ISO 27001 gap analysis with ISMS Copilot
Map your current state against ISO 27001:2022 clauses 4-10 and all 93 Annex A controls.
Annex A:2022 gap analysis against your current state
The 2013 to 2022 transition collapsed 114 Annex A controls into 93 across four themes — Organizational, People, Physical, and Technological — and added 11 new controls including threat intelligence, information security for cloud services, and data masking. ISMS Copilot walks each of the 93 controls and asks targeted questions about what you already do, then produces a control-by-control delta: implemented, partial, or absent, with the evidence each control expects. It also checks management-system conformance across clause 4 (context), clause 6 (planning and risk), clause 8 (operation), and clause 9 (performance evaluation), because auditors fail organizations on the clauses as often as on Annex A. The output feeds straight into your Statement of Applicability so every exclusion has a documented justification before the Stage 1 audit.
ISO 27001 framework details →
Why teams use ISMS Copilot for ISO 27001 gap analysis
- Get a per-control verdict across all 93 Annex A:2022 controls, not a generic checklist
- Catch management-system gaps in clauses 4-10 that fail Stage 1 audits
- Generate a defensible Statement of Applicability with justified exclusions
- Prioritise the 11 new 2022 controls if you are transitioning from ISO 27001:2013
Free interactive ISO 27001 gap checker
Want a fast self-scored snapshot before a full ISMS Copilot engagement? The free ISO 27001 Gap Checker walks clauses 4–10 across eleven areas and returns a maturity heatmap you can export — no account, and not a substitute for the per-control Annex A:2022 delta above.
Open the free ISO 27001 Gap Checker →
Frequently Asked Questions
Does it cover the 2013 to 2022 transition specifically?
Yes. ISMS Copilot maps your existing 2013-era controls onto the 93 Annex A:2022 controls, flags the 11 net-new controls, and highlights merged controls so a transition audit goes smoothly.
Does the gap analysis include the management clauses?
Yes. It assesses clause 4 through clause 10 conformance — context, leadership, planning, support, operation, performance evaluation, and improvement — not only Annex A, because certification depends on both.
Will the output map to my Statement of Applicability?
Yes. Each control verdict carries an applicability decision and justification, which ISMS Copilot assembles into a draft SoA you can review and finalise.
