A.5 (37 controls)
Organizational Controls
Policies, roles, supplier requirements, intellectual property protection, and information classification per ISO 27001:2022 Annex A.5.
Q1 · Domain 1: Information security policies are documented, approved, and reviewed at planned intervals.
Q2 · Domain 1: Roles and responsibilities for information security are defined and communicated.
Q3 · Domain 1: Supplier and third-party security requirements are included in contracts.
Q4 · Domain 1: Processes exist to protect intellectual property and confidential information.
Q5 · Domain 1: An information classification and handling scheme is defined and enforced.
A.6 (8 controls)
People Controls
Screening, security awareness, remote working policy, disciplinary process, and offboarding per ISO 27001:2022 Annex A.6.
Q1 · Domain 2: Pre-employment background screening is performed for security-relevant roles.
Q2 · Domain 2: A security awareness and training program is in place and tracked.
Q3 · Domain 2: A remote working security policy covers approved devices, connectivity, and data handling.
Q4 · Domain 2: A disciplinary process exists for employees who violate security policies.
Q5 · Domain 2: Offboarding procedures revoke access and recover assets upon termination.
A.7 (14 controls)
Physical Controls
Physical access controls, equipment maintenance, clear desk/screen policy, cabling security, and secure disposal per ISO 27001:2022 Annex A.7.
Q1 · Domain 3: Physical access controls restrict entry to secure areas to authorised personnel only.
Q2 · Domain 3: Equipment maintenance records are kept, and maintenance is performed securely.
Q3 · Domain 3: A clear desk and clear screen policy is defined and enforced.
Q4 · Domain 3: Cabling is secured against interception, interference, or damage.
Q5 · Domain 3: Secure disposal or re-use procedures are followed for media and equipment.
A.8 (34 controls)
Technological Controls
Privileged access management, secrets management, data masking, vulnerability management, and network monitoring per ISO 27001:2022 Annex A.8.
Q1 · Domain 4: Privileged access rights are managed throughout their lifecycle with periodic review.
Q2 · Domain 4: Secrets (keys, tokens, passwords) are managed using a defined key management process.
Q3 · Domain 4: Data masking or anonymisation is applied in non-production environments.
Q4 · Domain 4: A vulnerability management programme scans, assesses, and remediates weaknesses.
Q5 · Domain 4: Network traffic is monitored and logged to detect anomalous activity.
Cl. 5/9/10
ISMS Leadership & Audit
Top management commitment, internal audit programme, management review, nonconformity tracking, and continual improvement per ISO 27001:2022 Clauses 5, 9, and 10.
Q1 · Domain 5: Top management demonstrates commitment to the ISMS and provides necessary resources.
Q2 · Domain 5: An internal audit programme is planned, executed, and its results reported to management.
Q3 · Domain 5: Management reviews of the ISMS are conducted at planned intervals.
Q4 · Domain 5: Nonconformities are tracked, root-caused, and corrective actions verified.
Q5 · Domain 5: Continual improvement objectives are set, measured, and reported.
Priority Actions: Annex A themes scoring below 80% require remediation before pursuing ISO 27001 certification.
This assessment is self-reported and indicative only. It does not constitute legal or regulatory advice. For formal ISO 27001 certification, engage an accredited certification body.