Rules Mate

Free tool

ISO 27001 gap assessment

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). Certification is voluntary but increasingly demanded for enterprise and government B2B sales in Australia. This tool scores your readiness across the management-system Clauses 4-10 and the four Annex A control themes, then lists the gaps and the mandatory artefacts you still need before a certification audit.

Last verified: 1 July 2026

Management system — Clauses 4-10

The certifiable requirements. Certification bodies fail Stage 1 audits most often on missing clause artefacts.

Documented ISMS scope

Clause 4 — the boundaries and applicability of your information security management system.

Leadership commitment + information security policy

Clause 5 — top-management commitment, assigned roles, and an approved information security policy.

Information security risk assessment

Clause 6.1.2 — a documented risk assessment methodology with recorded results.

Risk treatment plan

Clause 6.1.3 — treatment options selected, risk owners assigned, residual risk accepted.

Statement of Applicability (SoA)

Clause 6.1.3(d) — which of the 93 Annex A controls apply, justifying inclusions and exclusions.

Support — resources, competence, awareness, documented information

Clause 7 — trained staff, an awareness programme, and controlled documented information.

Internal audit programme

Clause 9.2 — planned internal audits of the ISMS against ISO 27001 and your own requirements.

Management review records

Clause 9.3 — top-management reviews ISMS performance at planned intervals, with records.

Annex A controls — 93 controls in 4 themes

Assess each theme at a high level. Your Statement of Applicability records which of the 93 controls apply.

Organizational controls (37)

Policies, roles + responsibilities, supplier relationships, incident management, threat intelligence.

People controls (8)

Screening, terms of employment, awareness, disciplinary process, remote working.

Physical controls (14)

Secure areas, equipment protection, clear desk / clear screen, secure disposal.

Technological controls (34)

Access control, cryptography, malware protection, backup, logging + monitoring, secure development.

Reference tool — not professional advice. ISO/IEC 27001 certification depends on an accredited certification body's assessment of your specific ISMS scope and risk profile. Confirm your control selection and audit readiness with a qualified ISO 27001 lead auditor or consultant before booking a certification audit.

Frequently asked questions

Is ISO 27001 certification mandatory in Australia?
No — ISO/IEC 27001 certification is voluntary. But it is frequently required to win enterprise and government B2B contracts, so many Australian vendors pursue it to unlock or retain sales pipelines rather than to satisfy a law.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory document listing all 93 Annex A controls, stating which apply to your ISMS, and justifying every inclusion and exclusion. No certification body will certify you without a completed SoA.
How does ISO 27001 relate to the ACSC Essential Eight?
The Essential Eight overlaps with the Annex A technological controls — patching, multi-factor authentication, restricting admin privileges, application control and backups. Reaching Essential Eight Maturity Level 1-2 provides evidence for several ISO 27001 technological controls, though ISO covers a much broader management-system scope.
Is the ISO 27001 standard free to read?
No. ISO/IEC 27001:2022 is a copyrighted standard you purchase from ISO or a national standards body (in Australia, Standards Australia). This tool summarises the structure and requirements; it does not reproduce the standard text. See the ISO pages linked in the results.
