ISO 27001

Audit-ready in weeks.
Not by spreadsheet.

Scoper reads your policies, finds the gaps, and drafts the dossier your auditor reads. Below are samples of what comes out — covered controls, found gaps, and the Statement of Applicability.

Assessment

Every control, interpreted.

Upload your policies once. Scoper interprets each document against every applicable Annex A control and ISO 27001 clause, then keeps that interpretation current as your evidence evolves.

Sample · Anonymised

Clause 5.1 Leadership and commitment

Covered
Citations
Information Security Management System Policy · ISMS Governance Framework · Management Review Records
Reasoning
“The ISMS Policy — approved by the CEO — articulates management commitment, resource provision, aligned objectives, and continual-improvement obligations. The Governance Framework defines a three-lines model with executive oversight and clear role accountability, and the Management Review records confirm top-management-chaired reviews with documented inputs, decisions, and actions. Together they satisfy Clause 5.1’s requirement for demonstrated leadership and commitment.”
Gap analysis

Every gap, drafted.

For each control that isn’t yet covered, Scoper drafts the gap — what’s missing, which clause it sits under, and what evidence would close it. No spreadsheets, no row-counting.

Sample · Anonymised

A.8.9 Configuration management

Gap
Finding
“No documented baseline configuration for cloud infrastructure components in scope. Engineering operates from convention, which is reasonable in practice but not auditable.”
Required evidence
  • A configuration baseline covering AWS and Azure resources within the ISMS scope.
  • Change-management records for the trailing 90 days demonstrating controlled deviations.
Suggested next steps
  • Adopt CIS Benchmarks as starting baselines for Linux hosts and major SaaS services.
  • Codify accepted deviations in an exception register reviewed quarterly.
Dossier

One click. The auditor’s pack.

The Statement of Applicability, the control-by-control evidence pack, and the auditor-ready .docx — generated together, citations linked to source documents for every claim.

Sample · Anonymised

Statement of Applicability

A.5.1 · Policies for information security · Applicable
A.5.2 · Information security roles and responsibilities · Applicable
A.5.15 · Access control · Applicable
A.8.9 · Configuration management · Applicable · Remediation in progress — see gap finding.
A.7.1 · Physical security perimeters · Not applicable · No physical premises operated by the organisation; declared in scope.
A.8.20 · Networks security · Not applicable · Organisation does not operate its own corporate network; declared in scope.

93 of 93 controls included with stated justification · last reinterpreted 2026-05-07

See it run on your documents.

A 30-minute demo using your real policies. No slides.
