ISO 9001 Gap Analysis

Accidents can be caused by a lack of quality management in manufacturing

The creation of QMS documents takes a lot of time. Important aspects can be overlooked. As complexity increases, ISO9001 documentation becomes increasingly massive in quantity and variety. It helps to carry out an ISO9001 gap analysis. This is used to identify inconsistencies in the quality management system. The aim is to identify the documentary issues so that these gaps can be corrected faster and in a focused manner. Without a gap analysis, you may run the risk of failing in the certification audit. For very simple business models, the QMS should not be overly complex, so a gap analysis is not absolutely necessary. However, anyone who has created their QMS independently without a consultant should not risk submitting the documentation to a certification body without a gap analysis.

What is a Gap Analysis?

A gap analysis is often incorrectly referred to as an “internal audit”. During this analysis, the security level is analyzed based on the documentation. The requirements of the respective standard are taken into account (e.g. ISO9001, ISO27001:2022, TISAX, ISO14001). All documents, including company records, are examined on the basis of the standard-specific catalog of requirements. The identified gaps must then be remedied before the certification audit. Contrary to some claims, a gap analysis is not a measure required by the standard. Therefore, you can apply for and successfully carry out an audit by the certification body even without a gap analysis. Nevertheless, these gap analyses will make you better prepared for the audit date. The fewer gaps an auditor identifies, the faster you can resolve the outstanding issues and get your certificate. If there are too many obvious gaps, the certification body can reject an audit during the preliminary inspection.

The auditors refer to weaknesses in the documentation as non-conformities. A distinction is made between small deviations (minor non-conformity) and large deviations (major non-conformity). Small deviations do not pose a risk of failing the audit. But if too many such small deviations accumulate, they can develop into a large deviation. Large deviations prevent the certification authority from issuing a certificate. Only when the organization has addressed all of its major problem areas and demonstrated compliance can the certification body issue the ISO9001 certificate.

In addition, the gap analysis of a QMS provides a number of suggestions and opportunities for improvement. It identifies areas in which improvements can make the QMS easier to implement in everyday operations.


What can a Gap Analysis detect?

In addition to inconsistencies, a gap analysis also identifies problems in the available resources and operational evidence.

The gap analysis has a similar effect to the interim report at school, because it tells you the level of maturity achieved by the organizational, technical and personnel measures. Some companies believe that you can buy an ISO 9001 document template from the Internet for £200 and then successfully survive a certification audit. Reality quickly catches up with these companies: experienced auditors quickly recognize a run-of-the-mill template without reference to the business model. In such a case, the audit fails right at the beginning of stage 1.

As already mentioned, gap analysis supports compliance with ISO9001 requirements.


Here are a few examples of what this investigation can identify:


  • Failure to implement required quality control measures
  • Lack of relevance of security measures to the company
  • Need for improvement in the formulation of quality control measures
  • Missing or incomplete employee training
  • Incomplete training plans and possibly unsuitable quality awareness training
  • Lack of management reviews or internal audits
  • Incomplete or missing emergency plans
  • Incomplete risk assessment to prevent and handle potential quality problems
  • Inconsistencies in applicability & scope

A gap analysis can identify quality control risks and request appropriate countermeasures. The results of the gap analysis represent a measurement of organizational quality. The organization’s goal should be to ensure a high level of quality in the company.


How do you improve your quality management system?

You have to go through your QMS systematically. The best thing to do is to print everything out and read it step by step. Use 3 different markers (red, orange/yellow, green/blue) to mark text passages that may need to be improved, or that are good but could achieve considerable sustainability in operational practice through an addition. Of course, you also have to check for typos, grammar and sentence structure, just like you would in school. You shouldn’t repeat this too often because you’ll quickly start to miss incorrect content. Here it helps to have a second person read through the text.

Checklist for ISO 27001 certification

To proceed systematically, use checklists for each area of documentation. It also helps to have the standard at hand. In the UK, BSI Knowledge is responsible for publishing the standard documentation for ISO9001. The English-language standard documentation costs around £126 (plus VAT) and can be purchased online from BSIK together with comments. This allows you to look up individual points. However, this document is not the only criterion for creating a QMS.

How can you find out more about ISO 9001 certification?

On this website you will find several videos that explain the process of an ISO 9001 project as well as the certification (audit, certification body). These give you a quick insight into what you should pay attention to. If you would like more information, you can refer to the English-language ISO 9001 book from our company founder, “Quality management based on ISO 9001 Strategies: A Leadership Introduction to Quality management”, which is also available on Amazon. The book explains briefly and concisely what you have to do to prepare your company for ISO 9001 certification and how to avoid resistance in your own organization.

Alternatively, you can take part in one of our lecture series, workshops or online courses. These events take place monthly or quarterly in English or German. The speakers are experienced lead auditors who work for various certification bodies in the UK, Germany, the USA, Turkey, the Netherlands and Poland. The workshops are aimed at board members, project managers, QMS implementers and internal auditors. The online courses, on the other hand, are available for aspiring implementation experts and as employee training. The ISO 9001 implementation courses are largely in English as people from several countries take part.