ISO 27001:2022 Control Gap Checker

23 policy-related Annex A controls. 10 minutes. Instant coverage report with recommended packs for every gap.

23 controls from Annex A. About 10 minutes to complete. Private: answers never leave your browser.

A.5 — Organisational controls

Policies, asset inventories, supplier relationships and incident planning — the governance backbone of an ISMS.

A.5.1 — Information security policy: a top-level policy approved by leadership, communicated to staff, and reviewed at planned intervals.
A.5.2 — Roles and responsibilities: information-security responsibilities defined and allocated across the organisation.
A.5.7 — Threat intelligence: a documented approach for collecting and analysing threat information relevant to the organisation.
A.5.9 — Inventory of information assets: a maintained inventory of information and associated assets, with owners.
A.5.10 — Acceptable use of information: rules for acceptable use of information and associated assets, documented and communicated.
A.5.12 — Classification of information: a scheme for classifying information according to confidentiality, integrity, availability, and legal requirements.
A.5.15 — Access control policy: a documented access control policy based on business and security requirements.
A.5.19 — Information security in supplier relationships: processes and procedures to manage information-security risks associated with the use of suppliers.
A.5.24 — Incident management planning: incident management processes, roles and responsibilities planned, prepared and communicated.

A.6 — People controls

Screening, training, disciplinary processes and remote working — the controls that cover how staff handle information.

A.6.1 — Background screening: verification checks on candidates proportionate to role, risk and local law.
A.6.2 — Terms and conditions of employment: employment contracts that set out information-security responsibilities.
A.6.3 — Information security awareness, education and training: regular, role-appropriate security awareness training with attendance tracked.
A.6.4 — Disciplinary process: a formal, documented process for handling information-security breaches by personnel.
A.6.5 — Responsibilities after termination: information-security responsibilities that remain valid after termination or change of employment.
A.6.6 — Confidentiality / NDAs: confidentiality or non-disclosure agreements reflecting the organisation's needs for information protection.
A.6.7 — Remote working: security measures for staff working remotely to protect information accessed, processed or stored.

A.8 — Technological controls

Endpoint, logging, monitoring and cryptography — the controls that need documented policies before they can be operated consistently.

A.8.1 — User endpoint devices: a policy governing how laptops, phones and other endpoints are secured, configured and monitored.
A.8.2 — Privileged access rights: controls restricting and managing the allocation and use of privileged access.
A.8.15 — Logging: logs recording activities, exceptions and security events, produced and stored in line with policy.
A.8.16 — Monitoring activities: networks, systems and applications monitored for anomalous behaviour and to evaluate incidents.
A.8.19 — Installation of software on operational systems: a documented procedure controlling which software can be installed on operational systems.
A.8.23 — Web filtering: access to external websites managed to reduce exposure to malicious content.
A.8.24 — Use of cryptography: a cryptography policy covering algorithms, key management, and acceptable use.

Recommended policy packs to close your gaps

Packs are ranked by the control areas where you scored lowest. Pricing shown is live from our pricing engine.

Questions about this tool

Is this a substitute for a formal gap analysis?

No. It's a fast directional check to help you prioritise. A formal ISO 27001 gap analysis from a qualified consultant or certification body will cover all 93 Annex A controls plus clauses 4-10 and produce a full remediation plan with audit evidence requirements.

Does it cover all 93 Annex A controls?

We focus on 23 that most commonly require documented policies — 9 organisational (A.5), 7 people (A.6), and 7 technological (A.8) controls. The rest are technical controls a consultant is better placed to assess and where evidence depends heavily on your tech stack.

Can I use the output in an actual audit?

The PDF report is a starting point, not audit evidence. Use it to prioritise your remediation plan. Actual audit evidence requires approved, signed, and distributed policy documents plus operational records — which is what PolicySuite packs generate end-to-end.