Documentation
How to use this tool, practical use cases, and technical notes.
The ISO 27001 Control Mapper is designed to be completed in 5–10 minutes as a focused session. Here is a complete step-by-step guide to using the tool effectively, including how to interpret outputs and integrate them into your broader ISO 27001 program.
Step 1 — Open the Tool
Navigate to the tool at pentesterworld.com/tools/iso-27001-compliance-checker. The workspace loads immediately in your browser with a live counter showing 0 controls mapped and a list of all 8 Annex A controls ready for assessment.
No login is required. No data is collected. The tool is ready to use immediately.
Step 2 — Understand the Control Layout
Each control card in the tool displays:
Field | What It Shows |
|---|---|
Control ID | The Annex A reference (e.g., A.5.1, A.8.8) |
Control Name | The official ISO 27001:2022 control title |
Theme | Organizational or Technological |
Guidance text | A plain-English description of what the control requires |
Select button | Marks the control as mapped in your SoA |
Step 3 — Assess Each Control Against Your ISMS
For each control, ask three questions before selecting it:
Question 1 — Is this control applicable to your ISMS scope? ISO 27001 allows organizations to exclude Annex A controls if there is a documented justification. However, all 8 controls in this tool are broadly applicable to virtually every organization — exclusion of any of these would require a strong, auditable justification.
Question 2 — Is the control implemented? "Implemented" means the control is actively operating, not merely documented in a policy. For example, A.8.2 (Privileged access rights) is only implemented if privileged accounts are actually restricted and monitored — not just if a policy says they should be.
Question 3 — Do you have evidence of implementation? Auditors will ask for evidence. Before marking a control, confirm that evidence exists and is retrievable.
Implementation status definitions:
Status | Definition | SoA Notation |
|---|---|---|
Implemented | Control is fully operational with evidence | ✅ Applicable — Implemented |
Partially implemented | Control exists but has gaps | ⚠️ Applicable — In progress |
Planned | Control not yet implemented; on roadmap | 🔲 Applicable — Planned |
Not applicable | Control excluded with documented justification | ❌ Not applicable — Justified |
Step 4 — Add Implementation Details
For each control you select, add implementation details that an auditor can trace. The tool provides space to note:
Which system, tool, or process delivers the control
Where the evidence is stored
When the control was last reviewed or tested
Example implementation notes per control:
Control | Good Implementation Note |
|---|---|
A.5.1 | "Information Security Policy v2.3, approved by CISO 14 March 2025, stored in Confluence. Annual review due March 2026." |
A.8.2 | "Privileged access managed via CyberArk PAM. Quarterly access reviews completed. Exception register maintained in Jira." |
A.8.8 | "Vulnerability scans run weekly via Tenable Nessus. Critical findings remediated within 72h per SLA. Monthly trending report to CISO." |
A.8.16 | "SIEM deployed (Splunk). 24/7 alert monitoring by SOC. Playbooks reviewed quarterly. Last tabletop: November 2024." |
Step 5 — Track Your Mapping Progress
The live counter at the top of the tool updates as you select controls, showing:
X controls mapped (out of 8 shown)Use this as a quick-reference indicator for your session. A complete mapping session should result in all 8 controls having either a selected status with implementation notes, or a documented exclusion justification.
Step 6 — Export via "Copy Mapping"
Click the "Copy mapping" button to export your current control mapping state to the clipboard. Paste this output into:
Your Statement of Applicability document (the ISO 27001 SoA is a mandatory deliverable)
An internal ISMS control register spreadsheet
A risk treatment plan document
A pre-audit briefing pack for your certification body
A board-level security report showing ISMS implementation progress
Step 7 — Iterate as Your ISMS Matures
ISO 27001 is a continual improvement framework — your control mapping is never "done." Revisit this tool when:
You complete implementation of a previously planned control
A significant organizational change occurs (new product, new geography, merger)
An internal audit identifies a control gap
A new risk is identified that requires additional controls
Your certification body issues a nonconformity during a surveillance audit
Recommended review cadence:
Trigger | Recommended Action |
|---|---|
Quarterly | Quick pass on Technological controls (A.8.x) to verify still implemented |
Annually | Full SoA review; update all control statuses and evidence pointers |
After incident | Review relevant controls for adequacy |
After major system change | Update controls affected by the change |
Before certification audit | Full review; ensure all evidence is current and retrievable |
The ISO 27001 Control Mapper is designed to be completed in 5–10 minutes as a focused session. Here is a complete step-by-step guide to using the tool effectively, including how to interpret outputs and integrate them into your broader ISO 27001 program.
Step 1 — Open the Tool
Navigate to the tool at pentesterworld.com/tools/iso-27001-compliance-checker. The workspace loads immediately in your browser with a live counter showing 0 controls mapped and a list of all 8 Annex A controls ready for assessment.
No login is required. No data is collected. The tool is ready to use immediately.
Step 2 — Understand the Control Layout
Each control card in the tool displays:
Field | What It Shows |
|---|---|
Control ID | The Annex A reference (e.g., A.5.1, A.8.8) |
Control Name | The official ISO 27001:2022 control title |
Theme | Organizational or Technological |
Guidance text | A plain-English description of what the control requires |
Select button | Marks the control as mapped in your SoA |
Step 3 — Assess Each Control Against Your ISMS
For each control, ask three questions before selecting it:
Question 1 — Is this control applicable to your ISMS scope? ISO 27001 allows organizations to exclude Annex A controls if there is a documented justification. However, all 8 controls in this tool are broadly applicable to virtually every organization — exclusion of any of these would require a strong, auditable justification.
Question 2 — Is the control implemented? "Implemented" means the control is actively operating, not merely documented in a policy. For example, A.8.2 (Privileged access rights) is only implemented if privileged accounts are actually restricted and monitored — not just if a policy says they should be.
Question 3 — Do you have evidence of implementation? Auditors will ask for evidence. Before marking a control, confirm that evidence exists and is retrievable.
Implementation status definitions:
Status | Definition | SoA Notation |
|---|---|---|
Implemented | Control is fully operational with evidence | ✅ Applicable — Implemented |
Partially implemented | Control exists but has gaps | ⚠️ Applicable — In progress |
Planned | Control not yet implemented; on roadmap | 🔲 Applicable — Planned |
Not applicable | Control excluded with documented justification | ❌ Not applicable — Justified |
Step 4 — Add Implementation Details
For each control you select, add implementation details that an auditor can trace. The tool provides space to note:
Which system, tool, or process delivers the control
Where the evidence is stored
When the control was last reviewed or tested
Example implementation notes per control:
Control | Good Implementation Note |
|---|---|
A.5.1 | "Information Security Policy v2.3, approved by CISO 14 March 2025, stored in Confluence. Annual review due March 2026." |
A.8.2 | "Privileged access managed via CyberArk PAM. Quarterly access reviews completed. Exception register maintained in Jira." |
A.8.8 | "Vulnerability scans run weekly via Tenable Nessus. Critical findings remediated within 72h per SLA. Monthly trending report to CISO." |
A.8.16 | "SIEM deployed (Splunk). 24/7 alert monitoring by SOC. Playbooks reviewed quarterly. Last tabletop: November 2024." |
Step 5 — Track Your Mapping Progress
The live counter at the top of the tool updates as you select controls, showing:
X controls mapped (out of 8 shown)Use this as a quick-reference indicator for your session. A complete mapping session should result in all 8 controls having either a selected status with implementation notes, or a documented exclusion justification.
Step 6 — Export via "Copy Mapping"
Click the "Copy mapping" button to export your current control mapping state to the clipboard. Paste this output into:
Your Statement of Applicability document (the ISO 27001 SoA is a mandatory deliverable)
An internal ISMS control register spreadsheet
A risk treatment plan document
A pre-audit briefing pack for your certification body
A board-level security report showing ISMS implementation progress
Step 7 — Iterate as Your ISMS Matures
ISO 27001 is a continual improvement framework — your control mapping is never "done." Revisit this tool when:
You complete implementation of a previously planned control
A significant organizational change occurs (new product, new geography, merger)
An internal audit identifies a control gap
A new risk is identified that requires additional controls
Your certification body issues a nonconformity during a surveillance audit
Recommended review cadence:
Trigger | Recommended Action |
|---|---|
Quarterly | Quick pass on Technological controls (A.8.x) to verify still implemented |
Annually | Full SoA review; update all control statuses and evidence pointers |
After incident | Review relevant controls for adequacy |
After major system change | Update controls affected by the change |
Before certification audit | Full review; ensure all evidence is current and retrievable |