ISO 27001:2022 certification hinges on closing the gap between the Annex A controls you have actually implemented and the full set of 93. This checker lets you rate each control as implemented, partial, or missing and turns those ratings into a single conformity percentage plus a prioritised remediation list.
How it works
Each control you rate contributes a score:
Implemented = 1.0
Partial = 0.5
Missing = 0.0
conformity % = (sum of scores / number of controls) × 100
Partial controls earn half credit because a half-built control still carries material residual risk. The remediation list surfaces every Missing control first, then every Partial, grouped by the four Annex A themes so you can assign owners theme by theme.
The four Annex A themes
- Organisational (A.5) — policies, supplier relationships, incident management, information classification. 37 controls.
- People (A.6) — screening, terms of employment, awareness training, remote-working rules. 8 controls.
- Physical (A.7) — secure areas, equipment, clear-desk, cabling and media handling. 14 controls.
- Technological (A.8) — access control, cryptography, logging, secure development, and configuration management. 34 controls.
Key changes in the 2022 revision
The 2022 edition reduced the control count from 114 (in ISO 27001:2013) to 93 by merging similar controls and reorganising into the four themes above. It also added 11 new controls that reflect current threat landscapes:
- Threat intelligence (A.5.7) — the organisation must gather, analyse, and act on threat intelligence relevant to its environment.
- Information security for cloud services (A.5.23) — now an explicit control for cloud-specific acquisition, use, and exit processes.
- ICT readiness for business continuity (A.5.30) — ICT continuity planning must be tested and updated.
- Physical security monitoring (A.7.4) — premises must be monitored for unauthorised physical access.
- Web filtering (A.8.23), secure coding (A.8.28), data masking (A.8.11), and data leakage prevention (A.8.12).
If your ISMS was certified to the 2013 standard, a transition audit is required before the deadline; checking these 11 new controls is where most transition gaps appear.
High-risk controls that auditors scrutinise
Some controls are consistently under-implemented at Stage 2 audits:
- A.5.10 — Acceptable use of information and other assets: organisations often have a policy but cannot show it was communicated, signed, or regularly re-acknowledged.
- A.8.5 — Secure authentication: multi-factor authentication requirements may be policy but not yet technically enforced for privileged or remote access.
- A.5.35 — Independent review of information security: the control requires an independent review at planned intervals, not just an internal audit — the same team cannot audit its own controls and satisfy this.
- A.8.8 — Management of technical vulnerabilities: a patch management process must be documented, operating, and producing evidence of timely patching with defined maximum windows.
Tips
Be honest about Partial: a control that exists in policy but has no evidence of operation is Partial at best. Use the remediation order as a backlog — close the Missing technological controls first, since they tend to carry the highest audit-failure risk and the most exploitable residual risk. The Statement of Applicability (SoA) must list all 93 controls with a justification for any you exclude, so start building it alongside this gap analysis.