About & Methodology

What This Tool Does

ISO 27001 Self-Check helps in-house ISMS leads and junior GRC analysts track their organization's implementation posture against all 93 Annex A controls from ISO/IEC 27001:2022. It is designed for organizations preparing for first-time ISO 27001 certification who need to understand their gap position before engaging a certification body.

Every control in the tool includes the exact Annex A reference, the official control name, and a plain-English implementation hint drawn from ISO 27002:2022 guidance (paraphrased to avoid copyright concerns). The tool does not reproduce the standard text verbatim.

Scoring Methodology

Status Weights

  • Implemented = 100% (1.0)
  • In Progress = 50% (0.5)
  • Not Started = 0% (0.0)
  • Not Applicable = excluded from denominator

Per-Theme Maturity Tiers

  • Basic: 0–40%
  • Developing: 41–65%
  • Mature: 66–85%
  • Optimized: 86–100%

Stage-1 Audit Readiness Verdict

  • Ready: Composite ≥ 75% AND every applicable theme ≥ 60%
  • Borderline: Composite 50–74%, or Composite ≥ 75% with any applicable theme below 60%
  • Not Ready: Composite below 50%

A Stage-1 audit is a documentation review: the auditor checks that your ISMS scope, policies, procedures, and records exist and are adequate. A Stage-2 audit tests whether the controls are actually implemented and operating as documented. This tool only helps you prepare for Stage-1; a self-assessed "Implemented" status is not audit evidence, and Stage-2 auditors will ask for the records behind it.

Gap Prioritization

Each open gap is scored as criticality × gap_weight, where gap_weight is the complement of the status weight: Not Started = 1.0, In Progress = 0.5. Implemented and Not Applicable controls produce no gap. Criticality weights (1–3) reflect common audit emphasis: foundational governance and access controls carry higher criticality than operational procedural controls. A Not Started control of criticality 3 therefore scores 3.0 and ranks above an In Progress control of the same criticality (1.5).
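The scoring, tier, readiness and gap-prioritization rules above, worked through in JavaScript as an added example (this is not the tool's own source code). The control identifiers are real Annex A references, but their statuses, the theme names, the lowercase status tokens and every criticality value are a constructed sample chosen to show the case where a strong composite score still yields a Borderline verdict because one theme is weak.

```javascript
// Added example, not the tool's own code. Status tokens, theme names and
// criticality values are assumptions; the sample statuses are constructed.

const STATUS_WEIGHT = { implemented: 1.0, in_progress: 0.5, not_started: 0.0 };
// Gap weight is the complement of the status weight: how much of the control
// is still missing. Implemented and Not Applicable controls produce no gap.
const GAP_WEIGHT = { not_started: 1.0, in_progress: 0.5, implemented: 0.0 };
const NOT_APPLICABLE = "not_applicable";

// Constructed sample: 14 Annex A controls with assumed criticality (1-3).
const SAMPLE_CONTROLS = [
  { id: "A.5.1",  theme: "Organizational", status: "implemented",  criticality: 3 },
  { id: "A.5.7",  theme: "Organizational", status: "implemented",  criticality: 2 },
  { id: "A.5.15", theme: "Organizational", status: "implemented",  criticality: 3 },
  { id: "A.5.23", theme: "Organizational", status: "implemented",  criticality: 2 },
  { id: "A.5.30", theme: "Organizational", status: "in_progress",  criticality: 3 },
  { id: "A.5.34", theme: "Organizational", status: "implemented",  criticality: 3 },
  { id: "A.6.3",  theme: "People",         status: "implemented",  criticality: 2 },
  { id: "A.6.8",  theme: "People",         status: "implemented",  criticality: 1 },
  { id: "A.7.1",  theme: "Physical",       status: "in_progress",  criticality: 2 },
  { id: "A.7.4",  theme: "Physical",       status: NOT_APPLICABLE, criticality: 1 },
  { id: "A.8.10", theme: "Technological",  status: "implemented",  criticality: 2 },
  { id: "A.8.12", theme: "Technological",  status: "not_started",  criticality: 2 },
  { id: "A.8.24", theme: "Technological",  status: "implemented",  criticality: 3 },
  { id: "A.8.28", theme: "Technological",  status: "implemented",  criticality: 2 },
];

// Status weight for one control, or null when it is Not Applicable.
function weightOf(control) {
  if (control.status === NOT_APPLICABLE) return null;
  if (!(control.status in STATUS_WEIGHT)) {
    throw new RangeError(`unknown status for ${control.id}: ${control.status}`);
  }
  return STATUS_WEIGHT[control.status];
}

// Percentage over applicable controls only: Not Applicable is dropped from
// both numerator and denominator. Returns null when nothing is applicable.
function scorePercent(controls) {
  const weights = controls.map(weightOf).filter((w) => w !== null);
  if (weights.length === 0) return null;
  const sum = weights.reduce((a, b) => a + b, 0);
  return Math.round((sum / weights.length) * 100); // integer, so the tier bands are exhaustive
}

function maturityTier(pct) {
  if (pct === null) return "No applicable controls";
  if (pct <= 40) return "Basic";
  if (pct <= 65) return "Developing";
  if (pct <= 85) return "Mature";
  return "Optimized";
}

// Per-theme percentage, keyed by theme name in first-seen order.
function themeScores(controls) {
  const byTheme = new Map();
  for (const c of controls) {
    if (!byTheme.has(c.theme)) byTheme.set(c.theme, []);
    byTheme.get(c.theme).push(c);
  }
  const out = {};
  for (const [theme, cs] of byTheme) out[theme] = scorePercent(cs);
  return out;
}

// Stage-1 readiness verdict. A strong composite does not rescue a weak theme.
function readinessVerdict(controls) {
  const composite = scorePercent(controls);
  const themes = themeScores(controls);
  const weakThemes = Object.keys(themes).filter((t) => themes[t] !== null && themes[t] < 60);
  let verdict;
  if (composite === null || composite < 50) verdict = "Not Ready";
  else if (composite >= 75 && weakThemes.length === 0) verdict = "Ready";
  else verdict = "Borderline";
  return { composite, tier: maturityTier(composite), themes, weakThemes, verdict };
}

// Gap score = criticality x gap weight, highest first; ties broken by control id.
function prioritizedGaps(controls) {
  return controls
    .filter((c) => c.status === "not_started" || c.status === "in_progress")
    .map((c) => ({ id: c.id, theme: c.theme, score: c.criticality * GAP_WEIGHT[c.status] }))
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

console.log(readinessVerdict(SAMPLE_CONTROLS));
console.log(prioritizedGaps(SAMPLE_CONTROLS));
```

On this sample the composite is 85% (Mature) and three of four themes are at or above 75%, yet the verdict is Borderline because Physical sits at 50%; marking A.7.1 Implemented lifts it to Ready. The percentages are rounded to integers because the tier bands as listed (0–40, 41–65, ...) leave a value such as 40.5 unassigned; the ranking puts the Not Started A.8.12 (score 2.0) ahead of the In Progress but higher-criticality A.5.30 (1.5).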

Privacy Architecture

All assessment data is stored exclusively in your browser's localStorage under the key iso27001_tracker_v1. No data is transmitted to any server. There are no analytics, no third-party scripts, and no telemetry of any kind. Note that localStorage is not encrypted: anyone with access to the browser profile, and any script running on the same origin, can read it, so do not use a shared or unmanaged device for the assessment.

localStorage is limited to approximately 5 MB per origin. At 93 controls with moderate notes, usage is typically well under 100 KB. The JSON export function allows you to back up your assessment data and transfer it to another device or share it with a colleague via secure file transfer. Because clearing the browser's site data deletes the assessment, export regularly.

The tool is suitable for deployment on a corporate intranet without any outbound data egress. To self-host, fork the repository, run npm run build, and serve the out/ directory from any static host.

ISO 27001:2022 vs 2013

This tool uses the 2022 revision exclusively. ISO/IEC 27001:2022 restructured and consolidated the 2013 Annex A from 114 controls across 14 domains into 93 controls across 4 themes (Organizational, People, Physical, Technological). The 2022 revision added 11 new controls (including A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention) and merged many overlapping 2013 controls into single 2022 controls.

Organizations certified under ISO 27001:2013 were required to transition to the 2022 standard by 31 October 2025. Do not reference 2013 control numbers in any new ISMS documentation; where a legacy document still cites them, add a mapping to the 2022 numbering (ISO/IEC 27002:2022 Annex B provides the official correspondence tables).

Companion Tools

This tool is part of Sahil Singhi's GRC portfolio. See also:

Several ISO 27001 controls map directly to obligations under India's Digital Personal Data Protection Act, 2023 (DPDP): A.8.10 (Information deletion) ↔ DPDP right to erasure; A.5.34 (Privacy and protection of PII) ↔ DPDP Data Fiduciary obligations; A.5.33 (Protection of records) ↔ DPDP data retention requirements. These mappings show where ISMS evidence can be reused; they are not a one-to-one equivalence of obligations.