Information Security Management — ISO/IEC 27001:2022
ISO 27001:2022 Gap Assessment Tool
A comprehensive self-assessment covering all 93 Annex A controls across 4 themes, plus 23 ISMS clause requirements (Clauses 4–10). Rate each control for applicability, implementation status, and maturity. Generate a Statement of Applicability (SoA) and prioritised gap action plan — ready for certification preparation or internal audit.
93Annex A Controls
4Control Themes
11New 2022 Controls
SoAExport Ready
0 / 93 assessed
◆
Annex A Themes
Controls Assessed
0 / 93
◆
ISMS Clauses
Requirements Assessed
0 / 23
A5
A.5 Organisational Controls
5.1Policies for information security
▼
Standard Requirement
Information security policies shall be defined, approved by management, published, communicated and reviewed at planned intervals.
Evidence to Examine
Signed IS policy; distribution records; review minutes
Audit & Assessment Guidance
Verify a documented IS policy exists, approved at board/executive level. Check it has been communicated to all staff. Confirm review cycle (annually minimum) and evidence of last review.
Applicability
Implementation Status
Maturity Level
5.2Information security roles and responsibilities
▼
Standard Requirement
Information security roles and responsibilities shall be defined and allocated according to the organisation's needs.
Evidence to Examine
RACI matrix; job descriptions with IS responsibilities; org chart
Audit & Assessment Guidance
Confirm ISMS roles are assigned (CISO/ISM, data owner, system owner, incident coordinator). Check role descriptions. Verify no critical role gaps.
Applicability
Implementation Status
Maturity Level
5.3Segregation of duties
▼
Standard Requirement
Conflicting duties and conflicting areas of responsibility shall be segregated.
Evidence to Examine
SOD matrix; access control configuration; workflow approval logs
Audit & Assessment Guidance
Review access controls and approval workflows. Confirm no single person can initiate and approve the same transaction. Check IT SOD (developer ≠ production access).
Applicability
Implementation Status
Maturity Level
5.4Management responsibilities
▼
Standard Requirement
Management shall require all personnel to apply information security in accordance with established policies.
Evidence to Examine
Management security communications; disciplinary records for IS violations
Audit & Assessment Guidance
Confirm management actively enforces security policies. Check evidence of management communications and consequence management for violations.
Applicability
Implementation Status
Maturity Level
5.5Contact with authorities
▼
Standard Requirement
The organisation shall establish and maintain contact with relevant authorities.
Verify documented contacts for law enforcement, data protection regulator, and CERT. Confirm contact details are current and notification processes exist.
Applicability
Implementation Status
Maturity Level
5.6Contact with special interest groups
▼
Standard Requirement
The organisation shall establish and maintain contact with special interest groups.
Verify a threat intelligence process exists with identified sources (OSINT, vendor advisories, ISACs). Check intelligence feeds into risk assessments and control decisions.
Applicability
Implementation Status
Maturity Level
5.8Information security in project management
▼
Standard Requirement
Information security shall be integrated into project management.
Evidence to Examine
Project management framework; security checklist in project templates; PIR records
Audit & Assessment Guidance
Review project methodology to confirm security requirements are assessed at initiation. Verify security sign-off is required before go-live.
Applicability
Implementation Status
Maturity Level
5.9Inventory of information and other associated assets
▼
Standard Requirement
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Evidence to Examine
Asset register; owner assignments; last review date
Audit & Assessment Guidance
Verify an asset register exists covering information assets, hardware, software, and services. Confirm owners are assigned and inventory is current.
Applicability
Implementation Status
Maturity Level
5.10Acceptable use of information and other associated assets
▼
Standard Requirement
Rules for the acceptable use of information and other associated assets shall be identified, documented and implemented.
Evidence to Examine
Acceptable use policy; staff acknowledgement records; BYOD policy
Audit & Assessment Guidance
Confirm an acceptable use policy (AUP) exists covering email, internet, devices, and data. Verify staff have acknowledged it.
Applicability
Implementation Status
Maturity Level
5.11Return of assets
▼
Standard Requirement
Personnel and other interested parties shall return all organisational assets upon change or termination.
Evidence to Examine
Offboarding checklist; asset return receipts; leaver records
Audit & Assessment Guidance
Verify offboarding process includes asset return checklist. Check recent termination records for asset returns (laptops, tokens, badges, keys).
Applicability
Implementation Status
Maturity Level
5.12Classification of information
▼
Standard Requirement
Information shall be classified according to the organisation's information security needs.
Evidence to Examine
Classification policy; scheme document; sample of labelled documents
Audit & Assessment Guidance
Confirm a classification scheme exists (e.g., Public/Internal/Confidential/Restricted). Verify information assets are classified in practice.
Applicability
Implementation Status
Maturity Level
5.13Labelling of information
▼
Standard Requirement
An appropriate set of procedures for information labelling shall be developed and implemented.
Evidence to Examine
Labelling procedures; DLP tool configuration; sample labelled documents and emails
Audit & Assessment Guidance
Verify procedures for applying classification labels to documents, emails, and data stores. Check consistency of labelling in practice.
Applicability
Implementation Status
Maturity Level
5.14Information transfer
▼
Standard Requirement
Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities.
Evidence to Examine
Data transfer policy; email encryption config; secure FTP setup; data sharing agreements
Audit & Assessment Guidance
Confirm policies govern data transferred internally and externally. Check email encryption, secure file transfer, and NDAs/data transfer agreements with third parties.
Applicability
Implementation Status
Maturity Level
5.15Access control
▼
Standard Requirement
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
Evidence to Examine
Access control policy; IAM procedures; JML process; access review records
Audit & Assessment Guidance
Verify access control policy exists aligned to least privilege and need-to-know. Check user provisioning/deprovisioning procedures. Review access review frequency.
Applicability
Implementation Status
Maturity Level
5.16Identity management
▼
Standard Requirement
The full lifecycle of identities shall be managed.
Evidence to Examine
Identity management procedures; unique account policy; PAM records
Audit & Assessment Guidance
Confirm procedures cover identity creation, modification, and deletion. Check identities are unique (no shared accounts). Verify privileged identities are separately managed.
Applicability
Implementation Status
Maturity Level
5.17Authentication information
▼
Standard Requirement
Allocation and management of authentication information shall be controlled by a management process.
Evidence to Examine
Password policy; MFA configuration evidence; default credential change records
Audit & Assessment Guidance
Verify password policy meets minimum requirements (length, complexity, history). Check MFA is enforced for remote access and privileged accounts. Confirm default credentials are changed.
Applicability
Implementation Status
Maturity Level
5.18Access rights
▼
Standard Requirement
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed.
Review access request and approval workflow. Confirm access is reviewed at planned intervals (quarterly/annually). Verify access is revoked promptly on departure.
Applicability
Implementation Status
Maturity Level
5.19Information security in supplier relationships
▼
Standard Requirement
Processes and procedures to manage the information security risks associated with the use of suppliers' products or services shall be defined and implemented.
Confirm a supplier security policy exists. Verify security requirements are included in supplier contracts. Check supplier assessment process.
Applicability
Implementation Status
Maturity Level
5.20Addressing information security within supplier agreements
▼
Standard Requirement
Relevant information security requirements shall be established and agreed with each supplier.
Evidence to Examine
Supplier contracts with security schedules; SLA monitoring records; right-to-audit clauses
Audit & Assessment Guidance
Review a sample of supplier contracts. Confirm security clauses cover data protection, access controls, incident notification, right-to-audit, and subcontractor management.
Applicability
Implementation Status
Maturity Level
5.21Managing information security in the ICT supply chain
▼
Standard Requirement
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
5.22Monitoring, review and change management of supplier services
▼
Standard Requirement
The organisation shall regularly monitor, review and manage changes to supplier information security practices and service delivery.
Evidence to Examine
Supplier review meeting minutes; supplier KPI dashboards; change notification records
Audit & Assessment Guidance
Confirm supplier performance reviews include security metrics. Verify process for managing security-impacting changes from suppliers. Check supplier incident notification records.
Applicability
Implementation Status
Maturity Level
5.23Information security for use of cloud services
NEW 2022
▼
Standard Requirement
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security requirements.
Verify a cloud security policy exists. Check cloud service risk assessments are conducted before adoption. Confirm data residency, encryption, and exit procedures are addressed.
Applicability
Implementation Status
Maturity Level
5.24Information security incident management planning and preparation
▼
Standard Requirement
The organisation shall plan and prepare for managing information security incidents by defining, establishing and communicating incident management processes, roles and responsibilities.
Evidence to Examine
Incident response plan; RACI for IR; contact lists; tabletop exercise records
Audit & Assessment Guidance
Confirm an incident response plan (IRP) exists with defined roles, escalation paths, and communication procedures. Verify the plan has been tested.
Applicability
Implementation Status
Maturity Level
5.25Assessment and decision on information security events
▼
Standard Requirement
The organisation shall assess information security events and decide if they are to be categorised as information security incidents.
Evidence to Examine
Event classification criteria; triage process documentation; event log samples
Audit & Assessment Guidance
Verify an event triage process exists with clear criteria for escalating events to incidents. Check all events are logged and assessed.
Applicability
Implementation Status
Maturity Level
5.26Response to information security incidents
▼
Standard Requirement
Information security incidents shall be responded to in accordance with the documented procedures.
Review a sample of past incidents to confirm they were handled per the IRP. Check evidence of containment, eradication, recovery, and lessons learned.
Applicability
Implementation Status
Maturity Level
5.27Learning from information security incidents
▼
Standard Requirement
Knowledge gained from information security incidents shall be used to strengthen and improve information security controls.
Evidence to Examine
Post-incident review reports; risk register updates; control improvement records
Audit & Assessment Guidance
Confirm a lessons-learned process feeds back into risk assessments and control improvements. Check recurring incident types have resulted in permanent control changes.
Applicability
Implementation Status
Maturity Level
5.28Collection of evidence
▼
Standard Requirement
The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Evidence to Examine
Evidence handling procedures; log retention policy; chain of custody forms
Audit & Assessment Guidance
Verify forensic evidence handling procedures exist. Confirm chain of custody process. Check log retention periods are sufficient to support investigations.
Applicability
Implementation Status
Maturity Level
5.29Information security during disruption
▼
Standard Requirement
The organisation shall plan how to maintain information security at an appropriate level during disruption.
Evidence to Examine
BCP/DRP documentation; security controls in DR environment; DR test records with security validation
Audit & Assessment Guidance
Confirm BCP/DRP includes information security requirements. Verify security controls are maintained in DR scenarios. Check failover security configuration.
Applicability
Implementation Status
Maturity Level
5.30ICT readiness for business continuity
NEW 2022
▼
Standard Requirement
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Evidence to Examine
RTO/RPO definitions; DR procedures; recovery test reports with results vs objectives
Audit & Assessment Guidance
Verify RTO/RPO requirements are defined. Confirm ICT recovery capabilities meet business requirements. Check recovery tests have been conducted and results documented.
Applicability
Implementation Status
Maturity Level
5.31Legal, statutory, regulatory and contractual requirements
▼
Standard Requirement
Legal, statutory, regulatory and contractual requirements relevant to information security shall be identified, documented and kept up to date.
Evidence to Examine
Legal and regulatory register; compliance calendar; legal review records
Audit & Assessment Guidance
Confirm a legal register exists covering data protection laws, sector regulations, and contractual requirements. Verify it is maintained and reviewed for changes.
Applicability
Implementation Status
Maturity Level
5.32Intellectual property rights
▼
Standard Requirement
The organisation shall implement appropriate procedures to protect intellectual property rights.
Evidence to Examine
Software asset management records; licence register; employment contracts with IP clause
Audit & Assessment Guidance
Verify software licence management process. Check unlicensed software is prohibited. Confirm IP ownership is addressed in employment contracts.
Applicability
Implementation Status
Maturity Level
5.33Protection of records
▼
Standard Requirement
Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release.
Evidence to Examine
Records management policy; retention schedule; secure destruction records; access controls on records
Audit & Assessment Guidance
Confirm records management policy covers retention periods, storage requirements, and destruction procedures. Verify records are protected against tampering.
Applicability
Implementation Status
Maturity Level
5.34Privacy and protection of personal information
▼
Standard Requirement
The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of personal information.
Evidence to Examine
Privacy policy; DPIA records; data subject request procedures; DPO appointment
Audit & Assessment Guidance
Verify a privacy policy and data protection compliance programme exist. Check DPIAs are conducted. Confirm DPO appointed if required.
Applicability
Implementation Status
Maturity Level
5.35Independent review of information security
▼
Standard Requirement
The organisation's approach to managing information security and its implementation shall be reviewed independently at planned intervals.
Confirm independent reviews (internal audit, external assessment) of the ISMS are conducted. Verify findings are tracked and remediated.
Applicability
Implementation Status
Maturity Level
5.36Compliance with policies, rules and standards
▼
Standard Requirement
Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
Evidence to Examine
Compliance review reports; non-compliance records and remediation; management review minutes
Audit & Assessment Guidance
Verify compliance reviews are conducted for information security policies. Check non-compliance is escalated and remediated. Confirm management review includes compliance status.
Applicability
Implementation Status
Maturity Level
5.37Documented operating procedures
▼
Standard Requirement
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
Evidence to Examine
IT operations procedures; document management system with version control; procedure review records
Audit & Assessment Guidance
Confirm documented procedures exist for key IT operations (backups, patch management, user administration, incident response). Verify procedures are accessible and current.
Applicability
Implementation Status
Maturity Level
A6
A.6 People Controls
6.1Screening
▼
Standard Requirement
Background verification checks on all candidates for employment shall be carried out prior to joining the organisation and on an ongoing basis.
Confirm pre-employment screening policy exists. Verify checks include identity, employment history, qualifications, and criminal record (where legally permissible). Check enhanced screening for privileged roles.
Applicability
Implementation Status
Maturity Level
6.2Terms and conditions of employment
▼
Standard Requirement
Employment contracts shall state the personnel's and the organisation's responsibilities for information security.
Evidence to Examine
Employment contract templates; signed contracts; confidentiality agreement templates
Audit & Assessment Guidance
Review employment contract templates. Confirm they include information security responsibilities, confidentiality obligations, data protection requirements, and acceptable use acknowledgement.
Applicability
Implementation Status
Maturity Level
6.3Information security awareness, education and training
▼
Standard Requirement
Personnel and relevant interested parties shall receive appropriate information security awareness, education and training.
Evidence to Examine
Training programme records; completion statistics; phishing simulation results; role-based training requirements
Audit & Assessment Guidance
Verify a security awareness programme exists with defined training requirements by role. Check completion rates. Confirm training covers phishing, social engineering, password security, and data handling.
Applicability
Implementation Status
Maturity Level
6.4Disciplinary process
▼
Standard Requirement
A formal and communicated disciplinary process shall exist to take action against personnel who have committed an information security policy violation.
Evidence to Examine
HR disciplinary policy with IS violations; communication records; anonymised disciplinary records
Audit & Assessment Guidance
Confirm HR disciplinary process includes information security violations. Verify process is communicated to all staff. Check past violations have been handled consistently.
Applicability
Implementation Status
Maturity Level
6.5Responsibilities after termination or change of employment
▼
Standard Requirement
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated and enforced.
Evidence to Examine
Post-employment clauses in contracts; offboarding checklist; access revocation records
Audit & Assessment Guidance
Verify post-employment confidentiality obligations are in employment contracts. Check offboarding process communicates continuing obligations. Verify access is revoked on termination.
Applicability
Implementation Status
Maturity Level
6.6Confidentiality or non-disclosure agreements
▼
Standard Requirement
Confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information shall be identified, documented, regularly reviewed and signed.
Evidence to Examine
NDA templates; signed NDA register; third-party NDA records; review date of agreement templates
Audit & Assessment Guidance
Confirm NDA/confidentiality agreements are used for employees, contractors, and third parties with access to sensitive information. Verify agreements are current and signed.
Applicability
Implementation Status
Maturity Level
6.7Remote working
▼
Standard Requirement
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.
Verify remote working policy exists. Check controls include VPN, encrypted devices, secure Wi-Fi requirements, and clear screen/desk policy. Verify MDM for remote devices.
Applicability
Implementation Status
Maturity Level
6.8Information security event reporting
▼
Standard Requirement
The organisation shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Confirm staff know how to report security events. Verify reporting mechanisms (helpdesk, email, hotline). Check all reports are acknowledged and tracked.
Applicability
Implementation Status
Maturity Level
A7
A.7 Physical Controls
7.1Physical security perimeters
▼
Standard Requirement
Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
Evidence to Examine
Site floor plan with security zones; physical security policy; site survey records
Audit & Assessment Guidance
Verify physical security zones are defined (public, reception, office, data centre). Confirm perimeter security controls are proportionate to risk of each area.
Applicability
Implementation Status
Maturity Level
7.2Physical entry
▼
Standard Requirement
Secure areas shall be protected by appropriate entry controls and access points.
Evidence to Examine
Access control system records; visitor log; entry control procedures; CCTV at entry points
Physical security for offices, rooms and facilities shall be designed and implemented.
Evidence to Examine
Office security assessment; server room access logs; clean desk policy; physical security audit records
Audit & Assessment Guidance
Verify offices housing sensitive equipment or information have appropriate physical security (locked doors, clean desk). Check server room/data centre access controls.
Applicability
Implementation Status
Maturity Level
7.4Physical security monitoring
NEW 2022
▼
Standard Requirement
Premises shall be continuously monitored for unauthorised physical access.
Evidence to Examine
CCTV coverage map; recording retention configuration; alarm system test records; monitoring procedures
Audit & Assessment Guidance
Verify CCTV covers all entry/exit points and sensitive areas. Confirm recordings are retained appropriately (typically 30–90 days). Check intruder alarm system is in place and tested.
Applicability
Implementation Status
Maturity Level
7.5Protecting against physical and environmental threats
▼
Standard Requirement
Protection against physical and environmental threats, such as natural disasters, malicious attack or accidents shall be designed and implemented.
Evidence to Examine
Environmental controls documentation; UPS/generator test records; fire suppression system maintenance; environmental monitoring alerts
Audit & Assessment Guidance
Verify controls exist for environmental threats (flood, fire, temperature). Check UPS and generator provision. Confirm fire suppression system in server rooms. Review environmental monitoring.
Applicability
Implementation Status
Maturity Level
7.6Working in secure areas
▼
Standard Requirement
Security measures for working in secure areas shall be designed and implemented.
Evidence to Examine
Secure area working procedures; access control records; clean desk compliance records
Audit & Assessment Guidance
Confirm procedures govern behaviour in secure areas (no photography, clean desk, no unauthorised visitors). Check secure area access is restricted to authorised personnel.
Applicability
Implementation Status
Maturity Level
7.7Clear desk and clear screen
▼
Standard Requirement
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and implemented.
Evidence to Examine
Clear desk/screen policy; screen lock configuration; compliance spot-check records
Audit & Assessment Guidance
Verify clear desk and screen policies exist. Check compliance through spot-checks or audit records. Confirm screen lock is configured on all workstations.
Applicability
Implementation Status
Maturity Level
7.8Equipment siting and protection
▼
Standard Requirement
Equipment shall be sited securely and protected.
Evidence to Examine
Equipment placement policy; data centre specifications; workstation placement assessment
Audit & Assessment Guidance
Verify servers and network equipment are appropriately located (temperature controlled, cable management). Check workstations are positioned to prevent shoulder surfing in public areas.
Verify policy governs off-site use of equipment. Confirm laptops and mobile devices are encrypted. Check processes for reporting lost/stolen devices. Verify remote wipe capability.
Applicability
Implementation Status
Maturity Level
7.10Storage media
▼
Standard Requirement
Storage media shall be managed through its lifecycle of acquisition, use, transportation and disposal.
Evidence to Examine
Media management policy; USB control configuration; media destruction certificates; media register
Audit & Assessment Guidance
Confirm removable media policy exists (USB controls, encryption). Verify media destruction records for disposed media. Check media labelling and handling procedures.
Applicability
Implementation Status
Maturity Level
7.11Supporting utilities
▼
Standard Requirement
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Verify UPS provision for critical systems. Check generator capacity and test records. Confirm telecoms/internet redundancy. Review utility failure response procedures.
Applicability
Implementation Status
Maturity Level
7.12Cabling security
▼
Standard Requirement
Cables carrying power or data or supporting information services shall be protected from interception, interference or damage.
Verify network cabling is protected (conduit, locked cabinets, labelled). Check patch panels are in locked cabinets. Confirm power cabling is segregated from network cabling.
Applicability
Implementation Status
Maturity Level
7.13Equipment maintenance
▼
Standard Requirement
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Evidence to Examine
Equipment maintenance schedule; maintenance records; authorised maintainer list; data protection during maintenance procedures
Audit & Assessment Guidance
Verify a maintenance schedule exists for all hardware. Check records of preventive maintenance. Confirm maintenance is by authorised personnel and data is protected during maintenance.
Applicability
Implementation Status
Maturity Level
7.14Secure disposal or re-use of equipment
▼
Standard Requirement
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Evidence to Examine
Equipment disposal policy; data sanitisation procedures; destruction certificates; disposal records log
Audit & Assessment Guidance
Confirm data sanitisation process exists before equipment disposal or re-use. Check certificates of destruction for hard drives. Verify NIST 800-88 or equivalent standard is applied.
Applicability
Implementation Status
Maturity Level
A8
A.8 Technological Controls
8.1User endpoint devices
▼
Standard Requirement
Information stored on, processed by or accessible via user endpoint devices shall be protected.
Confirm privileged access is restricted to named individuals with documented justification. Check PAM solution is deployed. Verify privileged accounts are reviewed quarterly. Confirm privileged sessions are logged.
Applicability
Implementation Status
Maturity Level
8.3Information access restriction
▼
Standard Requirement
Access to information and application system functions shall be restricted in accordance with the established access control policy.
Verify role-based access control is implemented. Check access is based on need-to-know. Confirm access restrictions are enforced at application and database level.
Applicability
Implementation Status
Maturity Level
8.4Access to source code
▼
Standard Requirement
Read and write access to source code, development tools and software libraries shall be appropriately managed.
Confirm source code repositories have access controls restricting who can read, write, and merge code. Check production access is restricted to operations. Verify code review requirements.
Applicability
Implementation Status
Maturity Level
8.5Secure authentication
▼
Standard Requirement
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the access control policy.
Verify MFA is enforced for all remote access, privileged accounts, and sensitive applications. Check password policy meets requirements. Confirm session timeout is configured.
Applicability
Implementation Status
Maturity Level
8.6Capacity management
▼
Standard Requirement
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Confirm capacity monitoring is in place for servers, networks, and storage. Check capacity thresholds trigger alerts. Verify capacity planning reviews are conducted.
Applicability
Implementation Status
Maturity Level
8.7Protection against malware
▼
Standard Requirement
Protection against malware shall be implemented and supported by appropriate user awareness.
Verify anti-malware is deployed on all endpoints and servers. Check definitions are automatically updated. Confirm email and web filtering include anti-malware scanning. Review malware incident records.
Applicability
Implementation Status
Maturity Level
8.8Management of technical vulnerabilities
▼
Standard Requirement
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure evaluated and appropriate measures taken.
Confirm a vulnerability management programme exists with regular scanning. Check patch SLAs by severity (Critical: 7 days, High: 30 days). Verify remediation tracking. Confirm penetration testing is conducted.
Applicability
Implementation Status
Maturity Level
8.9Configuration management
NEW 2022
▼
Standard Requirement
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Verify a CMDB or equivalent exists. Check security baselines (CIS benchmarks or equivalent) are applied. Confirm deviations from baseline require approval.
Applicability
Implementation Status
Maturity Level
8.10Information deletion
NEW 2022
▼
Standard Requirement
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Evidence to Examine
Data retention and deletion policy; retention schedule; deletion execution records; automated deletion tool configuration
Audit & Assessment Guidance
Confirm data retention and deletion policy exists with defined retention periods. Verify deletion is performed when retention period expires. Check automated deletion tools or manual processes.
Applicability
Implementation Status
Maturity Level
8.11Data masking
NEW 2022
▼
Standard Requirement
Data masking shall be used in accordance with the organisation's access control policy and other related policies, and business requirements, taking applicable legislation into consideration.
Evidence to Examine
Data masking policy; masking tool configuration; test environment data validation; non-production data handling records
Audit & Assessment Guidance
Verify sensitive data (PII, payment data) is masked or pseudonymised in non-production environments. Check data masking tools are deployed. Confirm masking is applied before data is provided to development/test teams.
Applicability
Implementation Status
Maturity Level
8.12Data leakage prevention
NEW 2022
▼
Standard Requirement
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Evidence to Examine
DLP solution deployment; DLP policy configuration; DLP alert logs; incident records for DLP violations
Audit & Assessment Guidance
Verify DLP controls are deployed covering email, web, removable media, and cloud uploads. Check DLP policies match data classification. Review DLP alert response process.
Applicability
Implementation Status
Maturity Level
8.13Information backup
▼
Standard Requirement
Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.
Evidence to Examine
Backup policy; backup schedule configuration; restoration test records with results; backup success monitoring logs
Audit & Assessment Guidance
Confirm backup policy exists covering frequency, retention, off-site storage, and encryption. Verify backup restoration is tested at least annually. Check backup success rate monitoring.
Applicability
Implementation Status
Maturity Level
8.14Redundancy of information processing facilities
▼
Standard Requirement
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Evidence to Examine
Redundancy design documents; failover test records; HA configuration; RTO/RPO compliance evidence
Audit & Assessment Guidance
Verify redundancy requirements are defined for critical systems (HA, failover, load balancing). Confirm redundancy is implemented and tested. Check RTO/RPO are met in failover tests.
Applicability
Implementation Status
Maturity Level
8.15Logging
▼
Standard Requirement
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Verify logging is enabled for all critical systems covering authentication, access, changes, and errors. Confirm log retention meets requirements. Check log integrity protection. Verify SIEM is deployed.
Applicability
Implementation Status
Maturity Level
8.16Monitoring activities
NEW 2022
▼
Standard Requirement
Networks, systems and applications shall be monitored and anomalies evaluated.
Evidence to Examine
Monitoring platform configuration; alert rules; SOC procedures; incident response time records
Audit & Assessment Guidance
Confirm continuous monitoring of networks, systems, and applications is in place. Verify alerts are generated for anomalous activity. Check SOC or monitoring team coverage and response times.
Applicability
Implementation Status
Maturity Level
8.17Clock synchronisation
▼
Standard Requirement
The clocks of information processing systems used by the organisation shall be synchronised to approved time sources.
Evidence to Examine
NTP configuration on all systems; time synchronisation monitoring; time source documentation
Audit & Assessment Guidance
Verify all systems use NTP with authoritative time sources. Check time synchronisation is monitored. Confirm time zone management for geographically distributed systems.
Applicability
Implementation Status
Maturity Level
8.18Use of privileged utility programs
▼
Standard Requirement
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Confirm privileged utilities (debug tools, OS utilities, admin tools) are restricted to authorised administrators. Check usage is logged. Verify non-admins cannot access privileged utilities.
Applicability
Implementation Status
Maturity Level
8.19Installation of software on operational systems
▼
Standard Requirement
Procedures and measures shall be implemented to securely manage software installation on operational systems.
Evidence to Examine
Software installation policy; application whitelisting configuration; change management records for software installation
Audit & Assessment Guidance
Verify a software installation policy restricts who can install software on production systems. Check application whitelisting is deployed. Confirm change management is required for software installation.
Applicability
Implementation Status
Maturity Level
8.20Networks security
▼
Standard Requirement
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Verify network security policy exists. Check firewalls, IDS/IPS are deployed and configured. Confirm network segmentation separates critical systems. Verify DMZ for internet-facing services.
Applicability
Implementation Status
Maturity Level
8.21Security of network services
▼
Standard Requirement
Security mechanisms, service levels and service requirements of all network services shall be identified, implemented and monitored.
Evidence to Examine
Network service security requirements; service monitoring dashboards; ISP/network provider SLAs with security requirements
Audit & Assessment Guidance
Verify network service agreements include security requirements. Check network services (DNS, DHCP, remote access) are secured and monitored. Confirm service level monitoring is in place.
Applicability
Implementation Status
Maturity Level
8.22Segregation of networks
▼
Standard Requirement
Groups of information services, users and information systems shall be segregated in networks.
Confirm network segmentation is implemented using VLANs, firewalls, or physical separation. Check production, development, and test environments are segregated. Verify guest network is isolated.
Applicability
Implementation Status
Maturity Level
8.23Web filtering
NEW 2022
▼
Standard Requirement
Access to external websites shall be managed to reduce exposure to malicious content.
Evidence to Examine
Web filtering solution deployment; category block list; bypass request process; web filtering logs
Audit & Assessment Guidance
Verify web filtering/proxy is deployed restricting access to malicious and inappropriate sites. Check categories are appropriately configured. Confirm bypass requests are controlled.
Applicability
Implementation Status
Maturity Level
8.24Use of cryptography
▼
Standard Requirement
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Confirm cryptography policy covers approved algorithms, key lengths, and key management. Verify encryption is applied to data at rest and in transit. Check key lifecycle management procedures.
Applicability
Implementation Status
Maturity Level
8.25Secure development lifecycle
▼
Standard Requirement
Rules for the secure development of software and systems shall be established and applied.
Verify an SSDLC policy exists. Check security requirements are defined at design stage. Confirm SAST/DAST tools are used. Verify security testing is conducted before release.
Applicability
Implementation Status
Maturity Level
8.26Application security requirements
▼
Standard Requirement
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Verify security requirements are documented for all application development/procurement. Check OWASP Top 10 is addressed. Confirm security requirements sign-off is required before development starts.
Applicability
Implementation Status
Maturity Level
8.27Secure system architecture and engineering principles
▼
Standard Requirement
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation.
Evidence to Examine
Security architecture principles document; design review records; architecture approval process
Audit & Assessment Guidance
Confirm security architecture principles are documented (defence in depth, least privilege, zero trust). Verify architects apply principles in system design. Check design review process includes security.
Applicability
Implementation Status
Maturity Level
8.28Secure coding
NEW 2022
▼
Standard Requirement
Secure coding principles shall be applied to software development.
Evidence to Examine
Secure coding standards; code review checklists with security items; developer security training records; SAST scan results
Audit & Assessment Guidance
Verify a secure coding standard is documented and communicated to developers. Check code reviews include security checks. Confirm developers receive secure coding training.
Applicability
Implementation Status
Maturity Level
8.29Security testing in development and acceptance
▼
Standard Requirement
Security testing processes shall be defined and implemented in the development and acceptance phases.
Evidence to Examine
Security testing policy; test results for recent releases; defect tracking records; sign-off on security testing before go-live
Audit & Assessment Guidance
Confirm security testing is embedded in the SDLC (unit testing, integration, UAT, pen testing). Check security test results are tracked and remediated before production release.
Applicability
Implementation Status
Maturity Level
8.30Outsourced development
▼
Standard Requirement
The organisation shall direct, monitor and review the activities related to outsourced system development.
Evidence to Examine
Outsourced development contracts with security clauses; code review records; acceptance test results
Audit & Assessment Guidance
Verify contracts with outsourced development partners include security requirements. Check code reviews are conducted on outsourced code. Confirm security testing is required before acceptance.
Applicability
Implementation Status
Maturity Level
8.31Separation of development, test and production environments
▼
Standard Requirement
Development, testing and production environments shall be separated and secured.
Evidence to Examine
Environment separation architecture; data masking in test/dev; change promotion process; access controls per environment
Audit & Assessment Guidance
Confirm development, test, and production environments are physically or logically separated. Verify production data is not used in test/development (or is masked). Check changes move through environments via controlled process.
Applicability
Implementation Status
Maturity Level
8.32Change management
▼
Standard Requirement
Changes to information processing facilities and information systems shall be subject to change management procedures.
Verify a formal change management process exists covering request, assessment, approval, testing, implementation, and post-implementation review. Check all production changes are logged.
Applicability
Implementation Status
Maturity Level
8.33Test information
▼
Standard Requirement
Test information shall be appropriately selected, protected and managed.
Evidence to Examine
Test data management policy; data masking tool outputs; test environment access controls; test data disposal records
Audit & Assessment Guidance
Verify test data is either synthetic or has been anonymised/masked. Confirm access to test environments with real data is restricted. Check test data is disposed of after use.
Applicability
Implementation Status
Maturity Level
8.34Protection of information systems during audit testing
▼
Standard Requirement
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed to minimise disruptions to business processes.
Evidence to Examine
Audit planning documentation; agreed scope and access controls; audit tool controls; post-audit access revocation records
Audit & Assessment Guidance
Confirm IT audit activities are agreed in advance with system owners. Verify read-only access is used where possible. Check audit tools are controlled. Confirm audit activities are logged.
Applicability
Implementation Status
Maturity Level
CL4
Clause 4: Context
4.1Understanding the organisation and its context
▼
Standard Requirement
The organisation shall determine external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of its ISMS.
Evidence to Examine
Context analysis document; PESTLE or SWOT analysis; management review records
Audit & Assessment Guidance
Verify a PESTLE or equivalent analysis has been conducted. Confirm internal and external issues are documented and reviewed. Check linkage to scope and risk assessment.
Applicability
Implementation Status
Maturity Level
4.2Understanding the needs and expectations of interested parties
▼
Standard Requirement
The organisation shall determine interested parties that are relevant to the ISMS and their requirements related to information security.
Evidence to Examine
Interested parties register; requirements analysis; stakeholder communication records
Audit & Assessment Guidance
Confirm interested parties (customers, regulators, staff, partners) are identified. Verify their information security requirements are documented and considered in the ISMS.
Applicability
Implementation Status
Maturity Level
4.3Determining the scope of the ISMS
▼
Standard Requirement
The organisation shall determine the boundaries and applicability of the ISMS to establish its scope.
Evidence to Examine
Scope statement document; scope justification; management approval of scope
Audit & Assessment Guidance
Verify the ISMS scope document is defined, approved, and publicly available. Check scope boundaries are clearly stated and exclusions are justified.
Applicability
Implementation Status
Maturity Level
4.4Information security management system
▼
Standard Requirement
The organisation shall establish, implement, maintain and continually improve an ISMS including the processes needed and their interactions.
Evidence to Examine
ISMS documentation set; process flowcharts; continual improvement log
Audit & Assessment Guidance
Confirm the ISMS is established with documented processes, policies, and procedures. Verify continual improvement mechanisms are in place.
Applicability
Implementation Status
Maturity Level
CL5
Clause 5: Leadership
5.1Leadership and commitment
▼
Standard Requirement
Top management shall demonstrate leadership and commitment with respect to the ISMS.
Evidence to Examine
Management sign-off on ISMS policy; resource allocation records; management review meeting records
Audit & Assessment Guidance
Verify top management is visibly committed to the ISMS. Check information security objectives are aligned to business objectives. Confirm management resources are allocated.
Applicability
Implementation Status
Maturity Level
5.2Policy
▼
Standard Requirement
Top management shall establish an information security policy that is appropriate to the purpose of the organisation.
Evidence to Examine
Signed information security policy; communication evidence; policy review records
Audit & Assessment Guidance
Confirm the information security policy is approved by top management, communicated to all staff, and reviewed at planned intervals.
Applicability
Implementation Status
Maturity Level
5.3Organisational roles, responsibilities and authorities
▼
Standard Requirement
Top management shall ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated.
Evidence to Examine
RACI matrix; role assignment letters; organisational chart with security roles
Audit & Assessment Guidance
Verify all ISMS roles are defined, assigned to named individuals, and communicated. Confirm the CISO or equivalent role has direct access to top management.
Applicability
Implementation Status
Maturity Level
CL6
Clause 6: Planning
6.1Actions to address risks and opportunities
▼
Standard Requirement
The organisation shall plan actions to address risks and opportunities, including information security risk assessment and risk treatment.
Confirm a risk assessment process is defined and applied. Verify a risk register exists with identified risks, owners, likelihood, impact, and treatment decisions.
Applicability
Implementation Status
Maturity Level
6.2Information security objectives
▼
Standard Requirement
The organisation shall establish information security objectives at relevant functions and levels.
Evidence to Examine
Information security objectives document; KPI tracking; management review reports with objectives progress
Audit & Assessment Guidance
Verify measurable information security objectives are defined, communicated, and monitored. Confirm objectives are aligned to the information security policy and business strategy.
Applicability
Implementation Status
Maturity Level
6.3Planning of changes
▼
Standard Requirement
When the organisation determines the need for changes to the ISMS, the changes shall be carried out in a planned manner.
Confirm changes to the ISMS are planned, approved, and reviewed. Verify change management process covers ISMS changes.
Applicability
Implementation Status
Maturity Level
CL7
Clause 7: Support
7.1Resources
▼
Standard Requirement
The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.
Evidence to Examine
ISMS budget allocation; staff resource plan; tool and technology investments
Audit & Assessment Guidance
Verify adequate budget, personnel, and tools are allocated to the ISMS. Check resource adequacy is reviewed in management review.
Applicability
Implementation Status
Maturity Level
7.2Competence
▼
Standard Requirement
The organisation shall ensure that persons doing work under the ISMS are competent on the basis of appropriate education, training or experience.
Evidence to Examine
Competency requirements matrix; training records; certification records (CISSP, CISM, ISO 27001 LA)
Audit & Assessment Guidance
Confirm competency requirements are defined for ISMS roles. Verify training plans address competency gaps. Check certifications and qualifications records.
Applicability
Implementation Status
Maturity Level
7.3Awareness
▼
Standard Requirement
Persons doing work under the organisation's control shall be aware of the information security policy, their contribution to the ISMS, and the implications of not conforming.
Evidence to Examine
Awareness training records; completion rates by department; phishing simulation results
Audit & Assessment Guidance
Verify all staff complete information security awareness training. Check awareness covers the policy, their role, and consequences of non-compliance. Confirm completion tracking.
Applicability
Implementation Status
Maturity Level
7.4Communication
▼
Standard Requirement
The organisation shall determine the need for internal and external communications relevant to the ISMS.
Evidence to Examine
ISMS communication plan; internal security bulletins; external breach notification procedure
Audit & Assessment Guidance
Confirm a communication plan exists for ISMS-related communications (internal security updates, external notifications, regulatory reports). Verify communication channels are defined.
Applicability
Implementation Status
Maturity Level
7.5Documented information
▼
Standard Requirement
The organisation's ISMS shall include documented information required by the standard and determined by the organisation as being necessary for the effectiveness of the ISMS.
Evidence to Examine
Document register; version-controlled documents; document management system; mandatory documents list
Audit & Assessment Guidance
Verify all mandatory ISMS documents are present, controlled, and current. Check document management system. Confirm version control and access controls are applied.
Applicability
Implementation Status
Maturity Level
CL8
Clause 8: Operation
8.1Operational planning and control
▼
Standard Requirement
The organisation shall plan, implement, control and maintain the processes needed to meet information security requirements.
Evidence to Examine
Operational procedures; process execution records; control implementation evidence
Audit & Assessment Guidance
Verify operational processes are documented and followed. Check controls are implemented as planned in the risk treatment plan.
Applicability
Implementation Status
Maturity Level
8.2Information security risk assessment
▼
Standard Requirement
The organisation shall perform information security risk assessments at planned intervals or when significant changes occur.
Evidence to Examine
Risk assessment records with dates; trigger-based reassessment records; risk register last review date
Audit & Assessment Guidance
Confirm risk assessments are conducted at least annually or following significant changes. Verify methodology is consistent. Check risk register is current.
Applicability
Implementation Status
Maturity Level
8.3Information security risk treatment
▼
Standard Requirement
The organisation shall implement the information security risk treatment plan.
Evidence to Examine
Risk treatment plan with implementation status; risk owner acceptance records; treatment tracking log
Audit & Assessment Guidance
Verify risk treatment actions from the risk treatment plan are implemented. Confirm residual risk is accepted by risk owners. Check treatment progress is tracked.
Applicability
Implementation Status
Maturity Level
CL9
Clause 9: Evaluation
9.1Monitoring, measurement, analysis and evaluation
▼
Standard Requirement
The organisation shall evaluate the information security performance and the effectiveness of the ISMS.
Verify security metrics and KPIs are defined and measured. Confirm results are reported to management. Check measurements inform decisions.
Applicability
Implementation Status
Maturity Level
9.2Internal audit
▼
Standard Requirement
The organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS conforms to requirements and is effectively implemented.
Confirm an internal audit programme exists with annual ISMS audits. Verify auditors are independent. Check audit reports and finding tracking.
Applicability
Implementation Status
Maturity Level
9.3Management review
▼
Standard Requirement
Top management shall review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Evidence to Examine
Management review meeting records; agenda and minutes; action tracking; attendance of top management
Audit & Assessment Guidance
Verify management review meetings are held at least annually. Confirm agenda covers all required items (audit results, objectives, risk, incidents). Check minutes and action tracking.
Applicability
Implementation Status
Maturity Level
CL10
Clause 10: Improvement
10.1Continual improvement
▼
Standard Requirement
The organisation shall continually improve the suitability, adequacy and effectiveness of the ISMS.
Confirm a continual improvement process is in place. Verify improvements are identified from audits, incidents, metrics, and management review and tracked to completion.
Applicability
Implementation Status
Maturity Level
10.2Nonconformity and corrective action
▼
Standard Requirement
When a nonconformity occurs, the organisation shall react, take corrective action, and review effectiveness of the corrective action.
Evidence to Examine
Nonconformity log; corrective action records; root cause analysis; effectiveness verification records
Audit & Assessment Guidance
Verify a nonconformity and corrective action process exists. Check all nonconformities are recorded, root cause analysed, corrective actions implemented and verified.
Applicability
Implementation Status
Maturity Level
ISO 27001:2022 Gap Assessment —
—Compliance
—
Calculating…
0Fully Implemented
0Largely Implemented
0Partially Implemented
0Not Implemented
Compliance by Theme
Statement of Applicability (SoA)
Assessed Annex A controls
Control
Name
Status
Applicable
Recommended Action
Prioritised Gap Action Plan
Partially & Not Implemented controls
ISO 27001 Implementation & Audit Support
CTC Global delivers ISO 27001:2022 gap assessments, ISMS implementation advisory, and cybersecurity audit training for organisations seeking certification or maintaining compliance — across Pakistan and UAE.