ISO 27001:2022 Gap Checker

Identify ISO 27001 Annex A control gaps before certification

Work through the 93 Annex A controls in ISO 27001:2022 across four themes and self-rate each as fully implemented, partially, or missing. Generates a gap percentage and prioritised remediation list for ISMs and security teams. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How many controls does ISO 27001:2022 have?

The 2022 revision of Annex A has 93 controls, down from 114 in the 2013 version. They are organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). This tool covers a representative subset across all four.

ISO 27001:2022 certification hinges on closing the gap between the Annex A controls you have actually implemented and the full set of 93. This checker lets you rate each control as implemented, partial, or missing and turns those ratings into a single conformity percentage plus a prioritised remediation list.

How it works

Each control you rate contributes a score:

Implemented = 1.0
Partial     = 0.5
Missing     = 0.0

conformity % = (sum of scores / number of controls) × 100

Partial controls earn half credit because a half-built control still carries material residual risk. The remediation list surfaces every Missing control first, then every Partial, grouped by the four Annex A themes so you can assign owners theme by theme.

The four Annex A themes

  • Organisational (A.5) — policies, supplier relationships, incident management, information classification. 37 controls.
  • People (A.6) — screening, terms of employment, awareness training, remote-working rules. 8 controls.
  • Physical (A.7) — secure areas, equipment, clear-desk, cabling and media handling. 14 controls.
  • Technological (A.8) — access control, cryptography, logging, secure development, and configuration management. 34 controls.

Key changes in the 2022 revision

The 2022 edition reduced the control count from 114 (in ISO 27001:2013) to 93 by merging similar controls and reorganising into the four themes above. It also added 11 new controls that reflect current threat landscapes:

  • Threat intelligence (A.5.7) — the organisation must gather, analyse, and act on threat intelligence relevant to its environment.
  • Information security for cloud services (A.5.23) — now an explicit control for cloud-specific acquisition, use, and exit processes.
  • ICT readiness for business continuity (A.5.30) — ICT continuity planning must be tested and updated.
  • Physical security monitoring (A.7.4) — premises must be monitored for unauthorised physical access.
  • Web filtering (A.8.23), secure coding (A.8.28), data masking (A.8.11), and data leakage prevention (A.8.12).

If your ISMS was certified to the 2013 standard, a transition audit is required before the deadline; checking these 11 new controls is where most transition gaps appear.

High-risk controls that auditors scrutinise

Some controls are consistently under-implemented at Stage 2 audits:

  • A.5.10 — Acceptable use of information and other assets: organisations often have a policy but cannot show it was communicated, signed, or regularly re-acknowledged.
  • A.8.5 — Secure authentication: multi-factor authentication requirements may be policy but not yet technically enforced for privileged or remote access.
  • A.5.35 — Independent review of information security: the control requires an independent review at planned intervals, not just an internal audit — the same team cannot audit its own controls and satisfy this.
  • A.8.8 — Management of technical vulnerabilities: a patch management process must be documented, operating, and producing evidence of timely patching with defined maximum windows.

Tips

Be honest about Partial: a control that exists in policy but has no evidence of operation is Partial at best. Use the remediation order as a backlog — close the Missing technological controls first, since they tend to carry the highest audit-failure risk and the most exploitable residual risk. The Statement of Applicability (SoA) must list all 93 controls with a justification for any you exclude, so start building it alongside this gap analysis.