From a conversation to compliance artefacts.
No spreadsheet to start from. You answer questions about your business; we map them to all 93 ISO 27001 controls.
Five steps, no jargon
The whole point is to meet you where you are. Here’s the path from your first answer to a clear improvement plan.
1. Answer plain-English questions
You work through around 20 short questions about how your business actually operates — hiring, access, suppliers, devices, backups, incidents. No control numbers, no security degree required.
2. We identify your existing controls
Your answers get translated into the security controls you already have. Most SMEs are surprised how much they’re already doing once it’s written down properly.
3. We generate your likely gaps
We compare what you do against what ISO 27001 expects and surface the gaps that matter most — in priority order, in plain language.
4. We map your evidence
The things you already do and document get linked to the specific controls they support, so you can show an auditor or customer what backs each claim.
5. You get an improvement plan
You leave with a short, realistic plan to close your most important gaps first — not a 93-row spreadsheet that never gets finished.
The kinds of questions we ask
Each one is plain English — but quietly maps to the controls an auditor cares about.
How do new staff get access to systems?
Why we ask: Tells us about your access control and onboarding — Annex A controls around identity and provisioning.
What happens when someone leaves?
Why we ask: Covers de-provisioning and the return of assets — a common gap auditors probe.
Which suppliers could seriously affect your business?
Why we ask: Maps to supplier relationships and your dependency risk.
What would happen if a developer laptop was compromised?
Why we ask: Reveals endpoint, encryption and incident-response maturity.
How do you know your backups actually work?
Why we ask: Covers business continuity and the testing auditors love to ask about.
Who can change production systems, and how?
Why we ask: Maps to change management and separation of duties.
What you walk away with
Everything below is generated from your answers — a starting point you can refine, share with a customer, or take to an auditor.
Gap analysis
Where you meet ISO 27001 and where you don’t, prioritised.
Risk register
A starter register of the risks that actually matter to you.
Evidence map
What you already do, linked to the controls it supports.
Control mapping
Your practices mapped to all 93 ISO 27001 Annex A controls.
Action plan
A short, realistic set of next steps to close gaps.
Ready to see your first-pass gap analysis?
Answer the questions once and get a clearer picture of where you stand against ISO 27001.