Skip to main content

How to get my company ISO 27001 certified in Australia

By Aegentra Security Team — NV1-cleared ISO 27001 practitioners · Updated 14 July 2026

Every step from “we should do this” to a framed certificate — what your company does, what Aegentra does, who charges what at each stage, when to book the certification body, which departments go in scope, and what happens every year after certification.

In short: to get your company ISO 27001 certified in Australia, pick a scope and an executive sponsor, run a Week 0 discovery, build the ISMS over roughly 12 weeks (readiness typically $25k–$55k fixed-fee with Aegentra), book a JAS-ANZ-accredited certification body in week one, pass an internal audit, then the body’s Stage 1 and Stage 2 audits. The certificate lasts three years, with annual surveillance audits (starting at $2,500, paid to the body) in years one and two.

Why your company needs the certificate

The certification journey at a glance

Week 0 discovery → week 1 book the certification body → weeks 1–9 build the ISMS → weeks 10–11 internal audit and management review → week 12+ Stage 1 and Stage 2 audits → certified for three years → annual surveillance in years one and two → re-certification in year three.

Step by step — who does what, who charges what

Two wallets are involved: Aegentra (fixed-fee readiness work) and the certification body (audit fees). Keeping them separate is what makes the certificate credible.

  1. Pick your scope and a sponsor (before day one — free). Decide which parts of the business are being certified — you do not need every department — and name an executive sponsor with budget and authority. Aegentra helps you draw a defensible scope boundary auditors accept.
  2. Week 0 — discovery and fixed-price plan (included). A senior engineer maps your Microsoft 365 tenant, contracts, and risk appetite. You get a fixed scope, a fixed price, and a named lead before any work starts.
  3. Week 1 — book the certification body early ($8,000–$20,000 for Stage 1 + Stage 2, paid to the body). JAS-ANZ-accredited bodies need 6–10 weeks of lead time, so booking in week one keeps week 12 real. Aegentra shortlists bodies from the JAS-ANZ register and locks audit dates around the build.
  4. Weeks 1–9 — build the ISMS ($25,000–$55,000 fixed-fee readiness with Aegentra, typical Australian SMB). Risk assessment, Statement of Applicability, every applicable Annex A control implemented in your tenant, live evidence collected with the Aeges risk engine.
  5. Weeks 10–11 — internal audit and management review (included in Govern; standalone independent audits are fixed-fee). Aegentra runs the Clause 9.2 internal audit, logs findings, and closes corrective actions before the certification body arrives.
  6. Week 12+ — Stage 1 and Stage 2 (covered by the Stage 1 + 2 fee). Evidence pack handed over; Aegentra sits in on both stages. The certificate is issued by the body, valid three years.
  7. Years 1–2 — annual surveillance audits (starting at $2,500 each, paid to the body). Keep the ISMS running; an optional Aegentra retainer covers control-drift monitoring and surveillance preparation.
  8. Year 3 — re-certification ($8,000–$15,000, paid to the body). A fuller audit renews the certificate for another three years.

Do all departments have to be certified?

No — you choose the scope. ISO 27001 certifies a defined boundary, not automatically the whole company. Most Australian SMBs certify the functions that touch customer data and the product (engineering, IT and the Microsoft 365 tenant, customer support, people and vendor management) and leave unrelated functions outside. The scope statement is printed on your certificate and buyers read it — a scope that dodges the parts of the business customers rely on will cost you the deals the certificate was meant to win.

Documents the auditor will ask for

Stage 1 is largely a documentation review. Governing documents: ISMS scope statement, information security policy, roles and responsibilities (Clause 5.3), Statement of Applicability. Risk documents: risk assessment methodology, risk register with owners, risk treatment plan, asset and supplier inventories. Operating evidence: internal audit report, management review minutes, incident log and corrective actions, training records. The full clause-by-clause build order is on the ISO 27001 implementation process page.

Small business vs mid-size vs enterprise

Small business (10–50 staff): about 12 weeks, readiness $25k–$40k, scope usually the whole company. Mid-size (50–250 staff): 12–16 weeks, readiness $35k–$55k. Enterprise (250+ staff): multi-entity or multi-tenant scopes and on-premise systems add 4–8 weeks; scoped individually.

Five mistakes that delay certification

  1. Booking the certification body last — bodies need 6–10 weeks of lead time.
  2. Scoping the whole company on day one — certify where the customer risk lives, expand at surveillance time.
  3. Writing policies nobody operates — auditors sample reality, not documents.
  4. Skipping a real internal audit — an independent Clause 9.2 audit finds problems while they are cheap.
  5. Treating it as an IT project — Clause 5 makes leadership accountable; without an executive sponsor the programme stalls.

Full pricing breakdown on the ISO 27001 certification cost guide. Want the whole journey run for you? See the Govern engagement — fixed scope, fixed price after Week 0, audit-ready in 12 weeks.