ISO 27001 Gap Analysis: how far are you from certification readiness?
Free ISO 27001 gap analysis covering all 93 Annex A controls. Score your readiness and get a prioritised remediation checklist. Results in under 10 minutes.
ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS). It sets out how to manage information security through governance, risk assessment and a set of controls, so that protection is deliberate and reviewed rather than ad hoc.
No, completing this assessment does not certify you. It is a free self-assessment based on your own answers: it gives you a readiness signal and highlights gaps. ISO 27001 certification is awarded only by an accredited certification body after a formal external audit, and this tool cannot grant, guarantee or substitute for that.
ISO 27001:2022 groups its 93 Annex A controls into four themes: organisational (37 controls), people (8), physical (14) and technological (34). This tool covers all four themes, plus the governance and risk requirements from the standard's main clauses (clauses 4 to 10, which every ISMS must meet regardless of which Annex A controls it applies).
You answer 24 questions across six areas, each scored from 1 (weakest) to 4 (strongest), so your raw total lies between 24 and 96. We normalise that total to a 0 to 100 scale: a raw total of 24 (all weakest answers) scores 0 and a raw total of 96 (all strongest answers) scores 100. There is no hidden floor, so the score reflects your real answers rather than a flattering baseline.
There is no pass mark in this tool, and a high score here does not mean you are certified. A strong score (76 to 100) suggests you are likely close to certification-ready, but only a formal audit against the full standard can confirm that.
The assessment takes about five to ten minutes. There are 24 questions, each with four plain-language options. No technical knowledge is needed.
Yes, it suits organisations of any size, including charities and non-profits. The questions use plain business language rather than assuming a dedicated security team. ISO 27001 scales to your context, and so does this assessment.
Certification cost and timeline vary by organisation size and ISMS scope. Independent UK guides commonly cite first-year costs in the low tens of thousands of pounds and a timeline of roughly six to twelve months for organisations starting from scratch. Treat published figures as indicative only and get a quote from an accredited certification body for your situation.
ISO 27001 and UK GDPR are separate but complementary. UK GDPR requires appropriate technical and organisational measures to keep personal data secure (Article 5(1)(f) and Article 32). A well-run ISMS is strong evidence that you are meeting that duty, though ISO 27001 certification is not itself a legal requirement and does not on its own demonstrate GDPR compliance.
We use your details to send your results and to contact you about related services, with your consent, and you can unsubscribe at any time. See our privacy policy for how we handle your information. Your individual answers are not published.