Fifteen questions across the four Annex A themes — Organisational, People, Physical, Technological. Get a maturity score per theme and a written gap report by email. Aligned to the 2022 revision.
ISO 27001:2022 is the international benchmark for Information Security Management Systems. For Malaysian organisations pursuing certification — whether driven by enterprise customer due diligence, BNM-regulated entity expectations, government tender prerequisites, or simply the ambition to mature the cybersecurity function — the practical questions are always the same. Where am I against the standard? What is my realistic remediation roadmap? How long will it take to be audit-ready?
This gap checker answers the first question in five minutes. Fifteen carefully chosen questions, calibrated to the four Annex A 2022 themes, are scored to produce a directional maturity level per theme. The output is a maturity score, a written gap report sent to your email, and a recommended next step. It will not replace a full gap assessment, but it will tell you very quickly whether you are six months from audit-ready or eighteen.
This is a free educational tool. nCrypt's own ISO 27001 certification is currently undergoing audit. We deliver formal ISMS readiness, gap assessment and audit-prep support in our own right.
Fifteen questions, five minutes, four maturity tiers. Calibrated to ISO 27001:2022 Annex A.
The 2022 revision restructured Annex A into four themes — Organisational (37 controls), People (8 controls), Physical (14 controls) and Technological (34 controls). The restructuring was not cosmetic. It reflects the modern understanding that an ISMS sits on four legs of governance, human factors, physical environment and technology — and a weakness in any one of them undermines the others.
Organisational covers policies, roles, segregation of duties, contact with authorities, threat intelligence, supplier relationships, ICT readiness for business continuity, cloud services and information classification. The most consequential newly introduced controls in 2022 sit in this theme — A.5.7 threat intelligence and A.5.23 cloud services in particular.
People covers screening, terms and conditions of employment, awareness, education and training, disciplinary process, responsibilities after termination, confidentiality agreements, and remote working. The remote working control (A.6.7) was elevated in 2022 to reflect the post-pandemic reality.
Physical covers physical security perimeters, physical entry, securing offices and rooms, working in secure areas, clear desk, equipment siting, security of off-site assets, storage media, supporting utilities, cabling, equipment maintenance, secure disposal, and the newly introduced physical security monitoring (A.7.4).
Technological is the largest theme — endpoint, identity, access, configuration, change, capacity, malware, vulnerability, logging, monitoring, network, web filtering, cryptography, secure development, secure deployment, separation of environments, test data, data masking, data leakage prevention, backup, redundancy, ICT readiness for business continuity, and information deletion. Several of the 11 newly introduced controls in 2022 sit here.
ISO 27001:2022 is the latest revision of the international standard for Information Security Management Systems. The most visible change from the 2013 edition is the Annex A control set — restructured from the previous 14 control domains and 114 controls into four themes (Organisational, People, Physical, Technological) and 93 controls, with 11 newly introduced controls covering threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Organisations certified to the 2013 standard had until October 2025 to transition to the 2022 edition.
No. The tool does not replace a formal gap assessment; it is a 15-question directional gap check that maps your current state to the four Annex A themes and emails you a written gap report. A formal gap assessment ahead of a certification audit involves an evidence-based review against all 93 controls and the ISO 27001 management clauses (Clauses 4-10), interviews with control owners, and an assessor's professional judgement on adequacy. Treat the tool as a fast directional check before commissioning a formal gap assessment.
nCrypt's own ISO 27001 certification is currently undergoing audit. We deliver ISMS readiness, gap assessment and audit-prep support to Malaysian customers today, and we apply the same controls discipline internally that we recommend externally.
Information security managers, ISMS leads, IT directors, CIOs and CISOs at organisations either pursuing initial ISO 27001 certification, transitioning from the 2013 to the 2022 revision, or maintaining an existing certification and wanting a directional health check between surveillance audits.
Your overall maturity score, your maturity per Annex A theme (Organisational, People, Physical, Technological), the specific Annex A controls most likely to be the gap behind your low-scoring questions, the typical evidence an external assessor would expect to see, and the suggested remediation sequence. The report is generated from your answers and emailed to the address you provide.
The tool above is the directional version. For a full evidence-based assessment scoped to certification audit expectations, we are happy to scope the engagement on a 30-minute call.