How to get my company ISO 27001 certified in Australia
By Aegentra Security Team — NV1-cleared ISO 27001 practitioners · Updated 14 July 2026
Every step from “we should do this” to a framed certificate — what your company does, what Aegentra does, who charges what at each stage, when to book the certification body, which departments go in scope, and what happens every year after certification.
In short: to get your company ISO 27001 certified in Australia, pick a scope and an executive sponsor, run a Week 0 discovery, build the ISMS over roughly 12 weeks (readiness typically $25k–$55k fixed-fee with Aegentra), book a JAS-ANZ-accredited certification body in week one, pass an internal audit, then the body’s Stage 1 and Stage 2 audits. The certificate lasts three years, with annual surveillance audits (starting at $2,500, paid to the body) in years one and two.
Why your company needs the certificate
Win tenders you currently lose — government and enterprise procurement increasingly shortlists ISO 27001-certified suppliers; PSPF-aligned buyers ask for it by name.
Unlock enterprise customers — security questionnaires collapse from weeks to a certificate number.
Answer regulators once — one ISMS gives a defensible story for APRA CPS 234, the SOCI Act, the Privacy Act, and the Essential Eight conversation.
Better cyber-insurance terms — a certified, evidenced ISMS is the strongest signal an SMB can show at renewal.
Actually harder to breach — the certificate is the by-product; the real product is 93 Annex A controls configured and monitored in your tenant.
Faster sales cycles — certified vendors publish the certificate and move straight to commercial terms.
The certification journey at a glance
Week 0 discovery → week 1 book the certification body → weeks 1–9 build the ISMS → weeks 10–11 internal audit and management review → week 12+ Stage 1 and Stage 2 audits → certified for three years → annual surveillance in years one and two → re-certification in year three.
Step by step — who does what, who charges what
Two wallets are involved: Aegentra (fixed-fee readiness work) and the certification body (audit fees). Keeping them separate is what makes the certificate credible.
Pick your scope and a sponsor (before day one — free). Decide which parts of the business are being certified — you do not need every department — and name an executive sponsor with budget and authority. Aegentra helps you draw a defensible scope boundary auditors accept.
Week 0 — discovery and fixed-price plan (included). A senior engineer maps your Microsoft 365 tenant, contracts, and risk appetite. You get a fixed scope, a fixed price, and a named lead before any work starts.
Week 1 — book the certification body early ($8,000–$20,000 for Stage 1 + Stage 2, paid to the body). JAS-ANZ-accredited bodies need 6–10 weeks of lead time, so booking in week one keeps week 12 real. Aegentra shortlists bodies from the JAS-ANZ register and locks audit dates around the build.
Weeks 1–9 — build the ISMS ($25,000–$55,000 fixed-fee readiness with Aegentra, typical Australian SMB). Risk assessment, Statement of Applicability, every applicable Annex A control implemented in your tenant, live evidence collected with the Aeges risk engine.
Weeks 10–11 — internal audit and management review (included in Govern; standalone independent audits are fixed-fee). Aegentra runs the Clause 9.2 internal audit, logs findings, and closes corrective actions before the certification body arrives.
Week 12+ — Stage 1 and Stage 2 (covered by the Stage 1 + 2 fee). Evidence pack handed over; Aegentra sits in on both stages. The certificate is issued by the body, valid three years.
Years 1–2 — annual surveillance audits (starting at $2,500 each, paid to the body). Keep the ISMS running; an optional Aegentra retainer covers control-drift monitoring and surveillance preparation.
Year 3 — re-certification ($8,000–$15,000, paid to the body). A fuller audit renews the certificate for another three years.
Do all departments have to be certified?
No — you choose the scope. ISO 27001 certifies a defined boundary, not automatically the whole company. Most Australian SMBs certify the functions that touch customer data and the product (engineering, IT and the Microsoft 365 tenant, customer support, people and vendor management) and leave unrelated functions outside. The scope statement is printed on your certificate and buyers read it — a scope that dodges the parts of the business customers rely on will cost you the deals the certificate was meant to win.
Documents the auditor will ask for
Stage 1 is largely a documentation review. Governing documents: ISMS scope statement, information security policy, roles and responsibilities (Clause 5.3), Statement of Applicability. Risk documents: risk assessment methodology, risk register with owners, risk treatment plan, asset and supplier inventories. Operating evidence: internal audit report, management review minutes, incident log and corrective actions, training records. The full clause-by-clause build order is on the ISO 27001 implementation process page.
Small business vs mid-size vs enterprise
Small business (10–50 staff): about 12 weeks, readiness $25k–$40k, scope usually the whole company. Mid-size (50–250 staff): 12–16 weeks, readiness $35k–$55k. Enterprise (250+ staff): multi-entity or multi-tenant scopes and on-premise systems add 4–8 weeks; scoped individually.
Five mistakes that delay certification
Booking the certification body last — bodies need 6–10 weeks of lead time.
Scoping the whole company on day one — certify where the customer risk lives, expand at surveillance time.
Writing policies nobody operates — auditors sample reality, not documents.
Skipping a real internal audit — an independent Clause 9.2 audit finds problems while they are cheap.
Treating it as an IT project — Clause 5 makes leadership accountable; without an executive sponsor the programme stalls.