Australian businesses most often ask what certification will cost, which of the 93 Annex A controls they must implement, and whether a certificate is genuinely accredited. A high-demand question missing from the fixed 10 is whether the certificate's legal entity and scope actually cover the product, service, location and customer data being relied upon.
What is ISO 27001, and who's asking me for it?
ISO/IEC 27001 is the international requirements standard for establishing, operating, monitoring and continually improving an information security management system, or ISMS. It is broader than an IT security checklist because it addresses information risk across people, processes, suppliers, physical environments and technology. In Australia, AS/NZS ISO/IEC 27001:2023 is the identical Australian and New Zealand adoption of ISO/IEC 27001:2022. Certification is generally voluntary, but enterprise customers, government tenders, regulated-sector clients, insurers and supply-chain contracts may require an accredited certificate covering a defined legal entity and scope.
- enterprise supplier — A major customer may require accredited certification before onboarding or contract renewal and may specify the services that must appear within the certificate scope.
- government contractor — A tender may request ISO 27001 certification, but separate PSPF, ISM, IRAP or Essential Eight requirements may still apply.
- private SME — There is no general Australian turnover threshold that automatically requires certification; the trigger is usually customer demand, risk, contract or market strategy.
- regulated or high-trust service — Certification may support assurance, but it does not replace sector-specific legal, regulatory or contractual obligations.
Who is requiring ISO 27001 from us, which edition do they require, what legal entity, products, services, locations and information must be inside the certification scope, must the certificate be JAS-ANZ-accredited, and what deadline applies?
Does it apply to a business my size or type?
ISO 27001 can be used by a sole trader, startup, SME, large enterprise, government body or not-for-profit; there is no minimum employee or turnover threshold in the standard. The requirements remain the same, but the scope, risk assessment, controls and amount of evidence should be proportionate to the organisation. A smaller business can certify a clearly defined service or business unit rather than the entire corporate group, provided the boundary is honest and does not exclude dependencies that affect security. Outsourcing technology does not outsource accountability: the business must still understand and manage the information risks created by cloud providers, MSPs and other suppliers.
- startup or small business — The ISMS can be comparatively simple, but all applicable clauses still need to be addressed and supported by operating evidence.
- multi-entity or enterprise group — The certificate may cover one legal entity, division, platform or service rather than the whole group; customers should inspect the stated scope.
- outsourced IT environment — Supplier controls, contracts, access, evidence and incident responsibilities remain part of the organisation's risk management.
- Australian regulated entity — ISO 27001 may support the security program but does not automatically satisfy APRA, Privacy Act, SOCI, PSPF or other sector obligations.
Define the smallest honest certification scope that meets our customer and risk needs, then identify every shared service, cloud platform, office, supplier and corporate dependency that could affect that scope.
What are the actual requirements and Annex A controls?
The certifiable requirements are primarily in clauses 4 to 10: organisational context, leadership, planning, support, operation, performance evaluation and improvement. Annex A contains 93 reference controls grouped into four themes: organisational, people, physical and technological. An organisation does not automatically implement all 93 controls; it must assess its risks, select appropriate treatment controls, compare those selections with Annex A and explain inclusions and exclusions in its Statement of Applicability. The mandatory management-system clauses cannot simply be omitted, while Annex A control selection is risk-based and may be supplemented with controls from other sources.
- clauses 4–10 — These contain the management-system requirements that must be addressed within the certified scope.
- 93 Annex A controls — These form a reference set that must be considered, not a universal checklist requiring every control to be implemented.
- Statement of Applicability — The organisation records which controls are necessary, why they are included, whether they are implemented and why any Annex A controls are excluded.
- organisation with specialised risks — Controls outside Annex A can be added where the risk assessment, law, contract or technology environment requires them.
Give us a clause-by-clause compliance matrix for clauses 4 to 10 and a complete Statement of Applicability showing all 93 Annex A controls, the reason for inclusion or exclusion, implementation status, control owner and supporting evidence.
Which policies and documents does it require me to have in writing?
ISO 27001 requires controlled documented information, but it does not prescribe a universal pack of dozens of policies with fixed commercial template names. Core records commonly include the ISMS scope, information security policy, risk assessment and treatment methodology and results, Statement of Applicability, security objectives, competence evidence, operating records, monitoring results, internal audits, management reviews and corrective actions. Additional policies and procedures depend on the controls selected, such as access control, supplier security, incident response, backups, acceptable use, secure development or business continuity. The documents must reflect the real business and be supported by implementation evidence; buying a template library is not the same as operating an ISMS.
- small organisation — Related requirements can be combined into fewer concise documents if responsibilities, mandatory rules and evidence remain clear.
- complex or regulated organisation — Separate policies, standards, procedures, registers and plans are usually needed to manage different owners, technologies and legal obligations.
- Annex A control documentation — The documents required depend on the controls selected through risk treatment and stated in the Statement of Applicability.
- certification audit — Auditors need evidence that documents are approved, current, communicated and used, rather than merely present in a folder.
Map every proposed policy, standard, procedure, plan and record to the exact ISO 27001 clause or selected Annex A control it supports, and show the live evidence proving that the documented requirement operates.
What changed in the 2022 version?
ISO/IEC 27001:2022 replaced the 2013 edition and reorganised Annex A from 114 controls in 14 domains to 93 controls in four themes. The underlying control update included 11 new controls, 24 merged controls and 58 updated controls, while new attributes make controls easier to classify and map. The requirements also added a specific clause for planning changes and refined how interested-party requirements are considered. The formal transition deadline was 31 October 2025, so certificates to ISO/IEC 27001:2013 should no longer be treated as current. A 2024 climate-action amendment also applies to the current standard and should be included in the organisation's standards register and context review.
- organisation formerly certified to 2013 — Its transition should have been completed by 31 October 2025 and the current certificate should state ISO/IEC 27001:2022 or the applicable Australian adoption.
- using a 2013 control spreadsheet — The control structure, numbering, mappings, Statement of Applicability and risk-treatment references need to be updated.
- new certification applicant — The ISMS should be built directly against the 2022 edition and applicable 2024 amendment rather than retrofitting obsolete templates.
- Australian certification — AS/NZS ISO/IEC 27001:2023 is the local identical adoption of the international 2022 edition.
Confirm that all gap assessments, policies, risk tools, Statements of Applicability and audit plans use ISO/IEC 27001:2022 or AS/NZS ISO/IEC 27001:2023, include Amendment 1:2024, and no longer rely on the 2013 control numbering.
How is it certified — and by whom (accredited vs not)?
ISO writes the standard but does not audit businesses or issue ISO 27001 certificates. Independent certification bodies conduct a Stage 1 readiness and documentation review followed by a Stage 2 assessment of implementation and effectiveness. In Australia, JAS-ANZ accredits certification bodies and provides registers that can be used to check the certification body and certified organisation. Accreditation is not legally compulsory for every private certification claim, but a non-accredited or self-declared claim may not be accepted by a tender, enterprise customer or insurer. A normal accredited cycle runs for three years, with surveillance audits during the cycle and recertification before the certificate expires.
- self-declared conformity — The organisation states that it follows the standard, but there is no independent certification-body assurance.
- non-accredited certification — An independent body may have issued a certificate, but its competence and impartiality have not been confirmed through recognised accreditation.
- JAS-ANZ-accredited certification — The certification body is independently assessed for competence, impartiality and consistency, and its status can be checked through the JAS-ANZ register.
- international certificate presented in Australia — Check whether the issuing body's accreditation is recognised and whether the certificate, scope, edition, status and legal entity are valid.
Name the certification body, provide its JAS-ANZ or recognised accreditation record, confirm that the consultant is independent from the certification decision, and give us the certificate number, legal entity, scope, standard edition, issue date, expiry date and public verification record.
What evidence do I need to show?
Auditors need evidence that the ISMS has operated, not just that policies were written shortly before the audit. Typical evidence includes the approved scope, risk register, risk-treatment plan, Statement of Applicability, objectives and metrics, asset and supplier records, access reviews, security configurations, training records, incidents, backup and recovery tests, monitoring results and corrective actions. The organisation must also complete internal audits and management reviews and be able to show that identified weaknesses were addressed. Stage 2 normally requires a meaningful period of operating evidence, while annual surveillance checks that the system continues to work throughout the three-year cycle.
- governance evidence — Maintain approvals, risk decisions, objectives, management reviews, internal audits, exceptions and corrective-action records.
- technical and operational evidence — Retain configurations, logs, tickets, scan results, access reviews, backup tests, incident records and supplier-assurance evidence.
- outsourced or cloud environment — The certified organisation still needs contract rights and practical access to evidence held in provider platforms.
- surveillance and recertification — Evidence must show continual operation and improvement after the initial certificate rather than a one-time audit project.
Create an evidence register mapping every ISO 27001 clause and selected Annex A control to its owner, system scope, live evidence source, collection date, review frequency and retention location, including evidence held by suppliers.
How does it compare to the Essential Eight and SMB1001?
ISO 27001 is a broad international, risk-based management-system standard covering information in all forms and requiring governance, risk assessment, performance evaluation and continual improvement. The Essential Eight is ASD's focused baseline of eight technical mitigation strategies, assessed through maturity levels zero to three; it is not a complete ISMS. SMB1001 is a commercial five-tier certification standard designed for small and medium businesses, with Bronze through Diamond pathways. The frameworks can share evidence and complement one another, but none creates automatic equivalence: an ISO 27001 certificate does not by itself prove an Essential Eight maturity level or SMB1001 tier, and the reverse is also true.
- ISO/IEC 27001 — Broad risk-based ISMS covering governance, people, processes, physical security, technology, suppliers and continual improvement.
- Essential Eight — Eight prioritised technical mitigations with maturity levels zero to three and detailed Australian control expectations.
- SMB1001 — Five cumulative commercial certification tiers designed as a staged pathway for SMB cyber security.
- customer names a specific framework — Provide the exact certificate or assessment requested rather than assuming another framework's certificate will be accepted.
Produce a control-by-control crosswalk between ISO/IEC 27001:2022, our target Essential Eight maturity level and our proposed SMB1001 tier, identifying shared evidence, partial coverage and every requirement that remains unique.
What does it cost and how long does it take?
ISO, Standards Australia and JAS-ANZ do not publish a universal Australian implementation price because cost depends on scope, headcount, locations, existing controls, risk, documentation, internal capability and certification-body audit time. Australian commercial estimates vary materially: Mindset Cyber estimates A$15,000–A$30,000 and three to six months for organisations with 1–50 staff, A$30,000–A$80,000 and six to nine months for 50–250 staff, and A$80,000 or more and nine to twelve-plus months for larger organisations. CyberForte gives a broader first-certification estimate of approximately A$15,000–A$100,000 or more and says four to nine months is common. These are vendor estimates, not official tariffs, and may include different combinations of consulting, internal audit, technical remediation and certification fees. Budget separately for implementation, internal labour, training, Stage 1 and Stage 2 audits, annual surveillance and three-year recertification.
- small business with 1–50 staff — A current Australian commercial estimate is A$15,000–A$30,000 and three to six months, subject to scope and readiness.
- medium business with 50–250 staff — A current Australian commercial estimate is A$30,000–A$80,000 and six to nine months.
- enterprise with more than 250 staff — A current Australian commercial estimate begins at A$80,000 and nine to twelve-plus months.
- narrow, mature certification scope — Existing governance and security controls can reduce remediation, but the scope must still meet the customer's actual assurance need.
Break the quote into scope and gap assessment, standard licences, consulting, internal labour, policy and evidence development, technical remediation, training, internal audit, Stage 1, Stage 2, surveillance and recertification, with assumptions, exclusions and milestone dates.
What's my next step?
Common misconceptions
- ISO itself audits organisations and issues ISO 27001 certificates. VERIFIED
- Every organisation must implement all 93 Annex A controls to become certified. VERIFIED
- A self-declared claim or consultant-issued badge provides the same assurance as certification by an accredited independent certification body. INFERRED
- An ISO 27001 certificate automatically covers every company, product, location and service operated by the corporate group. INFERRED
- ISO 27001 certification is a one-time project with no surveillance, continual improvement or recertification. VERIFIED
- Certification guarantees that the organisation cannot suffer a cyber incident or data breach. INFERRED
- Outsourcing systems to an MSP or cloud provider transfers all information-security accountability to that provider. VERIFIED
- An ISO/IEC 27001:2013 certificate can still be treated as a current accredited certificate after 31 October 2025. VERIFIED
- ISO 27001 certification automatically proves an Essential Eight maturity level or SMB1001 tier. INFERRED
- A consultant's ISO 27001 Lead Auditor qualification allows that consultant to issue an accredited certificate to its own client. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Contractual or tender ISO 27001 certification requirement | Customer, procuring entity or contracting party | A tender, supplier-security requirement, contract or procurement condition requires the organisation to hold ISO/IEC 27001 certification within a stated scope. | By the deadline stated in the tender or contract and maintained throughout the required contract period and certification cycle. | Potential consequences include failed tender eligibility, delayed onboarding, remediation requirements, breach remedies or loss of the contract; there is no universal statutory penalty for all Australian businesses. |
| Accredited ISO 27001 certification cycle | Accredited certification body under JAS-ANZ or another recognised accreditation body | An organisation seeks and maintains independently certified conformity with ISO/IEC 27001. | Stage 1 readiness and documentation assessment, Stage 2 implementation and effectiveness assessment, surveillance during the three-year cycle, and recertification before expiry. | Certification may be suspended, reduced in scope, withdrawn or allowed to expire if requirements and certification conditions are not maintained. |
| Transition from ISO/IEC 27001:2013 | International Accreditation Forum and participating accreditation and certification bodies | An organisation held accredited certification to ISO/IEC 27001:2013 and wished to retain current certified status. | Transition to ISO/IEC 27001:2022 was required to be completed by 2025-10-31. | A certificate to the 2013 edition could not remain valid beyond the transition period. |
Sources
- ISO/IEC 27001:2022 — Information security management systems primary
- ISO Certification primary
- ISO/IEC 27001:2022/Amd 1:2024 — Climate action changes primary
- ISO/IEC 27006-1:2024 — Requirements for bodies providing audit and certification of information security management systems primary
- AS/NZS ISO/IEC 27001:2023 primary
- AS/NZS ISO/IEC 27001:2023 Amd 1:2024 primary
- Webinar recap: Strengthening defences against cyber threats primary
- ISO/IEC JTC 1/SC 27 Journal 2025 primary
- IAF MD 26:2023 Transition Requirements for ISO/IEC 27001:2022 primary
- ISO/IEC 17021-1 Management System Certification primary
- Accredited Conformity Assessment Signals Trust for End-User primary
- JAS-ANZ Accredited Bodies Register primary
- JAS-ANZ Certified Organisations Register primary
- Essential Eight maturity model primary
- SMB1001 cybersecurity certification primary
- Ten things you should know about ISO/IEC 27001 forum
- How Much Does ISO 27001 Certification Cost in Australia? forum
- ISO 27001 Certification Cost in Australia: What to Expect in 2026 forum
- Mandatory ACSC Essential Eight forum
- Australia's Regulatory Alphabet Soup and Startup Innovation forum
- Buyer Beware: Australian Businesses and ISO Certification forum
- Maintaining ISO Certifications After Surveillance Audit forum
- Essential 8 Security Standards forum
- ISO 27001 Certification Cost in Australia forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.