ISO 27001 Compliance for Web Security

ISO 27001 is a management system standard, and certification covers your whole information security program. SiteSecurityScore does not certify you and does not assess your ISMS. What it does do well is help you evidence a specific set of Annex A technical controls for web and transport security. One free scan grades your TLS, security headers, CSP, cookies, and DNS, then gives you a dated report and copy and paste fixes you can attach to the relevant controls.

An honest note on scope. SiteSecurityScore is a web and transport security scanner. It helps you evidence specific technical controls, it is not an ISO 27001 certification, an ISMS, or a risk assessment, and using it does not make your organization compliant on its own. You still need a full management system and an accredited certification body to become certified.

ISO 27001, Annex A, and where web security fits

ISO 27001 is the international standard for an information security management system, the ISMS. The core of the standard is about governance. You define scope, run a risk assessment, decide how to treat each risk, and keep the whole program under review. Annex A is the reference set of controls you draw from when you treat those risks. In the 2022 revision (ISO/IEC 27001:2022) the Annex A set was consolidated to 93 controls grouped into four themes: organizational, people, physical, and technological.

Most of Annex A is procedural and organizational, and a scanner has nothing to say about it. A handful of the technological controls do map onto web and transport security though. The 2022 set includes controls for the use of cryptography (A.8.24), for configuration management of systems and services (A.8.9), for the management of technical vulnerabilities (A.8.8), and for logging and monitoring activities (A.8.15 and A.8.16). These are the controls where a public scan of your site produces real, dated evidence.

That is the lane SiteSecurityScore lives in. One free scan checks your TLS configuration and certificate, your HSTS and security header setup, your Content Security Policy, your cookie attributes, and your DNS records, then returns a letter grade with prioritized fixes. It gives you concrete artifacts for the cryptography and secure configuration controls without pretending to cover the parts of the standard it does not touch.

How SiteSecurityScore maps to Annex A control areas

The tables below are honest about coverage. Green means the scanner produces direct evidence for that control area. Amber means it contributes but does not fully cover it. Red means it is out of scope and belongs to your management system.

Cryptography and encryption in transit

Control area                                  | SiteSecurityScore
TLS protocol and certificate validation       | Green, direct evidence
HSTS (Strict-Transport-Security) enforcement  | Green, direct evidence
Cipher suite and protocol version review      | Green, direct evidence

Secure configuration of web services

Control area                                            | SiteSecurityScore
Security headers (CSP, X-Frame-Options, Referrer-Policy) | Green, direct evidence
Content Security Policy directive analysis              | Green, direct evidence
Cookie attributes (HttpOnly, Secure, SameSite)          | Green, direct evidence
CORS and security.txt configuration                     | Green, direct evidence

Technical vulnerability management (config layer)

Control area                                         | SiteSecurityScore
Detection of missing or weak header configuration    | Green, direct evidence
Prioritized fixes with copy and paste remediation    | Green, direct evidence
Application code and dependency vulnerabilities      | Red, out of scope

Monitoring and logging of changes

Control area                                         | SiteSecurityScore
Daily automated rescans of web and transport config  | Green, direct evidence
Email alerts when configuration drifts or breaks     | Green, direct evidence
Centralized log management and SIEM correlation      | Amber, partial

Policies, access management, and supplier controls

Control area                                  | SiteSecurityScore
Information security policies and ISMS scope  | Red, out of scope
Access control and identity management        | Red, out of scope
Supplier and third party agreements           | Red, out of scope
Risk assessment, SoA, and internal audit      | Red, out of scope

Control titles paraphrase the ISO 27001 (2022) Annex A themes. Always confirm the exact control references and your Statement of Applicability with your own auditor.

How SiteSecurityScore helps your ISO 27001 evidence

Auditors want artifacts that show a control is in place and operating. For the technical web and transport controls, SiteSecurityScore gives you those artifacts without manual effort.

Dated scan reports

Each scan returns a letter grade and a breakdown of TLS, headers, CSP, cookies, and DNS findings. The date and result act as point in time evidence that transport encryption and secure configuration controls are in place.

PDF exports for auditors

Export any scan as a PDF report and attach it to the relevant Annex A control in your evidence pack. Auditors get a clean, shareable artifact tied to a specific date and domain.

Daily monitoring for review

ISO 27001 expects controls to be reviewed over time. Automated daily rescans build a continuous record that your web and transport configuration stays secure between audits.

Prioritized remediation

Findings come with copy and paste fixes, so you can close gaps in cryptography and secure configuration and show the before and after to your auditor.

Fix areas covered: TLS and HSTS; security headers and CSP; cookie security; DNS, CORS, and security.txt.

Continuous monitoring keeps controls under review

A single scan is point in time. ISO 27001 expects you to operate and review controls continuously, so a result from six months ago says little about today.

SiteSecurityScore runs automated daily scans of your TLS configuration and certificates, security headers, Content Security Policy, DNS records, and cookies. When a certificate nears expiry, a header is removed, or a policy weakens, you receive an email alert. That ongoing record supports the monitoring and technical vulnerability management expectations and gives your auditor confidence that web security configuration stays under active review between formal assessments. Two practical caveats: an external scan only sees what is exposed at the scanned hostname, so every in-scope domain and subdomain needs its own monitor, and an alert on its own evidences detection only. Close each alert with a recorded fix and a rescan so the review step is evidenced as well.
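The drift check described above, written out as an added example (this is not SiteSecurityScore's own code): a small Python script that turns a captured response header block and a certificate expiry date into a dated findings record, grades it, and diffs two records so that a control that weakened between scans produces an alert. The header values, the certificate date, the check thresholds and the letter grade scheme are all constructed for this example and are not the scanner's rules.

```python
"""Dated evidence snapshot plus day-over-day drift check for web and transport config.
Added example, not SiteSecurityScore code; runs offline on constructed input (a captured
response header block and a certificate notAfter string in ssl.getpeercert() format).
Check names, thresholds and the letter grade scheme are this example's own assumptions."""
import datetime as dt
import ssl

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed baseline for a passing HSTS header
MIN_CERT_DAYS_LEFT = 30      # assumed threshold for the certificate expiry alert

def parse_headers(raw):
    """Raw header block -> {lowercase name: [values]}; repeated Set-Cookie lines are kept."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_directive(csp, name):
    """Value of one CSP directive, lowercased, or '' when it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().lower().split()
        if tokens and tokens[0] == name:
            return " ".join(tokens[1:])
    return ""

def evaluate(headers, cert_not_after, now):
    """Run each check; returns {check name: (passed, human readable detail)}."""
    r = {}
    # Encryption in transit: HSTS present with a long enough max-age.
    hsts = headers.get("strict-transport-security", [""])[0]
    ages = [t[8:] for t in hsts.lower().replace(" ", "").split(";") if t.startswith("max-age=")]
    max_age = int(ages[0]) if ages and ages[0].isdigit() else 0
    r["hsts"] = (max_age >= MIN_HSTS_MAX_AGE, f"max-age={max_age}" if hsts else "header missing")
    # Secure configuration: a CSP must exist and must not let inline or any-origin script run.
    csp = headers.get("content-security-policy", [""])[0]
    script_src = csp_directive(csp, "script-src") or csp_directive(csp, "default-src")
    weak = [t for t in script_src.split() if t in ("'unsafe-inline'", "'unsafe-eval'", "*")]
    detail = ("header missing" if not csp else "no script-src or default-src" if not script_src
              else "script-src allows " + " ".join(weak) if weak else f"script-src {script_src}")
    r["csp"] = (bool(script_src) and not weak, detail)
    # Clickjacking: frame-ancestors in the CSP or an X-Frame-Options header.
    frame = csp_directive(csp, "frame-ancestors")
    xfo = headers.get("x-frame-options", [""])[0]
    r["clickjacking"] = (bool(frame or xfo), f"frame-ancestors {frame}" if frame
                         else f"X-Frame-Options {xfo}" if xfo else "no framing restriction")
    # Cookie attributes: every Set-Cookie needs Secure, HttpOnly and SameSite.
    bad = []
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        missing += [] if any(a.startswith("samesite=") for a in attrs) else ["samesite"]
        if missing:
            bad.append(f"{cookie.split('=', 1)[0].strip()} lacks {','.join(missing)}")
    r["cookies"] = (not bad, "; ".join(bad) or "all cookies carry Secure, HttpOnly, SameSite")
    # Certificate expiry, from the notAfter string ssl.getpeercert() returns.
    days_left = (ssl.cert_time_to_seconds(cert_not_after) - now.timestamp()) / 86400
    r["certificate"] = (days_left >= MIN_CERT_DAYS_LEFT, f"{days_left:.0f} days until expiry")
    return r

def snapshot(domain, raw_headers, cert_not_after, now):
    """One dated scan record: the artifact you would file against a control."""
    findings = evaluate(parse_headers(raw_headers), cert_not_after, now)
    failed = sum(1 for ok, _ in findings.values() if not ok)
    grade = "ABCDEF"[min(failed, 5)]  # assumed scheme: one grade step per failed check
    return {"domain": domain, "date": now.isoformat(), "grade": grade, "findings": findings}

def drift(previous, current):
    """Alerts for checks whose pass/fail state changed between two dated snapshots."""
    alerts = []
    for check, (ok_now, detail) in current["findings"].items():
        ok_before = previous["findings"].get(check, (ok_now, ""))[0]
        if ok_before != ok_now:
            alerts.append(f"{'REGRESSION' if ok_before else 'FIXED'} {check}: {detail}")
    return alerts

# Constructed input: a clean day-one response, then a day-two response where a deploy
# dropped HSTS, added 'unsafe-inline' to the CSP and shipped the session cookie without HttpOnly.
DAY1_HEADERS = """\
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""
DAY2_HEADERS = """\
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Set-Cookie: session=abc123; Path=/; Secure; SameSite=Lax
"""
CERT_NOT_AFTER = "Jun 30 23:59:59 2026 GMT"  # constructed, ssl.getpeercert()['notAfter'] format
DAY1 = dt.datetime(2026, 1, 15, tzinfo=dt.timezone.utc)

def run_example():
    before = snapshot("example.com", DAY1_HEADERS, CERT_NOT_AFTER, DAY1)
    after = snapshot("example.com", DAY2_HEADERS, CERT_NOT_AFTER, DAY1 + dt.timedelta(days=1))
    return before, after, drift(before, after)

if __name__ == "__main__":
    before, after, alerts = run_example()
    print(f"{before['date']} grade {before['grade']} -> {after['date']} grade {after['grade']}")
    print("\n".join(alerts) or "no drift")
```

Run as a script it prints the two grades (A, then D) and three regression alerts for HSTS, CSP and cookies. In a real deployment the header block would come from an actual HTTPS response and notAfter from ssl.getpeercert() on the live connection, and each day's snapshot would be stored, since the stored series of dated records, not the alert email, is what an auditor can review.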

Automated daily rescans

Each monitored site is checked once per day across TLS, headers, CSP, DNS, and cookies.

Alerts on configuration drift

Get an email the moment a control weakens, so review and remediation are recorded.

Set up monitoring

Generate web security evidence in seconds

Enter any URL and get a dated security report covering TLS, security headers, CSP, cookies, and DNS. Export it as a PDF and attach it to your ISO 27001 evidence pack. No account required.

Run a free scan

Frequently asked questions

Does SiteSecurityScore make my website ISO 27001 certified?

No. ISO 27001 certification is awarded by an accredited certification body after it audits your full information security management system (ISMS). No scanner can grant certification. SiteSecurityScore is a technical tool that helps you evidence specific Annex A controls related to web and transport security, such as cryptography in transit and secure configuration of services. It is one input into your evidence pack, not a substitute for an audit.

Which ISO 27001 Annex A controls does SiteSecurityScore help with?

SiteSecurityScore is most useful for the technical controls in the ISO 27001 (2022) Annex A set that touch web and transport security. That includes the use of cryptography and encryption in transit (TLS and HSTS checks), secure configuration of services (security headers, CSP, and cookie attributes), management of technical vulnerabilities at the configuration layer, and ongoing monitoring through daily scans with alerts. It does not address information security policies, access control, supplier relationships, or the wider ISMS.

What ISO 27001 areas does SiteSecurityScore not cover?

SiteSecurityScore does not cover the management system itself. That means it does not handle your risk assessment and treatment plan, the Statement of Applicability, information security policies, access management and identity controls, supplier and third party agreements, physical security, human resource security, or internal audit and management review. Those are organizational and procedural controls that sit outside the scope of a configuration scanner.

Can I use SiteSecurityScore reports as audit evidence?

Yes, as supporting technical evidence. A SiteSecurityScore scan produces a dated report with a letter grade and a breakdown of TLS, security headers, CSP, cookies, and DNS findings, plus the specific fixes it recommends. Rescan after remediation and keep both reports, so you have a before and after pair. You can export these as PDF reports and attach them to the relevant Annex A controls to show your auditor that transport encryption and secure configuration are in place and reviewed. Pair them with your own policies and procedures to complete the picture.

How does daily monitoring support ISO 27001?

ISO 27001 expects controls to be operated and reviewed over time, not set once and forgotten. SiteSecurityScore runs automated daily scans of your TLS configuration, security headers, CSP, DNS records, and cookies, then emails you when something changes or a new issue appears. That ongoing record helps demonstrate that you continuously monitor the secure configuration of your web services and respond to drift, which supports the technical vulnerability management and monitoring expectations.

Is SiteSecurityScore enough on its own to pass an ISO 27001 audit?

No. An ISO 27001 audit assesses your entire ISMS, including governance, risk management, policies, people, and processes. SiteSecurityScore only evidences the technical web and transport security controls. It is a strong, low effort way to demonstrate a handful of Annex A technical controls and to keep them under review, but you still need a full management system, documentation, and an accredited certification body to achieve certification.
