Security check

ISO 27001 Annex A: the technical controls, provably

ISO 27001:2022 Annex A has 93 controls β€” but it's the technical ones (the 'Technological' theme) where auditors want actual evidence, not just a policy. We map them against your GitHub and attack surface and show where you stand.

Run a free domain scan All checks β†’
Relates to: ISO 27001 Β· Annex A β€” Technological controls A.8 SOC 2 Β· overlapping CC criteria NIS2 Β· art. 21

What we check

We map the technical Annex A controls (the A.8 theme) to measurable reality: access restriction (A.8.2–8.5), protection against malware and vulnerabilities (A.8.7–8.8), secure development and change management (A.8.25–8.32), backup (A.8.13) and network security (A.8.20–8.23).

Why it matters

ISO 27001 certification often stumbles on the gap between the Statement of Applicability and actual technical evidence. A control marked 'implemented' but not demonstrable in practice is a nonconformity β€” we provide the provable status per control.

How Security Guru tests it

Common mistakes

  • Statement of Applicability says 'implemented' without technical evidence
  • Controls documented but never verified in practice
  • No link between Annex A and actual GitHub/infra configuration
  • Vulnerability handling (A.8.8) without prioritisation or follow-up

What you get in the report

  • Status per technical Annex A control with evidence
  • Gaps between the Statement of Applicability and reality
  • Prioritised fix list ahead of the certification audit
  • Input to internal audit and management review

FAQ

Do you cover all 93 controls?

We focus on the technical ones (the A.8 theme) where evidence is measurable. The organisational, people and physical controls are outside the technical review.

Does this replace a certification auditor?

No β€” we provide the technical evidence that makes the audit smoother. The certificate is issued by an accredited body.

2013 or 2022?

We map to ISO 27001:2022 Annex A (the new structure with 93 controls in four themes).

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan