The international standard for information security. We build your management system, implement and operate the controls, and get you ready for certification. Epic IT runs its own ISO 27001:2022 ISMS, so we prepare you the way we run our own.
Book an ISO 27001 Readiness Assessment
Read our ISO 27001 guide for the full walkthrough, see how it compares with Essential Eight and SMB1001, or explore our wider cyber security services.
Epic IT operates its own ISO 27001:2022 ISMS, so we know what the auditor looks for
93 Annex A controls across four themes (organisational, people, physical, technological), each included or excluded according to your risk assessment and justified in the Statement of Applicability
The certificate is valid for three years, with annual surveillance audits by your certification body and a recertification audit before the cycle ends
ISO/IEC 27001 is the international standard for an information security management system, or ISMS. The current version is ISO/IEC 27001:2022. It sets out how you govern security through clauses 4 to 10 (context, leadership, planning and risk assessment, support, operation, performance evaluation, and improvement) and a set of 93 Annex A controls. Your risk assessment decides which of those controls you apply, and the Statement of Applicability records a decision and justification for every one of the 93, whether included or excluded.
Certification is increasingly expected in enterprise and government procurement, and it sits alongside obligations like APRA CPS 234 and the Privacy Act. A growing number of tenders and client due diligence questionnaires now ask for it directly, which is why so many Australian businesses pursue it once they start selling to larger customers.
One point is worth being clear on. The certificate itself is issued only by an accredited certification body, after a two-stage audit. In Australia and New Zealand that normally means a body accredited by JAS-ANZ, though certificates from bodies accredited by other IAF members are recognised internationally. A consultant or managed IT provider cannot issue it. What we do is get you ready and stay beside you through that audit. If you want the detail first, our ISO 27001 guide walks through the whole standard.
We work with businesses across Australia, on site and remotely, taking you from your current security posture to a management system that is ready for a certification audit, then supporting you through it.
We assess your current posture against ISO 27001:2022, across both the management system and the Annex A controls. You get a clear picture of what already exists and where the gaps are before any work begins.
We define the scope, run the risk assessment, build the Statement of Applicability, and write the policies and procedures the standard requires across clauses 4 to 10. This is the management system the auditor weights most heavily.
This is where a managed security provider is different. We implement and operate the technical controls (MFA, endpoint detection and response, logging, access management, patching, and backup), then map each one to its Annex A control with evidence that it is operating, not just a policy that says it should be. Not just documented, actually running.
We set up the records, logging, and reporting an auditor samples at Stage 2, so every control has a clear evidence trail rather than a policy with nothing behind it.
We run the internal audit and management review the standard mandates before certification, and close out findings so there are no surprises when the external auditor arrives.
You engage a JAS-ANZ accredited certification body for the two-stage audit. We stay beside you through the Stage 1 documentation review and the Stage 2 effectiveness audit, and help close any non-conformities so the certificate is issued.
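The steps above come down to one question the Stage 2 auditor asks of every control: is it declared in the Statement of Applicability, is it implemented, and is there current evidence behind it? The script below is an added example of how a readiness team might check that before the internal audit; it is not Epic IT's tooling or part of the standard. The control identifiers are a small illustrative subset of Annex A, and the SoA entries, evidence records, 90-day freshness window and severity labels are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative subset of ISO/IEC 27001:2022 Annex A controls (assumed mapping for
# this example; build your own SoA from the published standard).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.17": "Authentication information",
    "A.7.4": "Physical security monitoring",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
}


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str
    implemented: bool = False


@dataclass
class Evidence:
    control: str
    kind: str        # what was collected, e.g. "MFA enforcement report"
    collected: date  # when it was collected


def check_soa(soa, evidence, as_of, max_age_days=90):
    """Return internal-audit style findings as (control, severity, message).

    Checks, in order: evidence attached to an excluded control, applicable
    controls that are not implemented, implemented controls with no evidence,
    evidence older than max_age_days, and Annex A controls the SoA never decides on.
    """
    by_control = {}
    for e in evidence:
        by_control.setdefault(e.control, []).append(e)

    findings = []
    declared = set()
    for s in soa:
        declared.add(s.control)
        ev = by_control.get(s.control, [])
        if not s.applicable:
            if ev:
                findings.append((s.control, "minor",
                                 "evidence exists for a control excluded from the SoA; revisit applicability"))
            continue
        if not s.implemented:
            findings.append((s.control, "major", "declared applicable but not implemented"))
            continue
        if not ev:
            findings.append((s.control, "major", "implemented but no evidence recorded"))
            continue
        age = (as_of - max(e.collected for e in ev)).days
        if age > max_age_days:
            findings.append((s.control, "minor", f"latest evidence is {age} days old"))

    # The SoA must contain a decision for every Annex A control, not only the applied ones.
    for c in ANNEX_A:
        if c not in declared:
            findings.append((c, "major", "control missing from the SoA; every Annex A control needs a decision"))
    return findings


# Constructed sample data: a fully remote business that excludes physical monitoring.
AS_OF = date(2025, 6, 30)
SOA = [
    SoAEntry("A.5.15", True, "all staff use company systems", implemented=True),
    SoAEntry("A.5.17", True, "passwords and MFA secrets are issued centrally", implemented=True),
    SoAEntry("A.8.5", True, "MFA enforced on all remote access", implemented=True),
    SoAEntry("A.8.7", True, "EDR deployed to every endpoint", implemented=True),
    SoAEntry("A.8.8", True, "monthly patch cycle", implemented=True),
    SoAEntry("A.8.13", True, "nightly backups of in-scope systems", implemented=True),
    SoAEntry("A.7.4", False, "no premises in scope; fully remote workforce"),
    # A.8.15 (Logging) is deliberately left out of the SoA to show the gap finding.
]
EVIDENCE = [
    Evidence("A.5.15", "quarterly access review sign-off", date(2025, 5, 12)),
    Evidence("A.5.17", "password policy export", date(2025, 6, 1)),
    Evidence("A.8.5", "MFA enforcement report", date(2025, 6, 20)),
    Evidence("A.8.7", "EDR coverage report", date(2025, 6, 25)),
    Evidence("A.8.8", "patch compliance report", date(2025, 2, 10)),  # stale
    Evidence("A.7.4", "CCTV log export", date(2025, 6, 1)),            # for an excluded control
]

if __name__ == "__main__":
    for control, severity, message in check_soa(SOA, EVIDENCE, AS_OF):
        print(f"{severity.upper():5} {control:7} {ANNEX_A[control]}: {message}")
```

Run against the sample data it reports four findings: the stale patch evidence for A.8.8, the backups (A.8.13) that run but have no restore test or report on file, evidence attached to the excluded A.7.4, and A.8.15 missing from the SoA entirely. The last two are the ones teams most often miss, because a control that is "not applicable" still needs a recorded decision, and a control that was never decided on is a non-conformity regardless of whether the technology exists.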
Most ISO 27001 support does only half the job. GRC consultants write your policies, scope, and Statement of Applicability, but cannot implement or operate the technical controls, so you are left finding someone else to actually run MFA, logging, access control, and backup. DIY toolkits hand you templates with nothing operating underneath.
We close that loop. As a Microsoft Solutions Partner and managed security provider, we build and run the management system and we implement and operate the technical controls, so the controls declared in your Statement of Applicability are genuinely live with evidence behind them. Because we often already run your Essential Eight controls, mapping them into your ISMS is faster than starting cold. See our managed cyber security service for the controls we operate day to day.
Certification is most often driven by what your customers and regulators expect, rather than something you choose for its own sake.
Enterprise buyers and procurement teams expect ISO 27001 before they will sign. For many software and technology firms it has shifted from an advantage to a baseline requirement.
Firms handling sensitive client data use certification to pass due diligence and win work with larger clients who ask for proof of security governance.
Suppliers to larger organisations, where certification is increasingly a precondition in tenders and vendor approval, alongside APRA CPS 234 and Privacy Act expectations across the supply chain.
Businesses with a security foundation already in place that now need a formal, internationally recognised certificate. If you hold SMB1001 or run Essential Eight, much of the groundwork is done.
Practices, clinics, and health technology companies handling patient data use ISO 27001 to show the governance behind their security and to support their Privacy Act obligations. See our healthcare IT work.
Businesses in the defence supply chain often pursue ISO 27001 alongside their DISP obligations, because the management system work overlaps and a recognised certificate supports tender eligibility.
Every ISMS is scoped to the business, so these are realistic ranges rather than fixed prices. We give you a firm picture after the gap assessment.
Most Australian SMBs reach certification-ready in six to twelve months. If you already run Essential Eight or hold SMB1001, you can often be ready in three to four months, because much of the control work is already done.
Readiness work for a small to medium business typically runs in the tens of thousands, depending on scope, size, and how much security maturity you already have. Certification body audit fees are separate and paid directly to your accredited body.
You do not have to certify the whole organisation on day one. A focused scope around the systems and services that matter most costs less to certify and maintain, and you can widen it in later audit cycles.
Certification runs on a three-year cycle: annual surveillance audits in years one and two, then a recertification audit before the certificate expires. As your managed security provider, we keep the controls running and the evidence current between audits, so surveillance is not a scramble.
ISO 27001 is the international standard for an information security management system. Certification means a certification body accredited by JAS-ANZ has audited your management system against ISO/IEC 27001:2022 and confirmed it meets the standard. Epic IT helps Australian businesses build the ISMS, implement the controls, and get audit-ready so that certification goes smoothly.
No, and no consultant or IT provider can. The certificate is issued only by a certification body accredited by JAS-ANZ, after a Stage 1 and Stage 2 audit. What Epic IT does is get you ISO 27001 certification-ready: we build the ISMS, implement and operate the controls, and support you through the audit. We are ISO 27001:2022 certified ourselves, so we prepare you the way we run our own system.
Most Australian businesses take six to twelve months from a standing start. If you already run Essential Eight or hold SMB1001 certification, you can often be ready in three to four months, because much of the control and evidence work is already in place.
For a small to medium business, ISO 27001 readiness typically runs in the tens of thousands, depending on scope and how much security maturity you already have. Certification body audit fees are separate and paid to your accredited body. A tightly scoped ISMS costs less than certifying the whole organisation at once, so we help you scope it sensibly first.
Essential Eight and SMB1001 are control-focused frameworks. ISO 27001 is a full management system that wraps governance, risk, and continual improvement around your controls, and it carries an internationally recognised certificate. Many Australian businesses climb the ladder in order: SMB1001 first, then Essential Eight, then ISO 27001 when a client or tender requires it.
Not always, because they answer different questions. Essential Eight proves technical control maturity, while ISO 27001 gives you a certified management system that enterprise and government buyers recognise. The good news is that if your Essential Eight controls are already running, much of the ISO 27001 technical work is done, which makes the step up faster and cheaper than starting from scratch.