maturity: Developing (Level 2 of 5)
- Level 1. Ad-hoc security (no formal processes)
- Level 2. Documented processes, some implementation ← We are here
- Level 3. Fully implemented, measured
- Level 4. Managed and continuously improving
- Level 5. Optimised and industry-leading
Strengths:
- Zero knowledge architecture (inherent privacy protection)
- Strong secure development lifecycle (SLSA Level 3, automated scanning)
- Transparent documentation (public ISMS)
- Cloud-native infrastructure (Cloudflare security features)
Gaps:
- ISMS processes operational but not yet mature (first audit cycle completed Feb 2026)
- Sole operator (limited resources for some controls)
- Some planned activities not yet executed (first risk assessment, GitHub secret scanning, supplier review)
ISO 27001 Clauses: Compliance Status
Clause 4: Context of the Organisation
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 4.1: External/internal issues | ✅ Compliant | Context Analysis | None | Annual review |
| 4.2: Interested parties | ✅ Compliant | Documented in context analysis | None | Annual review |
| 4.3: ISMS scope | ✅ Compliant | ISMS Scope | None | Review if services change |
Overall: 100% compliant
Clause 5: Leadership
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 5.1: Leadership commitment | ✅ Compliant | ISMS Owner assigned, documentation complete, Management Review #1 conducted 15 Feb 2026 | None | Continue quarterly reviews |
| 5.2: Information security policy | ✅ Compliant | Information Security Policy | None | Annual review |
| 5.3: Roles & responsibilities | ✅ Compliant | Roles & Responsibilities | None | Update when roles change |
Overall: 100% compliant
Clause 6: Planning
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 6.1.2: Risk assessment | ⚠️ Partial | Risk Methodology defined | First formal assessment pending | Conduct risk assessment |
| 6.1.3: Risk treatment | ⚠️ Partial | Risk Register documented | Treatments documented but some not yet implemented | Implement planned treatments |
| 6.2: Info security objectives | ✅ Compliant | Objectives defined in policy | None | Track metrics quarterly |
| 6.3: Planning of changes | ✅ Compliant | Change Management | None | Continue following process |
Overall: 75% compliant
Gaps: Risk management processes defined but not yet mature (first cycle pending)
Clause 7: Support
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 7.1: Resources | ✅ Compliant | Staffing, tools allocated | None | Annual budget review |
| 7.2: Competence | ✅ Compliant | Competence record established (15 Feb 2026); CISSP, Security+, PenTest+, SecurityX held | None | Maintain certification currency |
| 7.3: Awareness | ✅ Compliant | Security awareness maintained through professional certifications (sole operator) | None | Annual review |
| 7.4: Communication | ✅ Compliant | Signal, email, meetings | None | Continue |
| 7.5: Documented information | ✅ Compliant | Full ISMS documentation | None | Maintain version control |
Overall: 100% compliant
Clause 8: Operation
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 8.1: Operational planning | ✅ Compliant | Procedures documented | None | Follow procedures |
| 8.2: Risk assessment | ⚠️ Partial | Process defined | First assessment pending | Conduct quarterly assessments |
| 8.3: Risk treatment | ⚠️ Partial | Treatments planned | Some treatments not yet implemented | See Annex A gaps below |
Overall: 65% compliant
Gaps: Operations planned but not yet fully executed (ISMS recently established)
Clause 9: Performance Evaluation
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 9.1: Monitoring & measurement | ⚠️ Partial | Metrics defined (incidents, vulnerabilities); some tracked via management review | Not yet collected systematically | Implement regular metrics reporting |
| 9.2: Internal audit | ✅ Compliant | Internal Audit #1 and #2 completed (Feb 2026) | None | Annual audit minimum |
| 9.3: Management review | ✅ Compliant | Management Review #1 conducted 15 Feb 2026 | None | Quarterly reviews scheduled |
Overall: 80% compliant
Gap: Metrics collection not yet systematic (monitoring and measurement partially implemented)
Clause 10: Improvement
| Requirement | Status | Evidence | Gap | Action Needed |
|---|---|---|---|---|
| 10.1: Continual improvement | ⚠️ Partial | Improvement mindset embedded; management review conducted | Formal tracking developing | Track improvements in quarterly management reviews |
| 10.2: Nonconformity & corrective action | ⚠️ Partial | Process defined; audit findings identified from Internal Audit #1-2 | Corrective actions being addressed | Continue addressing findings |
Overall: 65% compliant
Gaps: First improvement cycle underway; needs further demonstration over time
Annex A Controls: Gap Analysis
Summary (from Statement of Applicability):
- ✅ Implemented: ~80 controls (86%)
- 🔄 Partially Implemented: ~3 controls (3%)
- 📋 Planned: ~2 controls (2%)
- ❌ Not Applicable: ~8 controls (9%)
Note: Approximate figures; the exact breakdown is maintained in the Statement of Applicability, which is authoritative where it differs from the seven gaps listed below. ISO 27001:2022 Annex A contains 93 controls total.
Critical Gaps (Partially Implemented or Planned)
1. A.5.2: Information Security Roles and Responsibilities
- Status: 🔄 Partially Implemented
- Gap: Roles defined but not yet formalised with signed acknowledgments
- Priority: Medium
- Action: Implement role acknowledgment process
- Owner: Security Lead
2. A.5.23: Information Security for Use of Cloud Services
- Status: 🔄 Partially Implemented
- Gap: Cloudflare/GitHub contracts in place, but no formal supplier review process yet conducted
- Priority: Medium
- Action: Conduct first supplier review (Cloudflare, GitHub)
- Owner: Security Lead
3. A.8.8: Management of Technical Vulnerabilities
- Status: 🔄 Partially Implemented
- Gap: Automated scanning (Dependabot, cargo audit) in place; manual audit log cleanup not yet automated
- Priority: Low
- Action: Implement automated audit log cleanup (Cloudflare Worker cron job)
- Owner: Security Lead
4. A.8.12: Data Leakage Prevention
- Status: 📋 Planned
- Gap: No automated secret scanning in commits (currently relying on code review)
- Priority: Medium
- Action: Implement GitHub secret scanning (already available, needs configuration)
- Owner: Security Lead
5. A.8.16: Monitoring Activities
- Status: 🔄 Partially Implemented
- Gap: Cloudflare logs monitored ad-hoc; no systematic review process
- Priority: Medium
- Action: Implement weekly log review process
- Owner: Security Lead
6. A.5.25: Assessment and Decision on Information Security Events
- Status: 📋 Planned
- Gap: Incident response procedure defined but not yet tested (no real incidents or drills)
- Priority: High
- Action: Conduct tabletop incident response exercise
- Owner: Security Lead
7. A.5.7: Threat Intelligence
- Status: 📋 Planned
- Gap: Ad-hoc monitoring of security advisories; no systematic threat intelligence process
- Priority: Low
- Action: Implement weekly review of CERT/CISA advisories
- Owner: Security Lead
Roadmap to Certification
Q1 2025 (Jan-Mar), Foundation (PARTIALLY COMPLETED)
Focus: Establish ISMS documentation and execute ISMS processes for the first time
Deliverables:
- ✅ Complete ISMS documentation (Done: Jan 2025)
- ✅ Implement automated KV backups (Done: Jan 2025, provii-backup deployed)
- ❌ Conduct first risk assessment (deferred to Q1 2026)
- ❌ Deliver security awareness training to all staff (deferred to Q1 2026)
- ❌ Implement training record tracking (deferred to Q1 2026)
- ❌ Conduct first internal audit (deferred to Q1 2026)
- ❌ Implement GitHub secret scanning (deferred to Q1 2026)
- ❌ Conduct incident response tabletop exercise (deferred to Q1 2026)
Outcome: Documentation foundation established; operational execution deferred
Q2-Q4 2025, Operational Execution (NOT COMPLETED)
Note: The originally planned Q2-Q4 2025 milestones were not completed. These items have been consolidated into the revised 2026 roadmap below.
Q1 2026 (Jan-Mar), Foundation and Operational Maturity
Focus: Execute ISMS processes, close gaps from 2025
Deliverables:
- ✅ Conduct first internal audit (Internal Audit #1 and #2 completed Feb 2026)
- ✅ Conduct first management review (Management Review #1, 15 Feb 2026)
- ✅ Establish competence record and training tracking (7 evidence records created 15 Feb 2026)
- ✅ Establish quarterly review calendar (dates set Feb 2026)
- 📋 Conduct first risk assessment (with quarterly review cycle)
- 📋 Implement GitHub secret scanning
- 📋 Conduct incident response tabletop exercise
- 📋 Conduct first supplier review (Cloudflare, GitHub)
- 📋 Implement monthly metrics reporting
- 🔄 Address internal audit findings (corrective actions in progress)
Outcome: First audit cycle completed; risk assessment and the remaining operational controls outstanding
Q2 2026 (Apr-Jun), Continuous Improvement
Focus: Close remaining gaps, demonstrate improvement
Deliverables:
- Second quarterly risk assessment (first must complete in Q1)
- Implement automated audit log cleanup
- Formalise role acknowledgment process
- Implement weekly log review process
- Implement systematic threat intelligence monitoring
- Track security metrics consistently (incidents, vulnerabilities)
- Second management review (quarterly)
- Address all outstanding non-conformities
- Collect evidence per Evidence Checklist
Outcome: ISMS processes refined and measured
Future, Certification Audit (When Commercially Justified)
Focus: Achieve ISO 27001:2022 certification
Activities:
- Pre-audit readiness review (gap analysis update)
- Select certification body and schedule audit
- Stage 1 audit (documentation review)
- Address any Stage 1 findings
- Stage 2 audit (on-site/virtual, full ISMS assessment)
- Address any Stage 2 findings
- Receive certification (if successful)
Outcome: ISO 27001:2022 aligned (certification pursued when commercially justified)
Gap Closure Metrics
Baseline (Jan 2025):
- Clause compliance: ~65% (documentation complete, operations starting)
- Annex A implementation: 91% (85 of 93 controls implemented)
- Risk management maturity: 1 (process defined, not yet executed)
- Audit maturity: 0 (no audits conducted)
Current (Feb 2026):
- Clause compliance: ~88% (leadership, support, evaluation significantly improved)
- Annex A implementation: ~91% (no new controls implemented since baseline)
- Risk management maturity: 1 (process defined, first assessment still pending)
- Audit maturity: 2 (2 internal audits completed, management review conducted)
Target (before certification audit):
- Clause compliance: 100% (all operations mature)
- Annex A implementation: 95%+ (all planned controls implemented)
- Risk management maturity: 3 (quarterly assessments conducted, treatments effective)
- Audit maturity: 3+ (multiple audit cycles completed, findings addressed)
Tracking: Review this gap analysis quarterly, update status
Risk-Based Prioritisation
Completed
- Conduct first internal audit: ✅ Internal Audit #1 and #2 completed (Feb 2026)
- Conduct management review: ✅ Management Review #1 conducted (15 Feb 2026)
- Deliver security training: ✅ Maintained via professional certifications (CISSP, Security+, PenTest+, SecurityX)
High Priority (Must fix before certification)
- Conduct first risk assessment: ISO 27001 requires risk management
- Test incident response: verify capability before a real incident
- Implement quarterly risk assessments: demonstrate ongoing risk management
Medium Priority (Improves compliance posture)
- Implement GitHub secret scanning: prevent credential leaks
- Conduct supplier review (Cloudflare, GitHub): verify supplier security posture
- Implement weekly log review: improve threat detection
- Formalise role acknowledgments: documented accountability
Low Priority (Nice-to-have)
- Automate audit log cleanup: operational efficiency
- Systematic threat intelligence: proactive threat awareness
Resource Requirements
Staffing
Q1-Q2 2026 (ISMS execution and certification preparation):
- Security Lead: 60% time (ISMS execution, audits, certification preparation)
- ISMS Owner: 25% time (oversight, approvals, management review, certification audit participation)
- Developer: 10% time (implement controls, automation)
Certification audit (when pursued):
- Security Lead: 80% time (certification audit support)
- ISMS Owner: 30% time (certification audit participation)
- External auditor fees: Budget $10,000-$20,000 AUD (estimate for small organisation)
Budget
Annual (ISMS operations):
- Internal labour: As above (existing staff)
- Tools: $0 (GitHub, Cloudflare, password manager already in use)
- Training: Maintained via professional certifications
Certification (when pursued):
- Certification audit: $10,000-$20,000 AUD
- Audit preparation consulting (optional): $5,000-$10,000 AUD
Success Criteria
ISMS is ready for certification when:
✅ All ISO 27001 clauses implemented:
- Context, leadership, planning, support, operation, evaluation, improvement
✅ 95%+ Annex A controls implemented:
- Remaining N/A controls justified
- Planned controls completed
✅ Operational maturity demonstrated:
- 2+ internal audits completed
- All non-conformities addressed
- Quarterly risk assessments conducted
- Management review completed
✅ Evidence collected:
- Per Evidence Checklist
- Organised and accessible
✅ Team ready:
- All staff trained
- Policies acknowledged
- Interview preparation complete
Related Documents
- Statement of Applicability - Detailed control status
- Internal Audit Program - Audit schedule and checklist
- Evidence Collection Checklist - What to prepare for audit
- Management Review - Quarterly review process
Document Information
- Version. 2.0
- Gap Analysis Date. 2025-01-13 (initial), 2026-05-21 (updated)
- Owner. ISMS Owner
- Review Frequency. Quarterly (track progress)
- Next Review. 2026-11-21
- Classification. Public