Security Tools

ISO 27001 Compliance Checker

Check applications for ISO 27001 compliance.

intermediate5-10 minutesRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

0 controls mapped

ISO/IEC 27001:2022 Annex A

Live
Map Annex A controls to your Statement of Applicability. Add implementation details auditors can trace to evidence.

Documentation

How to use this tool, practical use cases, and technical notes.

The ISO 27001 Control Mapper is designed to be completed in 5–10 minutes as a focused session. Here is a complete step-by-step guide to using the tool effectively, including how to interpret outputs and integrate them into your broader ISO 27001 program.

Step 1 — Open the Tool

Navigate to the tool at pentesterworld.com/tools/iso-27001-compliance-checker. The workspace loads immediately in your browser with a live counter showing 0 controls mapped and a list of all 8 Annex A controls ready for assessment.

No login is required. No data is collected. The tool is ready to use immediately.

Step 2 — Understand the Control Layout

Each control card in the tool displays:

Field

What It Shows

Control ID

The Annex A reference (e.g., A.5.1, A.8.8)

Control Name

The official ISO 27001:2022 control title

Theme

Organizational or Technological

Guidance text

A plain-English description of what the control requires

Select button

Marks the control as mapped in your SoA

Step 3 — Assess Each Control Against Your ISMS

For each control, ask three questions before selecting it:

Question 1 — Is this control applicable to your ISMS scope? ISO 27001 allows organizations to exclude Annex A controls if there is a documented justification. However, all 8 controls in this tool are broadly applicable to virtually every organization — exclusion of any of these would require a strong, auditable justification.

Question 2 — Is the control implemented? "Implemented" means the control is actively operating, not merely documented in a policy. For example, A.8.2 (Privileged access rights) is only implemented if privileged accounts are actually restricted and monitored — not just if a policy says they should be.

Question 3 — Do you have evidence of implementation? Auditors will ask for evidence. Before marking a control, confirm that evidence exists and is retrievable.

Implementation status definitions:

Status

Definition

SoA Notation

Implemented

Control is fully operational with evidence

✅ Applicable — Implemented

Partially implemented

Control exists but has gaps

⚠️ Applicable — In progress

Planned

Control not yet implemented; on roadmap

🔲 Applicable — Planned

Not applicable

Control excluded with documented justification

❌ Not applicable — Justified

Step 4 — Add Implementation Details

For each control you select, add implementation details that an auditor can trace. The tool provides space to note:

  • Which system, tool, or process delivers the control

  • Where the evidence is stored

  • When the control was last reviewed or tested

Example implementation notes per control:

Control

Good Implementation Note

A.5.1

"Information Security Policy v2.3, approved by CISO 14 March 2025, stored in Confluence. Annual review due March 2026."

A.8.2

"Privileged access managed via CyberArk PAM. Quarterly access reviews completed. Exception register maintained in Jira."

A.8.8

"Vulnerability scans run weekly via Tenable Nessus. Critical findings remediated within 72h per SLA. Monthly trending report to CISO."

A.8.16

"SIEM deployed (Splunk). 24/7 alert monitoring by SOC. Playbooks reviewed quarterly. Last tabletop: November 2024."

Step 5 — Track Your Mapping Progress

The live counter at the top of the tool updates as you select controls, showing:

X controls mapped  (out of 8 shown)

Use this as a quick-reference indicator for your session. A complete mapping session should result in all 8 controls having either a selected status with implementation notes, or a documented exclusion justification.

Step 6 — Export via "Copy Mapping"

Click the "Copy mapping" button to export your current control mapping state to the clipboard. Paste this output into:

  • Your Statement of Applicability document (the ISO 27001 SoA is a mandatory deliverable)

  • An internal ISMS control register spreadsheet

  • A risk treatment plan document

  • A pre-audit briefing pack for your certification body

  • A board-level security report showing ISMS implementation progress

Step 7 — Iterate as Your ISMS Matures

ISO 27001 is a continual improvement framework — your control mapping is never "done." Revisit this tool when:

  • You complete implementation of a previously planned control

  • A significant organizational change occurs (new product, new geography, merger)

  • An internal audit identifies a control gap

  • A new risk is identified that requires additional controls

  • Your certification body issues a nonconformity during a surveillance audit

Recommended review cadence:

Trigger

Recommended Action

Quarterly

Quick pass on Technological controls (A.8.x) to verify still implemented

Annually

Full SoA review; update all control statuses and evidence pointers

After incident

Review relevant controls for adequacy

After major system change

Update controls affected by the change

Before certification audit

Full review; ensure all evidence is current and retrievable