Risk assessment software that produces audit-ready evidence

A purpose-built risk assessment platform with the 5×5 register, ISO 27001 Annex A control mapping, treatment workflow and management-review exports already wired together — so you spend time treating risk, not building the tool.

Why most risk assessment tools disappoint

Teams searching for risk assessment software usually land in one of two places. Spreadsheets — fast to start, impossible to audit once you cross a dozen risks and two reviewers. Or enterprise GRC suites — six-figure contracts, a four-month implementation, and a tool where the risk register is a tab inside a tab.

Neither matches what ISO 27001, ISO 27005 or ISO 31000 actually expect: identify the risk, score it, pick a treatment, map it to a control, document the decision, review it on a cadence. That is a workflow, not a content-management system.

What ISO-STANDARD.app gives you

5×5 risk register

Inherent and residual scoring, owner, treatment decision (the four Ts), target residual and review date — in one editable view that exports cleanly.

ISO 27001:2022 Annex A control mapping

Every risk links to the controls that treat it. Statement of Applicability assembles automatically from your decisions.

Treatment workflow

Treatment actions, owners, due dates and status tracked alongside the risk — not in a separate Trello board nobody opens.

Live heatmap & reports

5×5 heatmap, treatment status, by-category and by-owner views. Configurable report views you can save and share.

Risk → control → policy traceability

Auditors stop asking "where is the evidence?" — every risk is one click from its control and its policy.

Audit-ready exports

Management-review pack (ISO 27001 clause 9.3), risk register CSV, full SoA — branded PDFs ready for the auditor.

Full audit trail

Every change to every risk is logged with who, when and what. Required for Growth-tier plans and above.

Multi-framework

Ships with ISO 27001 Annex A, ISO 42001, ISO 20000-1, ISO 31000 and ISO 9001 control catalogues — adopt one or several.

Who it's for

SaaS teams chasing ISO 27001 certification

Pain: Procurement is gating an enterprise deal on a certificate and the CTO is the de facto ISMS manager.

With ISO-STANDARD.app: A 60–90 day path to a Stage 2 audit with the register, SoA, treatment plan and policies the auditor expects already in place.

Operations leaders moving off spreadsheets

Pain: Three risk spreadsheets, two control logs, none of them reconcile and nobody owns the master copy.

With ISO-STANDARD.app: One canonical workspace where risks, controls, treatments and evidence are linked — drift becomes visible instead of hidden.

Consultancies running multiple client ISMSs

Pain: Every client gets a bespoke spreadsheet stack; handovers are painful and audits look different every time.

With ISO-STANDARD.app: A repeatable workspace per client with the same exports, the same catalogue and the same review cadence.

See the competitive landscape

We track the risk assessment software category openly. See who currently ranks for "risk assessment software", our side-by-side comparison vs Vanta, SafetyCulture, Hyperproof and Drata, and the most-asked buyer questions.

Start your risk register today

Spin up a free workspace with the 5×5 register, Annex A controls and the SoA already wired together. Bring an auditor when you're ready.

Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.