How many controls does ISO 27001:2022 have?

The 2022 revision of Annex A has 93 controls, down from 114 in the 2013 version. They are organised into four themes: Organisational (37), People (8), Physical (14), and Technological (34). This tool covers a representative subset across all four.

How is the gap percentage calculated?

Each control rated Implemented scores 1, Partial scores 0.5, and Missing scores 0. The conformity percentage is the sum of scores divided by the number of controls rated. A higher percentage means fewer gaps before a certification audit.

Is a self-assessment enough for certification?

No. Certification requires a Stage 1 and Stage 2 audit by an accredited certification body, plus a documented ISMS, risk assessment, and Statement of Applicability. This tool is a readiness aid to find and close gaps before you book that audit.

What is the difference between Annex A and the main clauses?

Clauses 4 to 10 are the mandatory management-system requirements you must meet. Annex A is the catalogue of 93 security controls you select from via your Statement of Applicability. Both must be addressed, but Annex A is where most operational gaps appear.

Does my data leave the browser?

No. All ratings and the resulting gap score are computed locally in your browser with JavaScript. Nothing is sent to a server, so you can assess sensitive control posture privately.

ISO 27001:2022 Gap Checker

ISO 27001:2022 certification hinges on closing the gap between the Annex A controls you have actually implemented and the full set of 93. This checker lets you rate each control as implemented, partial, or missing and turns those ratings into a single conformity percentage plus a prioritised remediation list.

How it works

Each control you rate contributes a score:

Implemented = 1.0
Partial     = 0.5
Missing     = 0.0

conformity % = (sum of scores / number of controls) × 100

Partial controls earn half credit because a half-built control still carries material residual risk. The remediation list surfaces every Missing control first, then every Partial, grouped by the four Annex A themes so you can assign owners theme by theme.

The four Annex A themes

Organisational (A.5) — policies, supplier relationships, incident management, information classification.
People (A.6) — screening, terms of employment, awareness training, remote-working rules.
Physical (A.7) — secure areas, equipment, clear-desk, cabling and media handling.
Technological (A.8) — access control, cryptography, logging, secure development, and configuration management.

Tips

Be honest about Partial: a control that exists in policy but has no evidence of operation is Partial at best. Use the remediation order as a backlog — close the Missing technological controls first, since they tend to carry the highest audit-failure risk and the most exploitable residual risk.