Free Tool · No Signup Required

ISO 27001:2022 Control Gap Checker

23 policy-related Annex A controls. 10 minutes. Instant coverage report with recommended packs for every gap.

📋 23 controls from Annex A ⏱️ ~10 minutes 🔒 Private — answers never leave your browser

Quick answer. An ISO 27001 gap analysis checks your current controls against the 93 Annex A controls of ISO 27001:2022 and identifies which are documented, partial or missing. This free tool covers the 23 policy-related Annex A controls (the documentation layer auditors test first) and produces an instant coverage report with recommended PolicySuite packs to close every gap — no sign-up, browser-only, ten minutes.

0 of 23 answered

A.5 — Organisational controls

Quick answer. ISO/IEC 27001:2022 Annex A.5 holds the 37 organisational controls — the information security policy itself, supplier relationships, incident management and threat intelligence among them. This section checks the nine A.5 controls that most commonly require a documented policy: the layer a Stage 1 auditor reads before anything else.

Policies, asset inventories, supplier relationships and incident planning — the governance backbone of an ISMS.

A.5.1 — Information security policy A top-level policy approved by leadership, communicated to staff, and reviewed at planned intervals.
A.5.2 — Roles and responsibilities Information-security responsibilities defined and allocated across the organisation.
A.5.7 — Threat intelligence A documented approach for collecting and analysing threat information relevant to the organisation.
A.5.9 — Inventory of information assets A maintained inventory of information and associated assets, with owners.
A.5.10 — Acceptable use of information Rules for acceptable use of information and associated assets, documented and communicated.
A.5.12 — Classification of information A scheme for classifying information according to confidentiality, integrity, availability, and legal requirements.
A.5.15 — Access control policy A documented access control policy based on business and security requirements.
A.5.19 — Information security in supplier relationships Processes and procedures to manage information-security risks associated with the use of suppliers.
A.5.24 — Incident management planning Incident management processes, roles and responsibilities planned, prepared and communicated.

A.6 — People controls

Quick answer. Annex A.6 holds the eight people controls: screening, terms and conditions of employment, security awareness training, the disciplinary process and responsibilities after termination or role change. This section checks the seven that need written policies — auditors also expect evidence they operate, such as signed acknowledgements and training records.

Screening, training, disciplinary processes and remote working — the controls that cover how staff handle information.

A.6.1 — Background screening Verification checks on candidates proportionate to role, risk and local law.
A.6.2 — Terms and conditions of employment Employment contracts that set out information-security responsibilities.
A.6.3 — Information security awareness, education and training Regular, role-appropriate security awareness training with attendance tracked.
A.6.4 — Disciplinary process A formal, documented process for handling information-security breaches by personnel.
A.6.5 — Responsibilities after termination Information-security responsibilities that remain valid after termination or change of employment.
A.6.6 — Confidentiality / NDAs Confidentiality or non-disclosure agreements reflecting the organisation's needs for information protection.
A.6.7 — Remote working Security measures for staff working remotely to protect information accessed, processed or stored.

A.8 — Technological controls

Quick answer. Annex A.8 contains the 34 technological controls, spanning access restriction, malware protection, backup, logging, cryptography and secure development. This section checks the seven that most commonly require written policies. A classic Stage 2 finding is a policy that promises more than the organisation operates — for example, backup restores that nobody tests.

Endpoint, logging, monitoring and cryptography — the controls that need documented policies before they can be operated consistently.

A.8.1 — User endpoint devices A policy governing how laptops, phones and other endpoints are secured, configured and monitored.
A.8.2 — Privileged access rights Controls restricting and managing the allocation and use of privileged access.
A.8.15 — Logging Logs recording activities, exceptions and security events, produced and stored in line with policy.
A.8.16 — Monitoring activities Networks, systems and applications monitored for anomalous behaviour and to evaluate incidents.
A.8.19 — Installation of software on operational systems A documented procedure controlling which software can be installed on operational systems.
A.8.23 — Web filtering Access to external websites managed to reduce exposure to malicious content.
A.8.24 — Use of cryptography A cryptography policy covering algorithms, key management, and acceptable use.
0
% COVERAGE

Control area breakdown

Quick answer. Your score is broken down across the three Annex A themes this tool covers — organisational (A.5), people (A.6) and technological (A.8). Green means 80% or better documented coverage in that area, amber means partial, red means significant gaps. Start remediation with the lowest-scoring area first.

Recommended policy packs to close your gaps

Quick answer. These recommendations are ranked by the control areas where you scored lowest. Each pack generates the written policies those Annex A controls expect, mapped to ISO/IEC 27001:2022 control by control, so the documents slot directly into a Statement of Applicability.

Ranked by the areas where you scored lowest. Pricing is live from our pricing engine.

Questions about this tool

Quick answer. Short answers on what the gap check does and deliberately does not do. It is a directional documentation check across 23 policy-related Annex A controls — not a formal gap analysis — and ISO/IEC 27001:2022 itself remains the definitive source for control wording and audit scope.

Is this a substitute for a formal gap analysis?

No. It's a fast directional check to help you prioritise. A formal ISO 27001 gap analysis from a qualified consultant or certification body will cover all 93 Annex A controls plus clauses 4-10 and produce a full remediation plan with audit evidence requirements.

Does it cover all 93 Annex A controls?

We focus on 23 that most commonly require documented policies — 9 organisational (A.5), 7 people (A.6), and 7 technological (A.8) controls. The rest are technical controls a consultant is better placed to assess and where evidence depends heavily on your tech stack.

Can I use the output in an actual audit?

The PDF report is a starting point, not audit evidence. Use it to prioritise your remediation plan. Actual audit evidence requires approved, signed, and distributed policy documents plus operational records — which is what PolicySuite packs generate end-to-end.

How the ISO 27001 gap check works

Quick answer. The gap check walks ISO 27001:2022 Annex A controls and Clause 4–10 ISMS requirements, surfacing the policy artefacts and procedural evidence Stage 2 auditors expect to see. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.

References and primary sources

Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.

The documents that survive enterprise vendor review and regulator scrutiny cite their primary sources clause by clause. Many UK SMEs first discover a policy gap when a buyer’s legal team challenges a generic phrase — for example, a citation to guidance that has since been revised. Checking each policy against the sources above closes that gap before someone else finds it.