Engineer's guide to ISO 27001:2022
Free · Offline · No signup · No API keys · No billing · Just tools.
Built for DevOps, Backend, Security & GRC engineers.
Total Controls: 93 (Annex A · 2022 edition)
Organizational: 37 (A.5.1 – A.5.37)
Technological: 34 (A.8.1 – A.8.34)
New in 2022: 11 (Cloud · Threat Intel · DLP)
Compliance Heatmap (● live)
Visual grid of all 93 controls. Click to mark status. See your posture at a glance.
Controls Guide (● live)
Every control in plain English. Filter by your role.
Risk Register (● live)
Add assets, score likelihood × impact. Auto-prioritised. Export to CSV or PDF.
Posture Score (● new v0.2)
15 questions → radar chart of your ISMS maturity across all 4 Annex A domains.
SoA Generator (● new v0.2)
Auto-generate your Statement of Applicability — the mandatory cert doc. Free forever.
Threat Mapper (● new v0.2)
Pick a real attack scenario → see which controls prevent it and your exact gaps.
Evidence Wizard (● new v0.2)
Per-control checklist of exactly what an auditor will ask for. Walk in prepared.
Code Snippets (● new v0.3)
Every control mapped to real Terraform, GitHub Actions, Bash & Python. Copy and use directly.
2013 → 2022 Diff (● live)
Side-by-side migration view. New, merged, renamed. Critical for teams transitioning.
// annexa is fully offline — all data stays in your browser
localStorage.getItem('annexa_risks') // your risk register, local only
localStorage.getItem('annexa_controls') // your control statuses, local only
localStorage.getItem('annexa_soa') // your SoA decisions, local only
✓ zero data sent to any server · ✓ no tracking · ✓ no analytics · ✓ open source
Compliance Heatmap
Click any cell to cycle: Not Assessed → Implemented → Partial → Gap → N/A. Auto-saved.
Controls Guide
Select your role. Plain English. No ISO jargon.
Risk Register
Score risks. Auto-sorted by severity. Saved locally. Export to CSV or PDF.
Asset / Risk | Likelihood | Impact | Score | Severity
2013 → 2022 Migration
What changed, merged, renamed, or is entirely new. Critical for teams transitioning.
Security Posture Score
Answer honestly. Get a radar chart of your ISMS maturity across all 4 Annex A domains. Export as PDF.
SoA Generator
Statement of Applicability — mandatory for ISO 27001 certification. Mark each control applicable or not, add your justification. Export when ready.
Control | Name | Applicable? | Justification / Notes
Threat Mapper
Pick a real-world attack scenario → see which ISO 27001 controls prevent it and exactly where your gaps are.
Controls that PREVENT this attack
Gaps — what you still need to implement
Code Snippets
Every ISO 27001 control mapped to real implementation code. Terraform · GitHub Actions · Bash · Python. Copy and use directly.
Evidence Wizard
Select a control → get the exact evidence checklist an ISO 27001 auditor will ask for. Tick items off as you collect them.