⚡ Free effectiveness score in minutes, no documents required
ISO 22301 and ISO 27001

The threat environment is evolving.

Has your management system kept pace?

Threats change. Standards are updated. Organisations restructure. The management systems that held up at certification are not always the ones that hold up twelve months later. Answer a few questions about your system and get an indicative SSF Effectiveness Score in minutes. No documents, no obligation.

Free · No documents required · Results in minutes

Find out if your system has kept pace with the threat landscape.

The free Readiness Check is a self-assessed version of the SSF Effectiveness Model. It samples four of the highest-signal areas to give you an indicative SSF Effectiveness Score in minutes. The full model, applied on every paid engagement, scores every requirement of the standard at audit and reviews your objectives quarterly. Complete the Readiness Check below to see where you stand today.

When you want certainty, not an estimate

The paid Health Check: we assess your actual evidence.

The Readiness Check above is the self-assessed version. The Management System Health Check is the evidence-based one: we apply the full SSF Effectiveness Model to your real artefacts (your risk register, management review records, scope, and SOA or BIA) and return your SSF Effectiveness Score with a practitioner-rated RAG report in days. Same measure, assessed against your actual evidence rather than your own estimate. A mutual NDA and secure document transfer are in place before any documents are shared.

  • A focused set of artefacts: We review your risk register, management review minutes, scope, and your SOA or BIA - the artefacts that most honestly reflect system health.
  • Rapid findings: We return a structured, RAG-rated report within days of receiving your documents. Not weeks.
  • Clear next steps: Findings come with prioritised recommendations and, where you choose, a path to close the gaps with us.

  • Major nonconformities across all client audits: 0
  • Requirements and controls assessed: 1,400+
  • Average SSF Effectiveness Score across active engagements: 92

If you are not measuring effectiveness, what are you measuring?

Most certified organisations cannot put a number on how well their management system is actually working. SSF can. We score every requirement at internal audit on how effectively it is operating, average it across the whole standard, and review the objectives behind it every quarter. Our clients consistently sit in the Effective band. The free check below gives you an indicative score in minutes, without sharing a single document.

The artefacts that reveal whether your system has kept pace.

Threats evolve. Organisations change. Standards are updated. The artefacts below are the ones that most honestly show whether a management system has moved with those changes or quietly fallen behind. You cannot hide a stale risk register or an outdated BIA for long.

01 Risk Register
Completeness, currency, clear ownership, and the status of treatment plans. We assess whether risk is genuinely being managed or simply recorded.
Completeness · Currency · Ownership · Treatment status

02 Management Review Minutes
Frequency, agenda coverage, action tracking, and evidence of continual improvement. Whether leadership engagement is genuine or procedural.
Agenda coverage · Action tracking · CI evidence · Leadership engagement

03 Scope and System Boundary
Whether the defined scope reflects how the organisation actually operates today and whether it would hold up to scrutiny in a surveillance or recertification audit.
Currency · Accuracy · Audit readiness

04 Standard-Specific Assessment
For ISO 27001: Statement of Applicability - version control, control justification, and exclusion rationale. For ISO 22301: Business Impact Analysis - currency, RTO/RPO validity, and linkage to continuity plans.
ISO 27001: SOA · ISO 22301: BIA · RTO / RPO

A RAG-rated assessment. Written for decision-makers.

The report is concise by design. Each area is rated Red, Amber, or Green with a short observation and a recommended action where relevant. Select the standard below.

ISO 27001

| Area | Illustrative Rating | What We Assess |
| --- | --- | --- |
| Risk Register | Amber | Completeness, currency, asset linkage, ownership, and treatment plan status across the register. |
| Scope Definition | Green | Whether the scope accurately reflects the organisation's current operating environment and would withstand audit scrutiny. |
| Statement of Applicability | Red | Version control, alignment with the current control set (Annex A / ISO 27002), and documented justification for any exclusions. |
| Management Review | Amber | Frequency relative to the audit cycle, agenda coverage against clause 9.3 requirements, and quality of action tracking. |
| Continual Improvement Evidence | Amber | Whether improvement actions from reviews, audits, and incidents are being tracked through to closure and reported at management level. |
| Overall System Maturity | Amber | An informed view of overall ISMS health - the signal a surveillance auditor is likely to receive from these artefacts. |

ISO 22301

| Area | Illustrative Rating | What We Assess |
| --- | --- | --- |
| Risk Register | Amber | Completeness, currency, ownership, and treatment plan status - assessed against BCM-specific risk and threat categories. |
| Scope Definition | Green | Whether the BCMS scope accurately reflects the organisation's current operations, dependencies, and interested parties. |
| Business Impact Analysis | Red | Currency of the BIA, validity of Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and whether outputs are clearly linked to continuity plans. |
| Management Review | Amber | Frequency, agenda coverage against clause 9.3 requirements, and whether review outputs are driving meaningful system improvement. |
| Continual Improvement Evidence | Amber | Whether improvement actions - including post-exercise findings - are tracked, closed, and reported at management level. |
| Overall System Maturity | Amber | An informed view of overall BCMS health - whether the system would demonstrate genuine resilience or surface gaps under audit conditions. |

Legend: Green = Meets standard requirements · Amber = Attention recommended · Red = Action required before audit

From documents to findings. In days.

There is no onboarding. No discovery calls before we begin. You share your artefacts, we start immediately.

01 Share your documents
Send us your risk register, management review minutes, scope document, and your SOA or BIA. We will confirm receipt and begin the assessment.

02 We begin immediately
Our specialists review your documents against the requirements of your applicable standard. No waiting list. No preliminary calls.

03 You receive your report
A concise RAG-rated report covering all assessed areas, with prioritised recommendations and clear rationale for every finding.

04 Act on the findings
Implement recommendations with your own team, or engage us to close the gaps. The choice is yours. There is no obligation to continue.

A report built for action, not filing.

Concise, direct, and written for the people who need to act on it.

  • RAG-rated assessment across all areas covered in the review
  • Risk register quality assessment with specific, referenced observations
  • Scope assessment - current, accurate, and audit-ready or not
  • SOA review (ISO 27001) or BIA review (ISO 22301) with findings
  • Management review effectiveness rating against standard requirements
  • Overall system maturity signal - what an auditor is likely to find
  • Top 3 to 5 prioritised recommendations with rationale
  • Optional walkthrough call to discuss findings and next steps