ISO 27001:2022 Control Gap Checker
23 policy-related Annex A controls. 10 minutes. Instant coverage report with recommended packs for every gap.
Quick answer. An ISO 27001 gap analysis checks your current controls against the 93 Annex A controls of ISO 27001:2022 and identifies which are documented, partial or missing. This free tool covers the 23 policy-related Annex A controls (the documentation layer auditors test first) and produces an instant coverage report with recommended PolicySuite packs to close every gap — no sign-up, browser-only, ten minutes.
Control area breakdown
Quick answer. Your score is broken down across the three Annex A themes this tool covers — organisational (A.5), people (A.6) and technological (A.8). Green means 80% or better documented coverage in that area, amber means partial, red means significant gaps. Start remediation with the lowest-scoring area first.
Recommended policy packs to close your gaps
Quick answer. These recommendations are ranked by the control areas where you scored lowest. Each pack generates the written policies those Annex A controls expect, mapped to ISO/IEC 27001:2022 control by control, so the documents slot directly into a Statement of Applicability.
Ranked by the areas where you scored lowest. Pricing is live from our pricing engine.
📄 Get the full PDF report
Detailed gap analysis, mapped to ISO 27001:2022 Annex A controls, with a prioritised remediation checklist. Sent straight to your inbox.
Questions about this tool
Quick answer. Short answers on what the gap check does and deliberately does not do. It is a directional documentation check across 23 policy-related Annex A controls — not a formal gap analysis — and ISO/IEC 27001:2022 itself remains the definitive source for control wording and audit scope.
Is this a substitute for a formal gap analysis?
No. It's a fast directional check to help you prioritise. A formal ISO 27001 gap analysis from a qualified consultant or certification body will cover all 93 Annex A controls plus clauses 4-10 and produce a full remediation plan with audit evidence requirements.
Does it cover all 93 Annex A controls?
We focus on 23 that most commonly require documented policies — 9 organisational (A.5), 7 people (A.6), and 7 technological (A.8) controls. The rest are technical controls a consultant is better placed to assess and where evidence depends heavily on your tech stack.
Can I use the output in an actual audit?
The PDF report is a starting point, not audit evidence. Use it to prioritise your remediation plan. Actual audit evidence requires approved, signed, and distributed policy documents plus operational records — which is what PolicySuite packs generate end-to-end.
How the ISO 27001 gap check works
Quick answer. The gap check walks ISO 27001:2022 Annex A controls and Clause 4–10 ISMS requirements, surfacing the policy artefacts and procedural evidence Stage 2 auditors expect to see. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.
References and primary sources
Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.
- ISO/IEC 27001:2022 — the international information-security standard most policy frameworks map to.
- NCSC Cyber Essentials — UK government cyber baseline for security policies.
- NIST Cybersecurity Framework 2.0 — the GOVERN-extended framework cross-walked to ISO and SOC 2.
- NIST SP 800-53 — federal control library referenced in cyber-compliance overlays.
- CISA cybersecurity best practices — US federal cyber-hygiene baseline for SMBs.
The documents that survive enterprise vendor review and regulator scrutiny cite their primary sources clause by clause. Many UK SMEs first discover a policy gap when a buyer’s legal team challenges a generic phrase — for example, a citation to guidance that has since been revised. Checking each policy against the sources above closes that gap before someone else finds it.