Skip to main content

How to become a certified ISO 27001 Lead Auditor in Australia

By the Aegentra Security Team — NV1-cleared ISO 27001 practitioners · Published 12 July 2026

People searching this mean one of two different things — getting their company certified, or getting themselves certified as an auditor. This guide covers the second: earning the individual PECB Lead Auditor credential, the exact audit hours each tier needs, the exam, the cost, and the assurance roles it opens in Australia.

To become a PECB Certified ISO 27001 Lead Auditor you complete the Lead Auditor training, pass the PECB exam, then hold five years of professional experience (two in information security management) and 300 hours of audit activity. Lower tiers need less — the Provisional credential needs only the exam. Aegentra Academy runs the official course online and in Melbourne, Sydney & across Australia for $849 AUD + GST, with the exam voucher and a free 12-month resit included.

Certifying your company vs certifying yourself

Certifying your company means building an ISMS and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited body (see our ISO 27001 certification guide). Certifying yourself means earning the individual PECB Certified ISO 27001 Lead Auditor credential — proof that you can plan and lead ISMS audits. This guide is about certifying yourself.

What an ISO 27001 Lead Auditor does

A Lead Auditor examines the ISMS — planning audits against the Statement of Applicability, interviewing control owners, sampling evidence, classifying nonconformities, writing findings reports, and leading audit teams across first-party (internal), second-party (supplier), and, within certification bodies, third-party certification audits. Building the ISMS is the other track — see how to become a certified ISO 27001 Lead Implementer.

The step-by-step pathway

  1. Build the foundations (optional). Start with the ISO 27001 Foundation course if the standard is new to you.
  2. Take the Lead Auditor course. Audit principles, evidence gathering, interviews, nonconformity classification, and reporting aligned to ISO 19011.
  3. Pass the PECB exam. Scenario-based and open-book — pass it and you hold the Provisional Auditor credential immediately.
  4. Log your audit hours. 200 hours unlocks Auditor; 300 hours plus five years’ experience unlocks Lead Auditor.
  5. Sign the Code of Ethics and get credentialed. PECB verifies your application and issues a verifiable digital credential.

Credential tiers and the audit hours each requires

Credential tierTotal experienceIn infosec managementAudit hours
Provisional AuditorNone0
Auditor2 years1 year200
Lead Auditor5 years2 years300
Senior Lead Auditor10 years7 years1,000

Requirements are set by PECB — see the official ISO/IEC 27001 Lead Auditor credential page.

The audit hours that count

PECB counts the real audit lifecycle: audit planning, interviews, audit program management, document review, on-site fieldwork, drafting nonconformities and working papers, report writing, follow-up actions, and leading audit teams. Internal audits at your own employer count — which is how most people bank their first 200 hours.

Jobs and indicative salaries in Australia

Indicative AUD base ranges from public Australian salary guides — a market guide, not a quote.

RoleIndicative AUD base
Internal ISMS Auditor$90k–$125k
GRC / Compliance Auditor$110k–$150k
Certification-body ISO 27001 Auditor$110k–$160k
Compliance / Risk Manager$130k–$175k
Audit & Assurance Lead$150k–$200k

Why auditors are in demand in Australia

More than 70,000 organisations worldwide hold ISO 27001 (ISO Survey) — and every one needs auditing every year. Clause 9.2 makes an independent internal audit mandatory annually, certification bodies need Lead Auditors for a growing certified base, supply-chain assurance keeps expanding, and the Essential Eight, APRA CPS 234, and the SOCI Act all drive verification work. Outsourced internal audits are a real market — exactly the service Aegentra delivers for Australian companies — and the Lead Auditor credential is the qualification that work runs on.

Frequently asked questions

What is the difference between certifying my company and certifying myself?

They are two separate things. Certifying your company means building an ISMS and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited certification body. Certifying yourself means earning an individual professional credential — PECB Lead Auditor — that proves you personally can plan and lead ISMS audits.

Do I need experience to start?

No. Pass the exam and you earn the Provisional Auditor credential with no experience required. The Lead Auditor tier requires five years of professional experience (two in information security management) plus 300 hours of audit activity, accumulated while you work.

What counts as audit activity hours?

PECB counts hands-on audit work: audit planning, interviews, audit program management, document review, on-site fieldwork, drafting nonconformities and working papers, report writing, follow-up actions, and leading audit teams. Auditor needs 200 hours; Lead Auditor 300; Senior Lead Auditor 1,000.

Lead Implementer or Lead Auditor — which should I take?

They are different careers. The Lead Implementer builds and runs the ISMS; the Lead Auditor examines it — internal audits, supplier audits, and, inside certification bodies, certification audits. Many senior GRC consultants eventually hold both.

How much does it cost and how long does it take?

Aegentra Academy runs the official PECB Lead Auditor course for $849 AUD + GST, including the exam voucher and one free resit within 12 months. Self-paced online (typically 30 to 40 hours of study) or instructor-led — most people are exam-ready in a few weeks.

Can a Lead Auditor certify a company to ISO 27001?

Not on your own — certificates are issued by JAS-ANZ-accredited certification bodies. The Lead Auditor credential qualifies you to lead first-party and second-party audits, and it is the credential certification bodies look for when hiring auditors for third-party certification work.

Ready to start? Aegentra Academy runs the official PECB ISO 27001 Lead Auditor course for $849 AUD + GST, exam voucher and free resit included. More field notes are on the Aegentra Insights hub.