New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Information security

ISO/IEC 27001 Information Security Management

The international standard for establishing, implementing, operating, and continually improving an information security management system (ISMS).

ISO/IEC 27001 is the most widely adopted international standard for information security management. It gives organisations a repeatable, certifiable way to identify risks, select and operate controls, and prove to customers and regulators that security is managed – not improvised. The current edition, ISO/IEC 27001:2022, restructured the Annex A control set into 93 controls across four themes: organisational, people, physical, and technological.

What certification actually requiresLink to this section

An ISO 27001 certification is not a checklist of 93 controls implemented in isolation. Certification bodies audit a living Information Security Management System (ISMS) – the management system described in Clauses 4 to 10 of the standard – and then verify that the Annex A controls you have deemed applicable genuinely operate.

The management system clauses are where most of the certifiable rigour lives:

  • Clause 4 – Context of the organisation. Define the scope of your ISMS, the internal and external issues that affect it, and the needs of interested parties (customers, regulators, staff).
  • Clause 5 – Leadership. Demonstrate top-management commitment, establish an information security policy, and assign roles and responsibilities.
  • Clause 6 – Planning. Run a documented risk assessment, decide on risk treatment, and produce a Statement of Applicability (SoA) that justifies which Annex A controls apply and why.
  • Clause 7 – Support. Provide the resources, competence, awareness, communication, and documented information the ISMS needs to function.
  • Clause 8 – Operation. Actually operate the controls and treatments, and keep evidence that they run.
  • Clause 9 – Performance evaluation. Monitor and measure, run internal audits, and hold management reviews.
  • Clause 10 – Improvement. Manage nonconformities and corrective actions, and continually improve the system.

Certification follows a two-stage external audit: Stage 1 reviews your documentation and readiness, Stage 2 tests the controls in operation. After certification, you maintain it through annual surveillance audits and a full recertification every three years.

How we help teams get audit-readyLink to this section

We are compliance specialists, and we work backwards from your certification body's expectations. That means clarifying scope early, running a defensible risk assessment, prioritising the controls that match your real risks, and building evidence habits your team can sustain long after the audit window closes.

We do the heavy lifting on the management system – scope, risk methodology, SoA, internal audit, and management review – while pairing every Annex A control below with a practical, achievable implementation tailored to your size and stack. Our goal is not just a certificate on the wall, but a security programme your customers trust and your team can actually run.

Typical engagement shapeLink to this section

Most clients start with a gap assessment against the management system clauses and all 93 Annex A controls, then move into a focused remediation sprint on the highest-risk gaps. We pair policy work with operational fixes so documentation and reality stay aligned, run a mock audit to surface issues before the certification body does, and stay alongside you through Stage 1 and Stage 2.

The table below maps every Annex A control in ISO/IEC 27001:2022 to how we help you implement it.

Annex A controls (ISO/IEC 27001:2022)

A.5 Organisational controls

RefControlHow we help
A.5.1Policies for information securityWe draft a board-ready policy suite, map every policy back to its Annex A obligations, and run an annual review cycle so approvals, versions, and sign-offs are always audit-ready.
A.5.2Information security roles and responsibilitiesWe define a clear RACI for security, appoint named control owners, and embed accountabilities into position descriptions so nothing falls through the cracks.
A.5.3Segregation of dutiesWe map conflicting duties, design separation into your approval and access workflows, and document compensating controls wherever full separation is impractical for a smaller team.
A.5.4Management responsibilitiesWe help leadership demonstrate visible commitment – resourcing the ISMS, setting the tone, and reinforcing expectations so security is owned from the top down.
A.5.5Contact with authoritiesWe build a contact register for regulators, law enforcement, and the ACSC, and bake the right escalation triggers into your incident plan so the correct call is made early.
A.5.6Contact with special interest groupsWe connect your team to relevant security forums, ISACs, and vendor advisories so threat and best-practice intelligence flows in continuously.
A.5.7Threat intelligenceWe stand up a lightweight threat-intelligence routine – curated feeds, triage cadence, and a path from intel to control changes – sized to your risk profile.
A.5.8Information security in project managementWe weave security checkpoints into your project lifecycle so risk is assessed and controls are scoped at every stage, not bolted on at the end.
A.5.9Inventory of information and other associated assetsWe build and maintain an asset and information inventory with assigned owners, then keep it current through your onboarding and change processes.
A.5.10Acceptable use of information and other associated assetsWe write a plain-English acceptable use policy your people will actually follow, covering AI tools, BYOD, and data handling, and reinforce it through awareness training.
A.5.11Return of assetsWe add asset return to your offboarding checklist with tracked sign-off, so devices, credentials, and data come back reliably when people or contracts end.
A.5.12Classification of informationWe design a simple, usable classification scheme tied to your real risks and regulatory duties, then map handling rules to each level.
A.5.13Labelling of informationWe implement practical labelling – document templates, email markings, and tool-based tags – so classification travels with the data.
A.5.14Information transferWe define secure transfer rules and agreements for sharing data internally and with third parties, covering email, file sharing, and physical media.
A.5.15Access controlWe establish least-privilege access policy and review cadence, aligning each decision to your Statement of Applicability and data classification.
A.5.16Identity managementWe rationalise identity lifecycle – joiner, mover, leaver – so every account is owned, justified, and traceable to a real person or service.
A.5.17Authentication informationWe set credential and secrets-handling standards, roll out MFA and a password manager or passkeys, and remove shared logins from your environment.
A.5.18Access rightsWe run periodic access recertification, automate de-provisioning where possible, and produce the review evidence assessors look for.
A.5.19Information security in supplier relationshipsWe build a supplier risk register and tiering model so security expectations match each vendor's access to your data.
A.5.20Addressing information security within supplier agreementsWe provide security clause templates and review supplier contracts so obligations, breach notification, and audit rights are written in.
A.5.21Managing information security in the ICT supply chainWe extend due diligence down the ICT supply chain, covering sub-processors and components, so inherited risk is visible and managed.
A.5.22Monitoring, review and change management of supplier servicesWe set up a supplier review cadence with service and security reporting, so changes to their posture are caught and assessed.
A.5.23Information security for use of cloud servicesWe document cloud responsibility boundaries, configure providers to a hardened baseline, and align acquisition and exit to your ISMS.
A.5.24Information security incident management planning and preparationWe write an incident response plan with defined roles, severities, and runbooks, then prove it works through a tabletop exercise.
A.5.25Assessment and decision on information security eventsWe define triage criteria so events are consistently assessed and classified, turning noise into a clear decision on what is an incident.
A.5.26Response to information security incidentsWe provide response runbooks and on-call support so containment, eradication, and recovery follow a tested, evidence-producing process.
A.5.27Learning from information security incidentsWe facilitate blameless post-incident reviews and feed the lessons back into controls, training, and your risk treatment plan.
A.5.28Collection of evidenceWe establish forensically sound evidence handling and chain-of-custody procedures so you are ready for legal or regulatory follow-up.
A.5.29Information security during disruptionWe integrate security into your continuity planning so controls hold up – rather than lapse – during an outage or crisis.
A.5.30ICT readiness for business continuityWe define recovery objectives (RTO/RPO), validate them with restoration testing, and document ICT continuity arrangements assessors can verify.
A.5.31Legal, statutory, regulatory and contractual requirementsWe build a legal and regulatory obligations register – Privacy Act, sector rules, contractual duties – and map each to controls and owners.
A.5.32Intellectual property rightsWe put software licence and IP controls in place, including a software asset register, to keep you on the right side of usage rights.
A.5.33Protection of recordsWe define retention and protection rules for critical records so they stay available, intact, and compliant with statutory periods.
A.5.34Privacy and protection of PIIWe align your ISMS with Australian Privacy Principles and other privacy duties, embedding PII handling, consent, and data-subject rights into operations.
A.5.35Independent review of information securityWe run independent internal reviews and mock audits so issues surface and are fixed well before your certification body arrives.
A.5.36Compliance with policies, rules and standardsWe set up compliance monitoring and attestations so policy adherence is measured continuously, not assumed.
A.5.37Documented operating proceduresWe help you capture key operating procedures as living runbooks, so critical activities are repeatable and not locked in one person's head.

A.6 People controls

RefControlHow we help
A.6.1ScreeningWe design proportionate pre-employment screening and background-check procedures with documented, privacy-respecting record keeping.
A.6.2Terms and conditions of employmentWe embed security responsibilities into employment terms and contractor agreements so obligations are clear and enforceable from day one.
A.6.3Information security awareness, education and trainingWe deliver an engaging awareness program – role-based modules, phishing simulations, and refreshers – with completion evidence for auditors.
A.6.4Disciplinary processWe provide a documented, fair disciplinary process for security breaches, coordinated with HR so it is consistent and defensible.
A.6.5Responsibilities after termination or change of employmentWe ensure ongoing duties – confidentiality, IP, access removal – carry through your offboarding and role-change processes.
A.6.6Confidentiality or non-disclosure agreementsWe supply NDA templates and a tracking process so confidentiality is locked in for staff, contractors, and third parties.
A.6.7Remote workingWe write a practical remote and hybrid working policy with device, network, and home-environment controls suited to modern Australian teams.
A.6.8Information security event reportingWe make reporting effortless with a clear, low-friction channel and a no-blame culture, so issues reach you fast.

A.7 Physical controls

RefControlHow we help
A.7.1Physical security perimetersWe assess and document physical perimeters for offices and facilities, recommending pragmatic improvements scaled to your footprint.
A.7.2Physical entryWe define entry controls – access cards, visitor logs, escort rules – and the evidence to show they operate.
A.7.3Securing offices, rooms and facilitiesWe help secure sensitive areas with appropriate access restrictions and document the rationale in your risk treatment plan.
A.7.4Physical security monitoringWe advise on proportionate monitoring – CCTV, alarms, access logging – that respects privacy while deterring and detecting intrusion.
A.7.5Protecting against physical and environmental threatsWe assess fire, flood, power, and environmental risks and document the safeguards, including reliance on cloud and data-centre providers.
A.7.6Working in secure areasWe define rules for working in sensitive areas and translate them into simple, enforceable practices for your team.
A.7.7Clear desk and clear screenWe roll out an easy-to-follow clear desk and clear screen standard, reinforced through awareness and auto-lock configuration.
A.7.8Equipment siting and protectionWe review how equipment is sited and protected against theft, damage, and unauthorised viewing, with practical recommendations.
A.7.9Security of assets off-premisesWe set controls for laptops and devices used off-site – encryption, tracking, and handling rules – to keep mobile assets protected.
A.7.10Storage mediaWe define secure handling, transport, and lifecycle rules for removable and storage media, including encryption and registers.
A.7.11Supporting utilitiesWe document dependencies on power, cooling, and connectivity, and the redundancy or provider assurances that protect them.
A.7.12Cabling securityWe assess cabling and comms infrastructure for tamper and interception risks where relevant to your premises.
A.7.13Equipment maintenanceWe establish maintenance procedures and records that keep equipment reliable without exposing data during servicing.
A.7.14Secure disposal or re-use of equipmentWe implement certified data-wiping and disposal procedures with destruction certificates, so retired equipment never leaks data.

A.8 Technological controls

RefControlHow we help
A.8.1User end point devicesWe define endpoint baselines – encryption, MDM, patching, EDR – and help you enforce them across managed and BYOD fleets.
A.8.2Privileged access rightsWe tighten privileged access with just-in-time elevation, dedicated admin accounts, and regular review of who holds the keys.
A.8.3Information access restrictionWe implement role-based access aligned to classification, so people see only the information their role genuinely requires.
A.8.4Access to source codeWe secure source repositories with branch protection, access controls, and audit trails appropriate to your development workflow.
A.8.5Secure authenticationWe roll out strong authentication – MFA, passkeys, conditional access – and retire weak or shared credentials across your systems.
A.8.6Capacity managementWe set capacity monitoring and forecasting so performance and availability stay ahead of demand.
A.8.7Protection against malwareWe deploy and tune anti-malware and EDR with the right policies, exclusions, and alerting to actually stop threats.
A.8.8Management of technical vulnerabilitiesWe stand up a vulnerability management programme with scanning, risk-based SLAs, and remediation evidence for auditors.
A.8.9Configuration managementWe define secure configuration baselines and drift detection so systems stay hardened over time, not just at build.
A.8.10Information deletionWe implement deletion and retention controls across systems and backups so data is removed when it should be.
A.8.11Data maskingWe apply masking, anonymisation, or pseudonymisation in non-production and reporting contexts to shrink exposure of sensitive data.
A.8.12Data leakage preventionWe design pragmatic DLP – covering email, endpoints, and cloud apps – focused on your highest-value data flows.
A.8.13Information backupWe define a backup strategy aligned to RPOs and prove it with regular, documented restoration testing.
A.8.14Redundancy of information processing facilitiesWe assess availability requirements and design appropriate redundancy and failover, leveraging your cloud provider's resilience.
A.8.15LoggingWe define a logging standard covering what to capture, protect, and retain, so the right events are there when you need them.
A.8.16Monitoring activitiesWe help you build security monitoring and alerting – SIEM or managed detection – tuned to meaningful, actionable signals.
A.8.17Clock synchronisationWe ensure systems use synchronised, trusted time sources so logs correlate reliably during investigations.
A.8.18Use of privileged utility programsWe restrict and monitor powerful utilities so they cannot bypass your other controls undetected.
A.8.19Installation of software on operational systemsWe control software installation through allow-listing and change control, keeping production systems clean and known-good.
A.8.20Networks securityWe review and harden network architecture, firewall rules, and segmentation against a defined secure baseline.
A.8.21Security of network servicesWe define security requirements and SLAs for network services, whether delivered in-house or by a provider.
A.8.22Segregation of networksWe design network segmentation to contain breaches and separate sensitive environments from general traffic.
A.8.23Web filteringWe implement web filtering to block malicious and inappropriate destinations, reducing drive-by and phishing risk.
A.8.24Use of cryptographyWe write a cryptography policy with approved algorithms and key management, and check encryption is applied in transit and at rest.
A.8.25Secure development life cycleWe embed security into your SDLC with gates, threat modelling, and review steps that fit how your team already ships.
A.8.26Application security requirementsWe help you define security requirements up front for new and changed applications so they are built in, not retrofitted.
A.8.27Secure system architecture and engineering principlesWe codify secure-by-design engineering principles and review architectures against them.
A.8.28Secure codingWe introduce secure coding standards, linting, and developer training to cut vulnerabilities at the source.
A.8.29Security testing in development and acceptanceWe integrate SAST, DAST, and dependency scanning into your pipeline with clear pass/fail acceptance criteria.
A.8.30Outsourced developmentWe set security requirements and assurance checks for outsourced development so third-party code meets your standards.
A.8.31Separation of development, test and production environmentsWe help you separate environments and control promotion between them so changes are tested before they reach production.
A.8.32Change managementWe establish lightweight but auditable change control so changes are reviewed, approved, and traceable.
A.8.33Test informationWe govern the use of test data so production information is masked or excluded from lower environments.
A.8.34Protection of information systems during audit testingWe plan audit and assessment activities to minimise disruption and protect live systems during testing.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.