ISO 27001 guidance
Get expert cyber guidance when attaining ISO 27001:2022 certification
We provide Australian and UK organisations with leadership and guidance to attain ISO 27001:2022 certification
As one of the first organisations in Australia to achieve ISO 27001:2022, and with several members of our team being qualified senior ISO 27001 auditors, we are very familiar with the process and pitfalls. Let us help you sail through the process.
Why ISO 27001?
Improve your organisation's risk posture
ISO 27001 is a set of best practices for information security management. It provides organisations with a framework for identifying, assessing, and mitigating risks to their information assets. By implementing the controls recommended by ISO 27001, your organisation can reduce the likelihood of a security incident occurring and minimise the impact if one does occur.
Meet your legal requirements
Many contracts, partnerships and regulations require participating organisations to attain ISO 27001 certification because it provides a framework for managing information security risks. It is the best available proof that your organisation has deeply considered cyber risk and put a plan in place to mitigate it.
Gain trust in the marketplace
ISO 27001 certification demonstrates to your customers, suppliers and stakeholders that your organisation has implemented a robust information security management system. This can result in a competitive business advantage—opening up new partnerships, contracts and markets—because it builds trust in your ability to protect others' information.
Our steps to help your organisation with ISO 27001 certification
1. Get to know your business
We take time to really get to know your organisation—your people, processes and goals. We study your systems and documentation, interview leaders in your company, and run workshops to understand how the whole ecosystem links together.
2. Assess your current position against ISO 27001
Once we have a thorough understanding of your organisation, our consultants capture specific details of how cyber security is managed throughout your business. This is where we compare what your organisation has in place today in terms of cyber security with the requirements of the ISO 27001 standard. With this information, a tailored implementation roadmap is formed.
3. Identifying the things that matter
Next, our consultants get very familiar with your risk management system. We address questions such as: What information assets does your organisation have? What are the threats to these assets? What are the vulnerabilities of these assets? What is the likelihood of each threat occurring? This helps us develop a risk management plan tailored to your organisation's specific needs.
4. Governance and documentation
Next, we set up an ISO 27001 governance framework that steers everything else in your cyber security practices. We then work through all the documentation required for ISO 27001 certification. We tackle each topic to ensure we are not only ticking the compliance boxes for ISO 27001 but also building something that can be used to protect your business in a worst-case scenario.
5. Training and transferring knowledge
We help train your team and transfer knowledge so that everyone in your company is brought along for the journey. We also help upskill the key operators of your management system so they are confident maintaining the ISO 27001 policies on an ongoing basis.
6. Ongoing audits and cyber maintenance
Once certification is achieved, we can support your organisation with ongoing maintenance of your information security management system. This includes helping with evidence collection and policy updates, and conducting the internal audits required to maintain ISO 27001 certification. It means you can get on with other things, confident that your organisation is protected against cyber threats.
What is ISO 27001 certification?
ISO 27001 provides a structured approach to identifying and managing cyber risk. It also proves to third parties—other businesses, organisations and consumers—that you have deeply considered and invested in your cyber security practices.
ISO 27001 is part of the ISO 27000 family, an internationally recognised set of standards for information technology security. ISO stands for the International Organization for Standardization, and 27001 refers to the information security management system standard.
ISO 27001 defines the management clauses to be adhered to by the governance processes within the business. It includes a list of controls—Annex A—designed to uplift cyber security practices.
ISO 27002 provides guidance on how to implement these Annex A controls.
The process of certification covers governance elements, roles and responsibilities, and the development of systems to manage information security. It also brings in elements of risk and considers how these elements affect the deployment and implementation of your management system.
ISO 27001 certification also requires businesses to develop methods to ensure they are continually updating and improving their cyber security posture through internal auditing, management reviews, and defining metrics worth tracking.
Not all ISO 27001 implementations are equal
While ISO 27001 is a good measure of cyber security, it's not perfect. There are two ways to complete ISO 27001: a generic, stock-standard approach, or a bespoke plan that really considers your organisation. Both might tick the boxes for certification, but in the event of a real-life incident, only the plan that has really considered your business will be helpful. So, if you're going to take the trouble to go through the process, do yourself a favour and do it right the first time round. Use the opportunity to take charge of your cyber security journey. Let us partner with you to achieve this goal!