
ISO 27001 Gap Checker (Clauses 4–10)

Self-score your ISMS against the 11 core requirement areas of ISO/IEC 27001:2022 management-system clauses 4–10. Get a maturity heatmap and a prioritised focus list — a starting point for your gap analysis, not an audit.

This is a self-assessment aid, not a certification, audit or conformity statement. It does not reproduce ISO/IEC 27001:2022 clause titles or normative requirements — for those, refer to the standard from your national standards body and confirm conformity with a competent auditor.


Rate each area honestly on how established and evidenced it is today.

Clause 4

Business setting and stakeholder needs

You have mapped relevant internal/external factors and stakeholder expectations that affect the management system.

Management-system boundary choices

You have written down where the system applies, what is included or excluded, and key links to teams, sites, services and suppliers.

Clause 5

Executive backing, direction and ownership

Senior leaders actively support the system, security direction is approved, and accountable owners are named for key activities.

Clause 6

Risk workflow and control-selection record

You use a repeatable method to identify and handle information-security risks, record which controls are relevant, and keep a plan for risk-reduction work.

Security goals and managed change

You set measurable security goals with owners and timelines, and significant system changes are prepared before they are made.

Clause 7

People, skills and communication basics

The system has enough people and tools; staff know what is expected of them; and recurring internal/external messages are planned.

Documents and records kept under control

Key files and evidence are created, approved, versioned, protected and available to the right people when needed.

Clause 8

Day-to-day running of the security system

Risk work and selected safeguards are carried out in practice, kept current, and coordinated with outsourced activities.

Clause 9

Checking whether the system works

You choose useful indicators, review the results, and use them to judge whether the management system is doing its job.

Scheduled independent checks and leadership review

Planned internal checks are performed by suitable people, and senior leaders periodically review results, issues and decisions.

Clause 10

Issue handling and ongoing improvement

Problems are logged, causes are addressed, follow-up is tracked, and the system is improved over time.

Important

This tool gives you a structured self-assessment to orient a gap analysis. It is not legal advice, not an audit, and not a certification or statement of conformity. ISO 27001 conformity must be confirmed through your own evidence and a competent auditor; some requirements are not captured by this questionnaire.

FAQ

Does a good score here mean we are ISO 27001 compliant?
No. This is a self-assessment to help you see where to focus. Conformity with ISO/IEC 27001:2022 depends on your actual evidence and is determined by a competent auditor, not by a self-rating tool.

Why clauses 4–10 and not Annex A?
Clauses 4–10 are commonly used to structure management-system reviews. Annex A controls are selected through your risk work and applicability record; use our separate Annex A Control Finder for those.

Are these the official ISO clause titles?
No. We deliberately do not reproduce ISO/IEC 27001:2022 clause titles or normative text. Each area is our own plain-English description of what that part of the standard asks you to do. Consult the standard via your national standards body for the official wording.

Do you store my answers?
No. Scoring runs entirely in your browser. There is no form gate; JSON/CSV export and the printable report are generated locally.

By ISMS Copilot. Structured around ISO/IEC 27001:2022 management-system clauses 4–10. Requirement-area descriptions are original editorial content; refer to the standard from your national standards body for official titles and normative requirements.
