ISO 27001 is the international standard for running information security as a system rather than a pile of tools. It is the credential a tender means when it asks “are you certified?”, and for a growing number of Australian businesses it has quietly shifted from a nice-to-have to the price of being allowed to bid. If a large customer or a government panel is in your future, this is the standard that decides whether you are in the room.

It is also a credential plenty of businesses chase too early, or in a panic, because one customer mentioned it once. So before you spend a dollar, get clear on what it is and whether you are at that point yet.

What is ISO 27001?

ISO/IEC 27001 is the international standard for an Information Security Management System, or ISMS, a risk-based and organisation-wide way of managing the security of the information your business holds. Its full title is Information security, cybersecurity and privacy protection — Information security management systems — Requirements, and the current version is ISO/IEC 27001:2022.

The word doing the work there is system. ISO 27001 sits a level above the firewalls and the passwords. It is the framework for deciding what information matters, what could go wrong with it, which controls you put in place, and how you keep checking those controls still work. Antivirus and multi-factor authentication are controls that live inside the system. The standard is the management layer above them that decides which ones you need and shows you are running them.

It is certifiable, which is the part that gives it commercial weight. An accredited body audits you and issues a certificate valid for three years, with annual surveillance audits in between. In Australia, you want a body accredited by JAS-ANZ for the certificate to carry weight in tenders.

What changed in ISO 27001:2022, and why it matters now

The 2022 edition is the only version you can certify against, because the transition window for the old 2013 edition closed on 31 October 2025. Any certificate still referencing ISO/IEC 27001:2013 is now out of date. If you are starting fresh, you start on 2022.

The substantive change is in Annex A, the catalogue of controls. The 2022 version consolidated the old 114 controls across 14 domains into 93 controls grouped under four themes:

ThemeControlsWhat it covers
Organisational37Policies, roles, supplier relationships, incident management, the management scaffolding
People8Screening, awareness, responsibilities, remote working
Physical14Facilities, equipment, secure areas, media handling
Technological34Access control, cryptography, logging, secure development, the technical controls

It also added 11 new controls built for how businesses operate now, covering threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, secure coding and more. Those additions are the standard catching up to cloud and modern software delivery, which is where a lot of Australian SMB risk now lives.

Why does ISO 27001 matter?

ISO 27001 is the most widely recognised way to prove, to someone who does not trust you yet, that you manage security properly. Anyone can claim their security is good. A certificate from an accredited auditor is a third party saying it for you, in a language procurement teams already read fluently.

That proof opens specific doors. Security questionnaires get shorter, because the certificate answers most of them in one stroke. Vendor-onboarding gates at large enterprises stop being a wall. Tenders, government and corporate, often score or mandate it outright. And cyber insurers increasingly want to see it before they will price your cover, because they are buying evidence of a managed program rather than a promise.

There is a quieter benefit too. The work of getting certified forces decisions a lot of businesses keep deferring, like who owns security, what data matters, and what you would do in the first hour of a breach. Plenty of organisations come out the other side saying the certificate mattered less than the arguments it forced them to finally have.

Who needs ISO 27001, and when?

In practice, the standard becomes your problem the moment someone you want to do business with makes it a condition, which is what turns a voluntary credential into a practical one. It fits any organisation of any size, but fitting you and being justified yet are different things. The triggers below are the test:

  • A tender or RFP names ISO 27001 as mandatory or scored. This is the most common trigger and the hardest to argue with.
  • A large enterprise customer makes it a condition of onboarding you as a vendor.
  • You are pursuing government work, where you will often meet the Essential Eight for technical assurance and ISO 27001 for organisational assurance.
  • You handle sensitive personal or customer data at a scale that draws privacy and supply-chain scrutiny.
  • Your cyber insurer is asking for evidence of a managed security program to bind or price cover.

If none of those is true, you may not need the certificate yet, and there is a smarter sequence. Start with the Australian Signals Directorate’s Essential Eight as your technical baseline, get your information security in order, and pursue certification when a contract requires it. Building the management system early and certifying on demand is cheaper than scrambling when a tender lands with a four-week deadline.

How much does ISO 27001 cost and how long does it take?

For a typical small Australian business, first certification commonly lands in the tens of thousands of dollars once you add readiness work to the external audit, over a timeline of roughly four to six months. That figure moves a lot with scope, headcount, and how much you do in-house, so treat any number you read, including this one, as a planning estimate rather than a quote.

The path looks the same even when the price does not. You start with a gap assessment to see where you stand, then scoping and risk assessment, building the management system and its Statement of Applicability, and an internal audit, before the external Stage 1 audit (is the system documented and ready?) and Stage 2 audit (is it working in practice?). After that the certificate runs three years, with a lighter surveillance audit each year and a full recertification at the end. The ongoing cost is smaller than the first push, though it never drops to zero.

The ISO 27001 certification journey: a gap assessment, building the management system, an internal audit, then the Stage 1 and Stage 2 external audits, the certificate itself, and the annual surveillance audits that follow

ISO 27001 vs the alternatives

ISO 27001 is the broadest-travelling security credential, but it is not the only one Australian businesses get asked for, and they solve different problems:

  • SOC 2 is a US attestation report rather than a certificate, and it is most relevant when your buyers are American. ISO 27001 is usually the more efficient first move for Australian and European-facing businesses, and much of the underlying control work carries over if you later need SOC 2 as well.
  • The Essential Eight is a technical baseline from the ASD rather than a management system. It is excellent, and it sits underneath ISO 27001 rather than replacing it.
  • IRAP and the Information Security Manual are the path for handling Australian Government data at PROTECTED and above. There is significant control overlap with ISO 27001, but IRAP is more prescriptive and serves a specific government-data purpose.
  • ISO 42001 is the newer AI management system standard, and it is built on the same structure as ISO 27001. If you certify to 27001, you can extend much of that system to govern AI rather than start again.

Build it before you need it

ISO 27001 is voluntary on paper and close to mandatory in practice for any Australian business chasing enterprise or government work. The mistake is treating it as a certificate to buy under deadline pressure rather than a system to build before the deadline exists. Sort out who owns security and get the fundamentals in place early, and the day a tender names the standard, certification is paperwork rather than a fire drill.

The hard part is usually capacity. Few small businesses have someone whose week has room to drive security strategy and certification readiness on top of the day job. A Fractional CIO or CTO carries that load on a retainer, and our Security Assessments give you a clear map of where you stand before you commit to an audit timeline.

The certificate is the visible part. What you are paying for is the ability to show, in writing, that if your most sensitive information were exposed tomorrow, a working system was already there to contain it.

Frequently asked questions

No. ISO 27001 is voluntary in Australia. There is no general law requiring a private business to hold it. What makes it close to compulsory in practice is contracts. Tenders, enterprise customers, and supply-chain due diligence increasingly name it as a condition of doing business, so for many companies it is a commercial requirement even though it is not a legal one.

The 2022 edition restructured Annex A from 114 controls across 14 domains down to 93 controls in four themes: Organisational, People, Physical, and Technological. It added 11 new controls covering modern risks like threat intelligence, cloud-service security, data masking, and secure coding. The transition deadline has passed: ISO/IEC 27001:2013 certificates had to move to the 2022 version by 31 October 2025, so 2022 is the only version you can certify against now.

For a small Australian business it commonly takes somewhere in the region of four to six months from kickoff to certificate, depending on how mature your security already is and how much of the work you outsource. The path runs through a gap assessment, building the management system, an internal audit, then a two-stage external audit by an accredited body. Treat any timeline you see as a planning estimate, because scope and readiness move it significantly.

ISO 27001 is a whole-of-organisation management system; the Essential Eight is a focused set of eight technical mitigations from the Australian Signals Directorate. They are complementary, not competing. The Essential Eight is a strong technical baseline, mostly aimed at Microsoft-centric endpoints and infrastructure, and it sits comfortably underneath an ISO 27001 management system. Many Australian businesses are asked for both, the Essential Eight for technical assurance and ISO 27001 for organisational assurance.

It depends on who is asking. SOC 2 is a US attestation report, common when your buyers are American SaaS companies. ISO 27001 is an internationally recognised certificate and is usually the more efficient first move for Australian and European-facing businesses. If your customers are split across regions, ISO 27001 tends to be the broader-travelling credential, and a lot of the underlying work overlaps if you later need SOC 2 as well.

Security assessment

Working out whether you need ISO 27001?

Book a free Discovery Call with InnovateX Solutions. We'll tell you whether certification makes sense for your business yet, or whether the controls matter more than the certificate right now.

Senior-led and Australian-owned. We'll map where you stand against ISO 27001 and the Essential Eight, and give you a phased plan scoped to the business you run.