Free ISO 27001:2022 Readiness Assessment


2-Minute ISO 27001:2022 Readiness Assessment

Are you ready for your audit? Answer these 20 questions to get an instant readiness score and identify your blind spots.

A.5 Organizational Controls: Governance, Risk, and Policy

1. Policies (A.5.1): Do we have a formal set of information security policies that have been approved by top management and communicated to all staff?

2. Roles & Responsibilities (A.5.2): Are information security roles and responsibilities (like a CISO or risk owner) formally defined and assigned?

3. Asset Management (A.5.9): Do we maintain an inventory of all our information assets (e.g., data, hardware, software) with assigned owners?

4. Supplier Risk (A.5.19): Do we have a process to assess and manage the information security risks from our suppliers and vendors?

5. Cloud Security (A.5.23): Do we have a specific process for acquiring, using, and managing the security of our cloud services (e.g., AWS, Azure, Microsoft 365)?

6. Incident Management (A.5.24): Do we have a documented incident response plan that defines what to do and who to call in the event of a security breach?

A.6 People Controls: The Human Firewall and Security Culture

7. Screening (A.6.1): Do we conduct background verification checks for all new employees and contractors, in line with local laws?

8. Awareness Training (A.6.3): Do all staff receive mandatory information security awareness training (including phishing) at least once per year?

9. Remote Working (A.6.7): Do we have a formal remote working policy that defines the security requirements for staff working from home or off-site?

10. Event Reporting (A.6.8): Do all employees know how to immediately report a suspected security event or weakness without fear of blame?

A.7 Physical Controls: Site, Asset, and Hardware Protection

11. Physical Entry (A.7.2): Are sensitive areas (like server rooms or file rooms) protected by entry controls (e.g., access cards, locks) with logging?

12. Clear Desk & Screen (A.7.7): Do we enforce a “clear desk” (for sensitive papers) and “clear screen” (for locking computers) policy?

13. Equipment Disposal (A.7.14): Do we have a secure process to wipe or destroy all data on equipment (e.g., laptops, hard drives) before it is disposed of or re-used?

14. Supporting Utilities (A.7.11): Are critical systems (like servers and network gear) protected from power failures by a UPS or backup generator?

A.8 Technological Controls: Technical IT and Cybersecurity Defenses

15. Endpoint Security (A.8.1): Are all user devices (laptops, mobiles) secured with anti-malware, host-based firewalls, and disk encryption?

16. Privileged Access (A.8.2): Is the use of administrator accounts (e.g., “admin,” “root”) tightly restricted, managed, and monitored?

17. Vulnerability Management (A.8.8): Do we have a formal process to regularly scan for technical vulnerabilities and apply security patches in a timely manner?

18. Backups (A.8.13): Do we take regular backups of critical information, store them securely (ideally off-site or immutable), and periodically test that we can restore them?

19. Logging & Monitoring (A.8.15 / A.8.16): Do we centrally collect and monitor logs from critical systems to detect anomalous behavior and security incidents?

20. Secure Development (A.8.25): If we develop our own software, are information security requirements (like secure coding) integrated into the entire development lifecycle?

Get Your Detailed Readiness Score!

You’re all done! To see your detailed breakdown and receive a Free Gap Analysis Report in your inbox, please provide your details.
