Free tool
ISO 27001 gap assessment
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). Certification is voluntary but increasingly demanded for enterprise and government B2B sales in Australia. This tool scores your readiness across the management-system Clauses 4-10 and the four Annex A control themes (organisational, people, physical and technological), then lists the gaps and the mandatory documented artefacts you still need before a certification audit.
Reference tool — not professional advice. ISO/IEC 27001 certification depends on an accredited certification body's assessment of your specific ISMS scope and risk profile. Confirm your control selection and audit readiness with a qualified ISO 27001 lead auditor or consultant before booking a certification audit.
Frequently asked questions
- Is ISO 27001 certification mandatory in Australia?
- No — ISO/IEC 27001 certification is voluntary. But it is frequently required to win enterprise and government B2B contracts, so many Australian vendors pursue it to unlock or retain sales pipelines rather than to satisfy a law.
- What is the Statement of Applicability?
- The Statement of Applicability (SoA) is a mandatory document (Clause 6.1.3) listing all 93 Annex A controls, stating which apply to your ISMS, whether each applicable control is implemented, and justifying every inclusion and exclusion. The SoA must be consistent with your risk assessment and risk treatment plan: a control cannot be excluded if an identified risk relies on it. No certification body will certify you without a completed SoA.
- How does ISO 27001 relate to the ACSC Essential Eight?
- The Essential Eight overlaps with the Annex A technological controls: patching maps to 8.8 (management of technical vulnerabilities), multi-factor authentication to 8.5 (secure authentication), restricting admin privileges to 8.2 (privileged access rights), application control to 8.19 (installation of software on operational systems) and regular backups to 8.13 (information backup). Reaching Essential Eight Maturity Level 1-2 therefore provides implementation evidence for several ISO 27001 technological controls, but it is not evidence of an ISMS: ISO 27001 also requires the risk assessment, documented scope, internal audit and management review of Clauses 4-10, and the organisational, people and physical control themes that the Essential Eight does not address.
- Is the ISO 27001 standard free to read?
- No. ISO/IEC 27001:2022 is a copyrighted standard you purchase from ISO or a national standards body (in Australia, Standards Australia). This tool summarises the structure and requirements; it does not reproduce the standard text. See the ISO pages linked in the results.
Not sure which obligations apply to you?
Run the Compliance Fingerprint, a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that applies to it.