ISO 27001 compliance made manageable
Run ISO 27001 audits with pre-built Annex A control templates. Mark controls as compliant, non-compliant, or partial. Generate AI-powered compliance summaries and export audit evidence.
No credit card required. Free plan available forever.
ISO 27001: building and maintaining your Information Security Management System
ISO 27001 is the international standard for information security management systems (ISMS), published by the International Organization for Standardization and the International Electrotechnical Commission. The standard specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organisation's overall business risks. The 2022 revision restructured the Annex A controls into four themes (organisational, people, physical, and technological) with 93 controls, replacing the previous 14-domain structure. Certification to ISO 27001 is recognised globally and is increasingly a prerequisite for enterprise procurement and regulatory compliance.
Implementing ISO 27001 requires organisations to perform risk assessments, define a Statement of Applicability, implement controls proportionate to identified risks, and demonstrate ongoing monitoring and improvement. The challenge for most organisations is not understanding what the standard requires, but maintaining the documentation, evidence, and traceability that auditors demand. SecPortal provides a structured environment for tracking Annex A control status, linking security findings to specific controls, and generating the documentation that certification bodies expect to see during surveillance and recertification audits.
Annex A control tracking
Organisational Controls (A.5)
Policies for information security, roles and responsibilities, segregation of duties, contact with authorities, threat intelligence, and information security in project management. Covers 37 controls addressing governance and management of security.
People Controls (A.6)
Screening, terms and conditions of employment, security awareness training, disciplinary processes, and post-employment responsibilities. Ensures the human element of security is managed throughout the employment lifecycle.
Physical Controls (A.7)
Physical security perimeters, entry controls, securing offices and facilities, protection against environmental threats, working in secure areas, and equipment maintenance. Covers 14 controls for physical asset protection.
Technological Controls (A.8)
User endpoint devices, privileged access rights, information access restriction, secure authentication, capacity management, malware protection, technical vulnerability management, network security, and cryptography. The largest group with 34 controls.
Access Management
Controls spanning A.5.15 through A.8.5 covering access control policies, user registration, privilege management, authentication information, and access rights reviews. A cross-cutting concern that touches organisational and technical domains.
Incident Management
Controls for incident management planning, assessment and decision-making, response procedures, learning from incidents, and evidence collection. Covers the full lifecycle from detection through post-incident review and improvement.
Compliance management features
SecPortal provides pre-built control templates covering the full ISO 27001:2022 Annex A control set, so your team can begin tracking compliance status immediately without building control registers from scratch. Each control supports four status levels, evidence attachments, and direct links to related security findings. The AI engine generates compliance summaries that turn structured control data into the narrative documentation your ISMS requires.
- Pre-built templates for all 93 Annex A controls in the ISO 27001:2022 structure
- Four-tier status tracking: compliant, non-compliant, partial, and not applicable
- Direct linking between security findings and affected Annex A controls
- Timestamped audit trail recording every status change, evidence upload, and user action
- AI-generated compliance summaries translating control status data into narrative ISMS documentation
- Dashboard showing overall compliance posture with percentage breakdowns by control group
- Cross-engagement tracking to demonstrate continuous improvement to certification bodies
Audit preparation
Certification auditors expect structured evidence, clear traceability between risks and controls, and a demonstrable commitment to continuous improvement. SecPortal organises your ISMS data in the formats auditors are accustomed to reviewing, reducing the preparation burden that typically consumes weeks of effort before each audit cycle.
- CSV export of the complete control register in a format aligned with auditor expectations
- Evidence repository with documents, screenshots, and notes linked directly to each control
- Statement of Applicability (SoA) generation showing included and excluded controls with justifications
- Control-to-finding traceability demonstrating how identified risks map to specific Annex A requirements
- Activity logs providing auditors with a verifiable timeline of ISMS maintenance activities
- AI-generated management review summaries for periodic ISMS review meetings
- Gap analysis view highlighting non-compliant and partial controls requiring attention before audit
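The posture dashboard, SoA exclusions and gap analysis described above can be reproduced from a plain control register. The following is an added example, not SecPortal's own code: it assumes a CSV with `control_id,status,justification` columns, maps control ids to the four 2022 themes by their A.5 to A.8 prefix, treats "not applicable" as an SoA exclusion that must be justified and is left out of the compliance denominator (both assumptions), and lists the gaps to close before an audit.

```python
# Added example (not SecPortal code). Register columns: control_id,status,justification.
# Assumption: "not applicable" rows need an SoA justification and leave the denominator.
import csv, io
from collections import defaultdict

THEMES = {"A.5": "Organisational", "A.6": "People",
          "A.7": "Physical", "A.8": "Technological"}
STATUSES = {"compliant", "non-compliant", "partial", "not applicable"}

# Constructed sample register: a small subset of the 93 Annex A controls.
SAMPLE_REGISTER = """control_id,status,justification
A.5.1,compliant,
A.5.15,partial,
A.6.3,non-compliant,
A.7.4,not applicable,No physical premises; fully remote workforce
A.8.2,compliant,
A.8.5,partial,
A.8.8,non-compliant,
"""

def load_register(text):
    """Parse the register, rejecting unknown statuses and unjustified exclusions."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        cid, status = row["control_id"].strip(), row["status"].strip().lower()
        if status not in STATUSES:
            raise ValueError(f"{cid}: unknown status {status!r}")
        if status == "not applicable" and not row["justification"].strip():
            raise ValueError(f"{cid}: SoA exclusion needs a justification")
        rows.append({"control_id": cid, "status": status})
    return rows

def posture_by_theme(rows):
    """Per-theme status counts and percent compliant, keyed by the A.5-A.8 prefix."""
    out = defaultdict(lambda: {k: 0 for k in ("compliant", "partial", "non-compliant", "applicable")})
    for r in rows:
        if r["status"] == "not applicable":
            continue  # excluded from the denominator
        theme = THEMES.get(".".join(r["control_id"].split(".")[:2]), "Unknown")
        out[theme][r["status"]] += 1
        out[theme]["applicable"] += 1
    for t in out.values():
        t["percent"] = round(100 * t["compliant"] / t["applicable"], 1)
    return dict(out)

def gap_list(rows):
    """Controls to fix before audit: non-compliant first, then partial."""
    rank = {"non-compliant": 0, "partial": 1}
    return [c for _, c in sorted((rank[r["status"]], r["control_id"])
                                 for r in rows if r["status"] in rank)]
```

A theme whose every control is excluded (Physical in the sample) does not appear in the posture at all, which is the behaviour an auditor would expect from the SoA rather than a misleading 0%.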
ISO 27001 certification is an ongoing commitment, not a one-time project. SecPortal supports the full ISMS lifecycle by providing persistent control tracking across engagements, timestamped evidence collection, and AI-assisted documentation generation. Whether you are pursuing initial certification or maintaining compliance through annual surveillance audits, SecPortal gives your team the tools to manage Annex A controls with the rigour and traceability the standard demands.
Key control areas
SecPortal helps you track and manage compliance across these domains. The domain numbering below follows the 14-domain structure of ISO 27001:2013; the 2022 revision consolidates these domains into the four themes described above.
A.5: Information Security Policies
Track policy documentation, review cycles, and management endorsement controls.
A.6: Organisation of Information Security
Manage roles, responsibilities, segregation of duties, and contact with authorities.
A.8: Asset Management
Document asset inventories, acceptable use, classification, and media handling controls.
A.9: Access Control
Track access management policies, user registration, privilege management, and authentication controls.
A.12: Operations Security
Manage change management, capacity management, malware protection, and logging controls.
A.18: Compliance
Track legal requirements, intellectual property, privacy, and audit controls.
Simplify ISO 27001 audits
Pre-built controls. AI summaries. Export-ready evidence.