Xeviora Quarterly · Issue No. 14
ISO 27001 Audit Prep · Featured Tool

ISO 27001 Audit Prep AI — ISMS Scope, Risk Register & Annex A Mapping

Stand up an ISMS without staring at a blank page.

Editor's note

Give the tool your organization profile, key assets, and existing controls. It drafts an ISMS scope statement, builds a risk register with treatments, and produces an ISO/IEC 27001:2022 Annex A control mapping plus a remediation plan — the backbone of your certification project.

Tagged

ISO 27001 audit prep·ISO 27001 readiness·ISO 27001 risk register·Annex A controls

§ Section I

How to use ISO 27001 Audit Prep

Three movements
01

Describe your organization and what's in scope

Tell the tool what you build, the stack you run on, the data you hold, and which teams, products, and systems belong inside your ISMS. The scope statement an auditor reads first is only as good as this input, so be concrete about inclusions and exclusions.

02

List your assets and the controls you already have

Paste a quick inventory of key systems and data stores, then describe what you already do for security — SSO, MFA, backups, access reviews, on-call. Honesty here matters: the assessment is more useful when it knows what's informal or missing.

03

Get a structured readiness package

In under a minute you receive a drafted ISMS scope, a risk register mapped to Annex A, an applicability assessment across all four control themes, a readiness score, and a prioritized remediation plan you can hand straight to your team.

§ Section II

Who it's for

Readership · 4 cohorts
No. 01

SaaS founders & security leads

You've been asked for ISO 27001 by an enterprise prospect and need to know the real distance to certification before you commit budget. The readiness score and gap list turn a vague 'we should get certified' into a concrete plan.

No. 02

ISMS managers

You own the management system day to day and need to keep the risk register, SoA, and remediation backlog current. Re-run the assessment after each scope change to catch drift before the surveillance audit does.

No. 03

CTOs & engineering leaders

You want to understand the engineering cost of certification — which Technological controls (A.8) are already covered by your stack and which need new work — without sitting through a week of consultant discovery calls.

No. 04

vCISOs & compliance consultants

You run readiness across multiple clients and want a fast, consistent first pass that maps free-text context onto Annex A. Use it to draft the initial gap analysis, then spend your billable hours on judgment and remediation instead of data entry.

§ Section III

Frequently asked

6 entries
Q.01 Which version of ISO 27001 does this tool use?
A.01

ISO/IEC 27001:2022, the current revision. Its Annex A consolidates the control set into 93 controls grouped under four themes — Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The tool maps your risks to these 2022 references, not the retired 2013 numbering.

Q.02 Does this replace a certification audit or a consultant?
A.02

No. It's a fast readiness assessment that shows you where you stand and what to fix first. Certification still requires an accredited certification body to run a Stage 1 and Stage 2 audit. Many teams use this output to brief a consultant or auditor more efficiently — and to avoid paying for hours of basic gap analysis.

Q.03 What is the Statement of Applicability and does the tool produce one?
A.03

The Statement of Applicability (SoA, clause 6.1.3 d) records which Annex A controls apply, their status, and the justification for including or excluding each one. The tool generates the applicability assessment that feeds your SoA — you review it, adjust the judgments, and formalize the document.
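To make the structure behind Q.01 and Q.03 concrete, here is an added example (not the tool's own code) of a risk register whose treatments reference Annex A controls, a check that every reference uses the 2022 numbering (four themes A.5–A.8, 93 controls), and a skeleton SoA built from that register. The sample risks, the implemented-control set, the exclusion justification and the three status labels ("implemented", "planned", "not assessed") are constructed assumptions for illustration; the applicability and justification columns are the ones a reviewer would adjust before formalizing the document.

```python
from dataclasses import dataclass
import re

# ISO/IEC 27001:2022 Annex A layout: four themes, 93 controls in total
# (37 + 8 + 14 + 34). Theme number -> (theme name, number of controls).
ANNEX_A_THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}
CONTROL_RE = re.compile(r"^A\.(\d+)\.(\d+)$")


def is_valid_2022_control(ref: str) -> bool:
    """True only for references that exist in the 2022 Annex A numbering.
    Three-part refs (A.9.2.3) and themes outside A.5-A.8 are 2013-style and rejected."""
    m = CONTROL_RE.match(ref)
    if not m:
        return False
    theme, num = int(m.group(1)), int(m.group(2))
    return theme in ANNEX_A_THEMES and 1 <= num <= ANNEX_A_THEMES[theme][1]


def all_2022_controls() -> list[str]:
    return [f"A.{t}.{i}" for t, (_, n) in ANNEX_A_THEMES.items() for i in range(1, n + 1)]


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str          # mitigate / accept / transfer / avoid
    controls: list[str]     # Annex A references chosen as the treatment


def invalid_references(risks: list[Risk]) -> list[tuple[str, str]]:
    """(risk_id, ref) for every control reference that is not a 2022 Annex A control."""
    return [(r.risk_id, c) for r in risks for c in r.controls if not is_valid_2022_control(c)]


def build_soa(risks: list[Risk], implemented: set[str], exclusions: dict[str, str]) -> dict:
    """Skeleton Statement of Applicability: one row per 2022 control with applicability,
    status and justification. `implemented` holds controls already in place; `exclusions`
    maps a control to the reason it does not apply. Status labels are assumed, not standard."""
    referenced: dict[str, list[str]] = {}
    for r in risks:
        for c in r.controls:
            referenced.setdefault(c, []).append(r.risk_id)
    soa = {}
    for ref in all_2022_controls():
        if ref in exclusions:
            soa[ref] = {"applicable": False, "status": "not applicable",
                        "justification": exclusions[ref], "risks": []}
            continue
        if ref in implemented:
            status = "implemented"
        elif ref in referenced:
            status = "planned"       # chosen as a risk treatment but not yet in place
        else:
            status = "not assessed"  # applicable by default; needs a decision before audit
        soa[ref] = {"applicable": True, "status": status,
                    "justification": "risk treatment" if ref in referenced else "baseline",
                    "risks": referenced.get(ref, [])}
    return soa


def theme_coverage(soa: dict) -> dict[str, tuple[int, int]]:
    """Per theme: (controls implemented, controls applicable)."""
    out = {}
    for t, (name, n) in ANNEX_A_THEMES.items():
        refs = [f"A.{t}.{i}" for i in range(1, n + 1)]
        applicable = [r for r in refs if soa[r]["applicable"]]
        done = [r for r in applicable if soa[r]["status"] == "implemented"]
        out[name] = (len(done), len(applicable))
    return out


# Constructed sample input: two well-formed risks and one copied from a 2013-era gap sheet.
SAMPLE_RISKS = [
    Risk("R-01", "Lost or stolen laptop exposes customer data", "mitigate", ["A.7.9", "A.8.1"]),
    Risk("R-02", "Accounts of leavers remain active", "mitigate", ["A.5.18", "A.6.5"]),
    Risk("R-03", "Copied from an old 2013 gap sheet", "mitigate", ["A.9.2.3", "A.8.99"]),
]
SAMPLE_IMPLEMENTED = {"A.5.18", "A.8.1"}  # assumed: SSO-backed access reviews, managed endpoints
SAMPLE_EXCLUSIONS = {"A.7.4": "No office premises; fully remote, cloud-hosted infrastructure"}

if __name__ == "__main__":
    print("Invalid references:", invalid_references(SAMPLE_RISKS))
    soa = build_soa(SAMPLE_RISKS, SAMPLE_IMPLEMENTED, SAMPLE_EXCLUSIONS)
    for theme, (done, applicable) in theme_coverage(soa).items():
        print(f"{theme}: {done}/{applicable} applicable controls implemented")
```

The numbering check is the part worth keeping even if you discard the rest: a register that still carries 2013-style references (A.9.x.y, A.12.x.y) will not line up with a 2022 SoA, and an auditor will notice before you do.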

Q.04 How much does it cost to run?
A.04

Each assessment costs 10 credits. New accounts start with 10 free credits, so your first run is on us. There's no per-seat license and no commitment — run it again whenever your scope or controls change.

Q.05 Is ISO 27001 just a control checklist?
A.05

No, and that's where many teams underestimate it. ISO 27001 is a management system. Beyond Annex A controls, you need a defined scope, a risk assessment and treatment plan, an SoA, internal audits, and management reviews (clauses 4–10). The tool flags these management-system gaps, which are the most common reasons a Stage 2 audit stalls.

Q.06 Can I use the output for client security questionnaires?
A.06

Partly. The readiness summary and control status give you a clear, organized view you can draw on when answering vendor security reviews. For a customer-facing assurance artifact, though, an actual certificate or a SOC 2 report carries more weight — this tool gets you to that point faster.

— Fin —

Set in Fraunces & Plex