ISO/IEC 27001:2022 · 93 controls · Annex A

ISO 27001 without starting from scratch.

Before you pay the security consultant SEK 200,000 for a gap analysis — run an automated pre-audit that covers 94% of technical Annex A controls in 30 minutes.

We are opening for purchases in 2026. Register and we will get in touch.

Which ISO 27001 controls do we automate?

ISO 27001:2022 has 93 controls in Annex A, across four themes. Approximately 51 are technically testable (mainly theme 8 — technical controls). Security Guru covers 48 of these 51 automatically.

| Theme | Controls | How handled? |
|---|---|---|
| 5 — Organisational | 37 | Partially automated (5.10, 5.14, 5.16, 5.17, 5.30 etc.) + document attestation |
| 6 — People | 8 | HR process, not automatable — attestation |
| 7 — Physical | 14 | 7.4 (monitoring) + 7.10 (storage media) automated, others require site inspection |
| 8 — Technical | 34 | 32 of 34 automated (CVE matching, hardening checks, crypto assessment, segmentation, backup validation etc.) |

Examples of automated technical controls

What do you get in the report?

Frequently asked questions

Is the report sufficient for certification?

No. Certification requires an auditor from an accredited certification body (CB). We do not replace the auditor; we provide the documentation the auditor would otherwise have spent 30-60% of their time producing.

Can I use the report in my Statement of Applicability (SoA)?

Yes. Every finding has a control ID (e.g. iso27001:8.20) that can be directly pasted into the SoA template. Many auditors accept our automated tests as "evidence of operating effectiveness" for the period when the scan was run.

How often should we re-run the scan?

ISO 27001 requires "continual improvement" — in practice at least quarterly internal audit. Our Continuous subscription runs the scan monthly and shows drift since the previous run.
