Free Tool · No Signup Required

ISO 27001:2022 Control Gap Checker

23 policy-related Annex A controls. 10 minutes. Instant coverage report with recommended packs for every gap.

📋 23 controls from Annex A ⏱️ ~10 minutes 🔒 Private — answers never leave your browser

Quick answer. An ISO 27001 gap analysis checks your current controls against the 93 Annex A controls of ISO 27001:2022 and identifies which are documented, partial or missing. This free tool covers the 23 policy-related Annex A controls (the documentation layer auditors test first) and produces an instant coverage report with recommended PolicySuite packs to close every gap — no sign-up, browser-only, ten minutes.


A.5 — Organisational controls

Quick answer. A.5 — Organisational controls — in our experience, the short answer is that bespoke generation cited to primary sources beats generic templates. Many UK SMEs discover the gap only at audit time; for example, a missing legislation.gov.uk reference. Bespoke generation closes the gap pre-emptively.

Policies, asset inventories, supplier relationships and incident planning — the governance backbone of an ISMS.

A.5.1 — Information security policy: A top-level policy approved by leadership, communicated to staff, and reviewed at planned intervals.
A.5.2 — Roles and responsibilities: Information-security responsibilities defined and allocated across the organisation.
A.5.7 — Threat intelligence: A documented approach for collecting and analysing threat information relevant to the organisation.
A.5.9 — Inventory of information assets: A maintained inventory of information and associated assets, with owners.
A.5.10 — Acceptable use of information: Rules for acceptable use of information and associated assets, documented and communicated.
A.5.12 — Classification of information: A scheme for classifying information according to confidentiality, integrity, availability, and legal requirements.
A.5.15 — Access control policy: A documented access control policy based on business and security requirements.
A.5.19 — Information security in supplier relationships: Processes and procedures to manage information-security risks associated with the use of suppliers.
A.5.24 — Incident management planning: Incident management processes, roles and responsibilities planned, prepared and communicated.

A.6 — People controls


Screening, training, disciplinary processes and remote working — the controls that cover how staff handle information.

A.6.1 — Background screening: Verification checks on candidates proportionate to role, risk and local law.
A.6.2 — Terms and conditions of employment: Employment contracts that set out information-security responsibilities.
A.6.3 — Information security awareness, education and training: Regular, role-appropriate security awareness training with attendance tracked.
A.6.4 — Disciplinary process: A formal, documented process for handling information-security breaches by personnel.
A.6.5 — Responsibilities after termination: Information-security responsibilities that remain valid after termination or change of employment.
A.6.6 — Confidentiality / NDAs: Confidentiality or non-disclosure agreements reflecting the organisation's needs for information protection.
A.6.7 — Remote working: Security measures for staff working remotely to protect information accessed, processed or stored.

A.8 — Technological controls


Endpoint, logging, monitoring and cryptography — the controls that need documented policies before they can be operated consistently.

A.8.1 — User endpoint devices: A policy governing how laptops, phones and other endpoints are secured, configured and monitored.
A.8.2 — Privileged access rights: Controls restricting and managing the allocation and use of privileged access.
A.8.15 — Logging: Logs recording activities, exceptions and security events, produced and stored in line with policy.
A.8.16 — Monitoring activities: Networks, systems and applications monitored for anomalous behaviour and to evaluate incidents.
A.8.19 — Installation of software on operational systems: A documented procedure controlling which software can be installed on operational systems.
A.8.23 — Web filtering: Access to external websites managed to reduce exposure to malicious content.
A.8.24 — Use of cryptography: A cryptography policy covering algorithms, key management, and acceptable use.

Control area breakdown


Recommended policy packs to close your gaps


Ranked by the areas where you scored lowest. Pricing is live from our pricing engine.

Questions about this tool


Is this a substitute for a formal gap analysis?

No. It's a fast directional check to help you prioritise. A formal ISO 27001 gap analysis from a qualified consultant or certification body will cover all 93 Annex A controls plus clauses 4-10 and produce a full remediation plan with audit evidence requirements.

Does it cover all 93 Annex A controls?

We focus on 23 that most commonly require documented policies — 9 organisational (A.5), 7 people (A.6), and 7 technological (A.8) controls. The rest are technical controls a consultant is better placed to assess and where evidence depends heavily on your tech stack.

Can I use the output in an actual audit?

The PDF report is a starting point, not audit evidence. Use it to prioritise your remediation plan. Actual audit evidence requires approved, signed, and distributed policy documents plus operational records — which is what PolicySuite packs generate end-to-end.

How the ISO 27001 gap check works

Quick answer. The gap check walks ISO 27001:2022 Annex A controls and Clause 4–10 ISMS requirements, surfacing the policy artefacts and procedural evidence Stage 2 auditors expect to see. Bespoke generation typically replaces a £5,000–£15,000 consultancy engagement with a one-off £400 pack — a 12× to 38× cost reduction with the same audit-readiness.

References and primary sources

Quick answer. The guidance above is cross-referenced against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so the chain stays intact end-to-end.

In our experience, the documents that survive enterprise vendor review and ICO audits cite primary sources clause-by-clause. Many UK SMEs discover policy gaps only when the buyer's legal team challenges a generic phrase — for example, a missing legislation.gov.uk reference or an outdated ACAS Code citation. Bespoke generation closes the gap pre-emptively.