ISO/IEC 27001 is the most widely adopted international standard for information security management. It gives organisations a repeatable, certifiable way to identify risks, select and operate controls, and prove to customers and regulators that security is managed – not improvised. The current edition, ISO/IEC 27001:2022, restructured the Annex A control set into 93 controls across four themes: organisational, people, physical, and technological.
What certification actually requiresLink to this section
An ISO 27001 certification is not a checklist of 93 controls implemented in isolation. Certification bodies audit a living Information Security Management System (ISMS) – the management system described in Clauses 4 to 10 of the standard – and then verify that the Annex A controls you have deemed applicable genuinely operate.
The management system clauses are where most of the certifiable rigour lives:
- Clause 4 – Context of the organisation. Define the scope of your ISMS, the internal and external issues that affect it, and the needs of interested parties (customers, regulators, staff).
- Clause 5 – Leadership. Demonstrate top-management commitment, establish an information security policy, and assign roles and responsibilities.
- Clause 6 – Planning. Run a documented risk assessment, decide on risk treatment, and produce a Statement of Applicability (SoA) that justifies which Annex A controls apply and why.
- Clause 7 – Support. Provide the resources, competence, awareness, communication, and documented information the ISMS needs to function.
- Clause 8 – Operation. Actually operate the controls and treatments, and keep evidence that they run.
- Clause 9 – Performance evaluation. Monitor and measure, run internal audits, and hold management reviews.
- Clause 10 – Improvement. Manage nonconformities and corrective actions, and continually improve the system.
Certification follows a two-stage external audit: Stage 1 reviews your documentation and readiness, Stage 2 tests the controls in operation. After certification, you maintain it through annual surveillance audits and a full recertification every three years.
How we help teams get audit-readyLink to this section
We are compliance specialists, and we work backwards from your certification body's expectations. That means clarifying scope early, running a defensible risk assessment, prioritising the controls that match your real risks, and building evidence habits your team can sustain long after the audit window closes.
We do the heavy lifting on the management system – scope, risk methodology, SoA, internal audit, and management review – while pairing every Annex A control below with a practical, achievable implementation tailored to your size and stack. Our goal is not just a certificate on the wall, but a security programme your customers trust and your team can actually run.
Typical engagement shapeLink to this section
Most clients start with a gap assessment against the management system clauses and all 93 Annex A controls, then move into a focused remediation sprint on the highest-risk gaps. We pair policy work with operational fixes so documentation and reality stay aligned, run a mock audit to surface issues before the certification body does, and stay alongside you through Stage 1 and Stage 2.
The table below maps every Annex A control in ISO/IEC 27001:2022 to how we help you implement it.
Annex A controls (ISO/IEC 27001:2022)
A.5 Organisational controls
| Ref | Control | How we help |
|---|---|---|
| A.5.1 | Policies for information security | We draft a board-ready policy suite, map every policy back to its Annex A obligations, and run an annual review cycle so approvals, versions, and sign-offs are always audit-ready. |
| A.5.2 | Information security roles and responsibilities | We define a clear RACI for security, appoint named control owners, and embed accountabilities into position descriptions so nothing falls through the cracks. |
| A.5.3 | Segregation of duties | We map conflicting duties, design separation into your approval and access workflows, and document compensating controls wherever full separation is impractical for a smaller team. |
| A.5.4 | Management responsibilities | We help leadership demonstrate visible commitment – resourcing the ISMS, setting the tone, and reinforcing expectations so security is owned from the top down. |
| A.5.5 | Contact with authorities | We build a contact register for regulators, law enforcement, and the ACSC, and bake the right escalation triggers into your incident plan so the correct call is made early. |
| A.5.6 | Contact with special interest groups | We connect your team to relevant security forums, ISACs, and vendor advisories so threat and best-practice intelligence flows in continuously. |
| A.5.7 | Threat intelligence | We stand up a lightweight threat-intelligence routine – curated feeds, triage cadence, and a path from intel to control changes – sized to your risk profile. |
| A.5.8 | Information security in project management | We weave security checkpoints into your project lifecycle so risk is assessed and controls are scoped at every stage, not bolted on at the end. |
| A.5.9 | Inventory of information and other associated assets | We build and maintain an asset and information inventory with assigned owners, then keep it current through your onboarding and change processes. |
| A.5.10 | Acceptable use of information and other associated assets | We write a plain-English acceptable use policy your people will actually follow, covering AI tools, BYOD, and data handling, and reinforce it through awareness training. |
| A.5.11 | Return of assets | We add asset return to your offboarding checklist with tracked sign-off, so devices, credentials, and data come back reliably when people or contracts end. |
| A.5.12 | Classification of information | We design a simple, usable classification scheme tied to your real risks and regulatory duties, then map handling rules to each level. |
| A.5.13 | Labelling of information | We implement practical labelling – document templates, email markings, and tool-based tags – so classification travels with the data. |
| A.5.14 | Information transfer | We define secure transfer rules and agreements for sharing data internally and with third parties, covering email, file sharing, and physical media. |
| A.5.15 | Access control | We establish least-privilege access policy and review cadence, aligning each decision to your Statement of Applicability and data classification. |
| A.5.16 | Identity management | We rationalise identity lifecycle – joiner, mover, leaver – so every account is owned, justified, and traceable to a real person or service. |
| A.5.17 | Authentication information | We set credential and secrets-handling standards, roll out MFA and a password manager or passkeys, and remove shared logins from your environment. |
| A.5.18 | Access rights | We run periodic access recertification, automate de-provisioning where possible, and produce the review evidence assessors look for. |
| A.5.19 | Information security in supplier relationships | We build a supplier risk register and tiering model so security expectations match each vendor's access to your data. |
| A.5.20 | Addressing information security within supplier agreements | We provide security clause templates and review supplier contracts so obligations, breach notification, and audit rights are written in. |
| A.5.21 | Managing information security in the ICT supply chain | We extend due diligence down the ICT supply chain, covering sub-processors and components, so inherited risk is visible and managed. |
| A.5.22 | Monitoring, review and change management of supplier services | We set up a supplier review cadence with service and security reporting, so changes to their posture are caught and assessed. |
| A.5.23 | Information security for use of cloud services | We document cloud responsibility boundaries, configure providers to a hardened baseline, and align acquisition and exit to your ISMS. |
| A.5.24 | Information security incident management planning and preparation | We write an incident response plan with defined roles, severities, and runbooks, then prove it works through a tabletop exercise. |
| A.5.25 | Assessment and decision on information security events | We define triage criteria so events are consistently assessed and classified, turning noise into a clear decision on what is an incident. |
| A.5.26 | Response to information security incidents | We provide response runbooks and on-call support so containment, eradication, and recovery follow a tested, evidence-producing process. |
| A.5.27 | Learning from information security incidents | We facilitate blameless post-incident reviews and feed the lessons back into controls, training, and your risk treatment plan. |
| A.5.28 | Collection of evidence | We establish forensically sound evidence handling and chain-of-custody procedures so you are ready for legal or regulatory follow-up. |
| A.5.29 | Information security during disruption | We integrate security into your continuity planning so controls hold up – rather than lapse – during an outage or crisis. |
| A.5.30 | ICT readiness for business continuity | We define recovery objectives (RTO/RPO), validate them with restoration testing, and document ICT continuity arrangements assessors can verify. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | We build a legal and regulatory obligations register – Privacy Act, sector rules, contractual duties – and map each to controls and owners. |
| A.5.32 | Intellectual property rights | We put software licence and IP controls in place, including a software asset register, to keep you on the right side of usage rights. |
| A.5.33 | Protection of records | We define retention and protection rules for critical records so they stay available, intact, and compliant with statutory periods. |
| A.5.34 | Privacy and protection of PII | We align your ISMS with Australian Privacy Principles and other privacy duties, embedding PII handling, consent, and data-subject rights into operations. |
| A.5.35 | Independent review of information security | We run independent internal reviews and mock audits so issues surface and are fixed well before your certification body arrives. |
| A.5.36 | Compliance with policies, rules and standards | We set up compliance monitoring and attestations so policy adherence is measured continuously, not assumed. |
| A.5.37 | Documented operating procedures | We help you capture key operating procedures as living runbooks, so critical activities are repeatable and not locked in one person's head. |
A.6 People controls
| Ref | Control | How we help |
|---|---|---|
| A.6.1 | Screening | We design proportionate pre-employment screening and background-check procedures with documented, privacy-respecting record keeping. |
| A.6.2 | Terms and conditions of employment | We embed security responsibilities into employment terms and contractor agreements so obligations are clear and enforceable from day one. |
| A.6.3 | Information security awareness, education and training | We deliver an engaging awareness program – role-based modules, phishing simulations, and refreshers – with completion evidence for auditors. |
| A.6.4 | Disciplinary process | We provide a documented, fair disciplinary process for security breaches, coordinated with HR so it is consistent and defensible. |
| A.6.5 | Responsibilities after termination or change of employment | We ensure ongoing duties – confidentiality, IP, access removal – carry through your offboarding and role-change processes. |
| A.6.6 | Confidentiality or non-disclosure agreements | We supply NDA templates and a tracking process so confidentiality is locked in for staff, contractors, and third parties. |
| A.6.7 | Remote working | We write a practical remote and hybrid working policy with device, network, and home-environment controls suited to modern Australian teams. |
| A.6.8 | Information security event reporting | We make reporting effortless with a clear, low-friction channel and a no-blame culture, so issues reach you fast. |
A.7 Physical controls
| Ref | Control | How we help |
|---|---|---|
| A.7.1 | Physical security perimeters | We assess and document physical perimeters for offices and facilities, recommending pragmatic improvements scaled to your footprint. |
| A.7.2 | Physical entry | We define entry controls – access cards, visitor logs, escort rules – and the evidence to show they operate. |
| A.7.3 | Securing offices, rooms and facilities | We help secure sensitive areas with appropriate access restrictions and document the rationale in your risk treatment plan. |
| A.7.4 | Physical security monitoring | We advise on proportionate monitoring – CCTV, alarms, access logging – that respects privacy while deterring and detecting intrusion. |
| A.7.5 | Protecting against physical and environmental threats | We assess fire, flood, power, and environmental risks and document the safeguards, including reliance on cloud and data-centre providers. |
| A.7.6 | Working in secure areas | We define rules for working in sensitive areas and translate them into simple, enforceable practices for your team. |
| A.7.7 | Clear desk and clear screen | We roll out an easy-to-follow clear desk and clear screen standard, reinforced through awareness and auto-lock configuration. |
| A.7.8 | Equipment siting and protection | We review how equipment is sited and protected against theft, damage, and unauthorised viewing, with practical recommendations. |
| A.7.9 | Security of assets off-premises | We set controls for laptops and devices used off-site – encryption, tracking, and handling rules – to keep mobile assets protected. |
| A.7.10 | Storage media | We define secure handling, transport, and lifecycle rules for removable and storage media, including encryption and registers. |
| A.7.11 | Supporting utilities | We document dependencies on power, cooling, and connectivity, and the redundancy or provider assurances that protect them. |
| A.7.12 | Cabling security | We assess cabling and comms infrastructure for tamper and interception risks where relevant to your premises. |
| A.7.13 | Equipment maintenance | We establish maintenance procedures and records that keep equipment reliable without exposing data during servicing. |
| A.7.14 | Secure disposal or re-use of equipment | We implement certified data-wiping and disposal procedures with destruction certificates, so retired equipment never leaks data. |
A.8 Technological controls
| Ref | Control | How we help |
|---|---|---|
| A.8.1 | User end point devices | We define endpoint baselines – encryption, MDM, patching, EDR – and help you enforce them across managed and BYOD fleets. |
| A.8.2 | Privileged access rights | We tighten privileged access with just-in-time elevation, dedicated admin accounts, and regular review of who holds the keys. |
| A.8.3 | Information access restriction | We implement role-based access aligned to classification, so people see only the information their role genuinely requires. |
| A.8.4 | Access to source code | We secure source repositories with branch protection, access controls, and audit trails appropriate to your development workflow. |
| A.8.5 | Secure authentication | We roll out strong authentication – MFA, passkeys, conditional access – and retire weak or shared credentials across your systems. |
| A.8.6 | Capacity management | We set capacity monitoring and forecasting so performance and availability stay ahead of demand. |
| A.8.7 | Protection against malware | We deploy and tune anti-malware and EDR with the right policies, exclusions, and alerting to actually stop threats. |
| A.8.8 | Management of technical vulnerabilities | We stand up a vulnerability management programme with scanning, risk-based SLAs, and remediation evidence for auditors. |
| A.8.9 | Configuration management | We define secure configuration baselines and drift detection so systems stay hardened over time, not just at build. |
| A.8.10 | Information deletion | We implement deletion and retention controls across systems and backups so data is removed when it should be. |
| A.8.11 | Data masking | We apply masking, anonymisation, or pseudonymisation in non-production and reporting contexts to shrink exposure of sensitive data. |
| A.8.12 | Data leakage prevention | We design pragmatic DLP – covering email, endpoints, and cloud apps – focused on your highest-value data flows. |
| A.8.13 | Information backup | We define a backup strategy aligned to RPOs and prove it with regular, documented restoration testing. |
| A.8.14 | Redundancy of information processing facilities | We assess availability requirements and design appropriate redundancy and failover, leveraging your cloud provider's resilience. |
| A.8.15 | Logging | We define a logging standard covering what to capture, protect, and retain, so the right events are there when you need them. |
| A.8.16 | Monitoring activities | We help you build security monitoring and alerting – SIEM or managed detection – tuned to meaningful, actionable signals. |
| A.8.17 | Clock synchronisation | We ensure systems use synchronised, trusted time sources so logs correlate reliably during investigations. |
| A.8.18 | Use of privileged utility programs | We restrict and monitor powerful utilities so they cannot bypass your other controls undetected. |
| A.8.19 | Installation of software on operational systems | We control software installation through allow-listing and change control, keeping production systems clean and known-good. |
| A.8.20 | Networks security | We review and harden network architecture, firewall rules, and segmentation against a defined secure baseline. |
| A.8.21 | Security of network services | We define security requirements and SLAs for network services, whether delivered in-house or by a provider. |
| A.8.22 | Segregation of networks | We design network segmentation to contain breaches and separate sensitive environments from general traffic. |
| A.8.23 | Web filtering | We implement web filtering to block malicious and inappropriate destinations, reducing drive-by and phishing risk. |
| A.8.24 | Use of cryptography | We write a cryptography policy with approved algorithms and key management, and check encryption is applied in transit and at rest. |
| A.8.25 | Secure development life cycle | We embed security into your SDLC with gates, threat modelling, and review steps that fit how your team already ships. |
| A.8.26 | Application security requirements | We help you define security requirements up front for new and changed applications so they are built in, not retrofitted. |
| A.8.27 | Secure system architecture and engineering principles | We codify secure-by-design engineering principles and review architectures against them. |
| A.8.28 | Secure coding | We introduce secure coding standards, linting, and developer training to cut vulnerabilities at the source. |
| A.8.29 | Security testing in development and acceptance | We integrate SAST, DAST, and dependency scanning into your pipeline with clear pass/fail acceptance criteria. |
| A.8.30 | Outsourced development | We set security requirements and assurance checks for outsourced development so third-party code meets your standards. |
| A.8.31 | Separation of development, test and production environments | We help you separate environments and control promotion between them so changes are tested before they reach production. |
| A.8.32 | Change management | We establish lightweight but auditable change control so changes are reviewed, approved, and traceable. |
| A.8.33 | Test information | We govern the use of test data so production information is masked or excluded from lower environments. |
| A.8.34 | Protection of information systems during audit testing | We plan audit and assessment activities to minimise disruption and protect live systems during testing. |