ISO 27001 Readiness Assessment: How Close Are You to Stage 1?
Score your ISMS across all four Annex A 2022 themes in 60 seconds. Get a prioritized gap analysis and an estimate of weeks to Stage 1.
How This ISO 27001 Readiness Assessment Works
This 8-question assessment maps your current ISMS against the four Annex A 2022 themes: Organizational, People, Physical, and Technological. The questions cover information security policies, risk assessment and treatment, asset inventory, awareness training, physical access, access management with MFA, cryptography, and centralized logging plus incident response. The output gives you a percentage readiness score, a status flag for every theme, a prioritized gap list ranked by Stage 1 audit severity, and a directional estimate of remediation weeks before you are ready for documentation review.
The Four Annex A 2022 Themes Explained
| Theme | Control count | What auditors look for |
|---|---|---|
| Organizational | 37 | Policies, supplier security, threat intelligence, identity governance |
| People | 8 | Screening, NDAs, remote working, awareness training, disciplinary process |
| Physical | 14 | Perimeters, entry controls, clear desk, equipment maintenance and disposal |
| Technological | 34 | Access control, cryptography, secure dev, logging, network security |
The 2022 version of Annex A consolidated the 114 controls in the 2013 standard down to 93. Eleven controls are net new: threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and information security for use of cloud services. Programs still running on the 2013 mapping had to transition by 31 October 2025 or risk their certificate lapsing, so first-time programs should align directly to 2022 and not waste time on legacy crosswalks. The clause structure (Clauses 4 to 10) is unchanged, so management-system work on context, leadership, planning, support, operation, performance evaluation, and improvement carries directly across versions.
What "Audit-Ready" Actually Means
- 75 percent or higher: Strong foundation. Most policies, controls, and processes exist. Focus on polish, evidence quality, and internal audit before scheduling Stage 1. Realistic timeline: 2 to 4 weeks of remediation.
- 50 to 74 percent: Meaningful progress with material gaps. Expect 4 to 8 weeks of focused remediation. Prioritize critical-severity gaps first, because Stage 1 will flag them as findings.
- Below 50 percent: Significant build still needed. Plan for 8 to 16 weeks of remediation, often staged. Policies and the risk treatment plan typically come first, then technical controls, then awareness training and management review.
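As an added example (not Hicomply's scoring logic, and not code from the original page), the following Python script implements the assessment mechanics described above: eight yes/no questions mapped to the four themes, a percentage score, a status flag per theme, a gap list ranked by Stage 1 severity, and the remediation-week bands from the list. The question identifiers, the theme each maps to, and the severity assigned to each question are assumptions chosen for illustration; the bands and week ranges are the ones the page states.

```python
"""Readiness scoring in the style the page describes (added example).

Question ids, theme mapping and severities below are illustrative assumptions,
not Hicomply's actual question set. Score bands and week ranges follow the page.
"""
from dataclasses import dataclass

# (question id, Annex A 2022 theme, assumed Stage 1 severity if answered "no")
QUESTIONS = [
    ("policies", "Organizational", "critical"),
    ("risk_treatment", "Organizational", "critical"),
    ("asset_inventory", "Organizational", "high"),
    ("awareness_training", "People", "high"),
    ("physical_access", "Physical", "medium"),
    ("mfa_access_mgmt", "Technological", "critical"),
    ("cryptography", "Technological", "high"),
    ("logging_ir", "Technological", "high"),
]
THEMES = ("Organizational", "People", "Physical", "Technological")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Result:
    score: int           # percent of questions answered "yes", floored
    theme_status: dict   # theme -> "ready" or "gap"
    gaps: list           # (question id, theme, severity), most severe first
    weeks: tuple         # (min, max) remediation weeks from the page's bands


def band(score: int) -> tuple:
    """Map a percentage score to the page's remediation-week bands."""
    if score >= 75:
        return (2, 4)
    if score >= 50:
        return (4, 8)
    return (8, 16)


def assess(answers: dict) -> Result:
    """Score a dict of {question id: bool}. Missing answers count as "no"."""
    known = {q for q, _, _ in QUESTIONS}
    unknown = set(answers) - known
    if unknown:
        raise ValueError(f"unknown question ids: {sorted(unknown)}")

    # A question with no answer is treated as a gap, never as credit.
    def passed(q):
        return bool(answers.get(q, False))

    score = 100 * sum(passed(q) for q, _, _ in QUESTIONS) // len(QUESTIONS)

    # A theme is only "ready" when every question mapped to it passes.
    theme_status = {
        theme: "ready" if all(passed(q) for q, t, _ in QUESTIONS if t == theme) else "gap"
        for theme in THEMES
    }

    # Gap list ordered by severity; stable sort keeps question order within a tier.
    gaps = [(q, t, s) for q, t, s in QUESTIONS if not passed(q)]
    gaps.sort(key=lambda g: SEVERITY_RANK[g[2]])

    return Result(score, theme_status, gaps, band(score))


if __name__ == "__main__":
    # Constructed sample: a SaaS company that skipped Physical and has no key management.
    sample = {q: True for q, _, _ in QUESTIONS}
    sample["physical_access"] = False
    sample["cryptography"] = False
    r = assess(sample)
    print(f"score={r.score}% weeks={r.weeks[0]}-{r.weeks[1]}")
    for theme, status in r.theme_status.items():
        print(f"  {theme}: {status}")
    for q, t, s in r.gaps:
        print(f"  gap [{s}] {q} ({t})")
```

Treating an unanswered question as a failure is deliberate: the assessment is meant to surface what you cannot yet evidence, and silently scoring an unknown as a pass would hide exactly the theme an auditor will ask about.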
Common Gaps Across Each Theme
The most common reason first-timers fail Stage 1 is skipping a theme they assumed did not apply. Cloud-native SaaS companies routinely write off the Physical theme on the basis that AWS handles the data center. Auditors disagree. BYOD laptops, home offices, clear desk practices, and equipment disposal all keep Physical controls in scope, even when you have no server room of your own. The People theme is the second blind spot. Awareness training, screening, and disciplinary processes are non-negotiable and frequently informal. The Organizational theme tends to fail on supplier security and threat intelligence, where teams have onboarding paperwork but no continuous review. The Technological theme typically fails on centralized logging across services, cryptography key management, and secure development controls including code review and dependency scanning. Hicomply ships pre-built policy templates aligned to the 2022 standard, automated evidence collection through 75+ integrations, and an Annex A 2022 mapping that flags missing themes before your auditor does.
Closing the Gaps Faster
Three paths exist for ISO 27001 readiness. DIY using spreadsheets and policy templates is the cheapest on paper but typically takes 600 to 1,000 hours and often leaves gaps that only surface as Stage 1 findings. A consultant accelerates the work but adds significant fees and creates dependency on one person's knowledge. A platform-led approach blends automation with structured guidance through every clause and Annex A control. The Annex A policy and standard guide walks through the documentation each control expects, and the six-step certification path shows where remediation fits in the wider program.
Hicomply plans start from £6,995 per year with unlimited users. The platform covers SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA/CPRA, NIST CSF, SOX IT controls, Cyber Essentials, and TX-RAMP. Organizations using the platform are typically audit-ready in 8 to 12 weeks.
How to Use Your Score
The score is a starting point. Take it to your security lead and CTO. Decide which themes to attack first based on which gaps your buyers are flagging in security questionnaires. Then set a realistic Stage 1 target date that accounts for the remediation weeks the assessment estimated, plus the 4 to 6 weeks most certification bodies typically leave between Stage 1 and Stage 2. Pair this assessment with the ISO 27001 cost calculator to size the budget, the SoA builder to map controls to your scope, and the certification timeline tool to lay out phase-by-phase milestones. Book a demo when you are ready to see automated readiness in action.
Frequently Asked Questions
What does an ISO 27001 readiness assessment check?
A readiness assessment evaluates your ISMS against the ISO 27001:2022 clauses and the 93 Annex A controls. It looks at policies, risk treatment, asset inventory, training, physical controls, access management, cryptography, and incident response. The output is a gap list ranked by severity that tells you how much work stands between you and Stage 1.
How long does ISO 27001 readiness take?
Timing depends on your starting maturity. Organizations with existing security policies and a compliance platform are often Stage 1 ready in 8 to 12 weeks. Cold-start companies without tooling typically need 4 to 6 months because ISMS design, risk treatment, and control implementation all need to be built before evidence makes sense.
Can a SaaS company skip the Physical theme?
No. Even fully cloud-hosted companies must address Physical controls. BYOD laptops, home offices, secure equipment disposal, and clear desk policies all apply. The Statement of Applicability must list every Annex A control with a justification for its inclusion or exclusion, and excluding a control purely on the basis that the cloud provider handles it is not a valid justification.
What are the most common ISO 27001 readiness gaps?
The frequent gaps are missing or thin information security policies, no documented risk assessment and treatment plan, no asset inventory, weak quarterly access reviews, no centralized logging across services, and no incident response runbook tested through drills. Awareness training is often informal rather than tracked. These are addressable with proper templates and platform-driven evidence collection.
How does Hicomply accelerate ISO 27001 readiness?
Hicomply provides pre-built policy templates aligned to the 2022 standard, automated evidence collection through 75+ integrations across cloud, identity, and HR tools, and a built-in Statement of Applicability that maps to all 93 Annex A controls. Plans start from £6,995 per year with unlimited users, so internal labor drops from hundreds of hours to tens.