Evaluate your organization's readiness for ISO 27001 certification across all four control domains. Get maturity scores, gap analysis, and a prioritized roadmap to certification.
ISO 27001 is the international standard for information security management. Our ISO 27001 Readiness Calculator evaluates your organization across all four control domains—Organizational, People, Physical, and Technological—providing a comprehensive maturity assessment and roadmap to certification.
ISO 27001:2022 reorganized information security controls into 4 themes with 93 controls total. This assessment evaluates your implementation across Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34). Organizations typically need 6-12 months to achieve certification, with about 60% passing on their first audit attempt.
Readiness Formula
Readiness = (Org × 0.35) + (Tech × 0.30) + (People × 0.20) + (Physical × 0.15)

Discover which of the 93 controls need implementation before certification. Focus resources on high-priority gaps.
Get realistic estimates for time to certification based on your current maturity level and identified gaps.
Understand which control domains need the most attention. Address critical gaps before minor improvements.
Organizations that assess readiness beforehand have higher first-time pass rates. Avoid costly re-audits.
Quantify the effort required for certification to justify budget and resources to leadership.
Re-assess periodically to measure improvement and maintain momentum toward certification.
Organizations beginning their ISO 27001 journey. Establish baseline and create implementation roadmap.
Identify specific control gaps before engaging a certification body. Prioritize remediation efforts.
Already certified organizations preparing for annual surveillance audits. Ensure continued compliance.
Prepare for the three-year re-certification audit. Verify all controls remain effective.
Evaluate supplier security posture against ISO 27001 requirements during procurement.
Generate quantitative metrics on security maturity for executive and board presentations.
ISO 27001 requires: (1) Management commitment and ISMS policy, (2) Risk assessment and treatment plan, (3) Implementation of relevant controls from Annex A, (4) Documentation of policies and procedures, (5) Internal audit program, (6) Management review, (7) Continuous improvement process. The 2022 version has 93 controls in 4 categories.
Typical timeline is 6-12 months for initial certification. Factors affecting duration: organization size, existing security maturity, resource availability, and complexity of IT environment. Small organizations with good existing practices may certify in 3-6 months.
Core policies include: Information Security Policy, Access Control Policy, Risk Management Policy, Asset Management Policy, Human Resources Security Policy, Physical Security Policy, Operations Security Policy, Communications Security Policy, Incident Management Policy, Business Continuity Policy, Compliance Policy, and Supplier Security Policy.
ISO 27001:2022 reorganized controls from 14 domains (114 controls) to 4 themes (93 controls): Organizational (37), People (8), Physical (14), Technological (34). New controls address cloud security, threat intelligence, data masking, and secure coding. Organizations must transition by October 2025.
Target 70%+ overall readiness before engaging a certification body. Critical requirements: formal risk assessment (100% required), core policies documented (100%), access controls managed, incident response tested. Some gaps are acceptable if you have a remediation plan.
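The readiness formula above and the 70% target from this answer, worked as an added example (not the calculator's own code): it scores each domain from per-control maturity ratings, applies the stated weights, and orders gaps by how much overall readiness each would recover. Assumed (not on the page): a 0-5 maturity rating per control, a rating below 3 counting as a gap, and constructed control identifiers such as "ORG-01"; a real assessment would cover all 93 Annex A controls.

```python
# Weights are the page's readiness formula; control counts are ISO 27001:2022 Annex A.
WEIGHTS = {"Organizational": 0.35, "Technological": 0.30,
           "People": 0.20, "Physical": 0.15}
CONTROL_COUNTS = {"Organizational": 37, "Technological": 34,
                  "People": 8, "Physical": 14}
MAX_RATING = 5        # assumed 0-5 maturity scale per control
GAP_THRESHOLD = 3     # assumed: below this a control is "not implemented"
TARGET = 70.0         # readiness the page suggests before engaging an auditor

# Constructed sample: a handful of controls per domain with made-up identifiers.
SAMPLE_ASSESSMENT = {
    "Organizational": {"ORG-01": 4, "ORG-02": 2, "ORG-03": 3, "ORG-04": 1},
    "Technological":  {"TEC-01": 5, "TEC-02": 2, "TEC-03": 4},
    "People":         {"PEO-01": 3, "PEO-02": 4},
    "Physical":       {"PHY-01": 5, "PHY-02": 5},
}


def domain_score(ratings):
    """Domain maturity as a percentage: mean rating over the maximum rating."""
    if not ratings:
        return 0.0
    return sum(ratings.values()) / (MAX_RATING * len(ratings)) * 100


def readiness(assessment):
    """Overall readiness: Org*0.35 + Tech*0.30 + People*0.20 + Physical*0.15."""
    return round(sum(WEIGHTS[d] * domain_score(assessment[d]) for d in WEIGHTS), 1)


def shortfall(assessment):
    """Readiness points still needed to reach the 70% target (0 if already met)."""
    return round(max(0.0, TARGET - readiness(assessment)), 1)


def roadmap(assessment):
    """Gaps sorted by the readiness points recovered if the control is raised to
    the gap threshold. One rating point on one control in a domain of n controls
    is worth weight * 100 / (MAX_RATING * n), so heavier domains rank first."""
    gaps = []
    for domain, ratings in assessment.items():
        per_point = WEIGHTS[domain] * 100 / (MAX_RATING * len(ratings))
        for control_id, rating in ratings.items():
            if rating < GAP_THRESHOLD:
                recovered = round((GAP_THRESHOLD - rating) * per_point, 2)
                gaps.append((recovered, domain, control_id))
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    print("readiness:", readiness(SAMPLE_ASSESSMENT), "shortfall:", shortfall(SAMPLE_ASSESSMENT))
    for recovered, domain, control_id in roadmap(SAMPLE_ASSESSMENT):
        print(f"{control_id:8} {domain:15} +{recovered} readiness points")
```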
Costs vary by organization size. Small organizations (< 50 employees): $10,000-$30,000 for audit fees, plus $20,000-$50,000 implementation. Medium organizations: $30,000-$100,000 total. Large enterprises: $100,000+. Ongoing costs include annual surveillance audits and continuous improvement.