By the Aegentra Security Team — NV1-cleared ISO 27001 practitioners · Published 12 July 2026
People searching this mean one of two different things — getting their company certified, or getting themselves certified as an auditor. This guide covers the second: earning the individual PECB Lead Auditor credential, the exact audit hours each tier needs, the exam, the cost, and the assurance roles it opens in Australia.
To become a PECB Certified ISO 27001 Lead Auditor you complete the Lead Auditor training, pass the PECB exam, then hold five years of professional experience (two in information security management) and 300 hours of audit activity. Lower tiers need less — the Provisional credential needs only the exam. Aegentra Academy runs the official course online and in Melbourne, Sydney & across Australia for $849 AUD + GST, with the exam voucher and a free 12-month resit included.
Certifying your company means building an ISMS and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited body (see our ISO 27001 certification guide). Certifying yourself means earning the individual PECB Certified ISO 27001 Lead Auditor credential — proof that you can plan and lead ISMS audits. This guide is about certifying yourself.
A Lead Auditor examines the ISMS — planning audits against the Statement of Applicability, interviewing control owners, sampling evidence, classifying nonconformities, writing findings reports, and leading audit teams across first-party (internal), second-party (supplier), and, within certification bodies, third-party certification audits. Building the ISMS is the other track — see how to become a certified ISO 27001 Lead Implementer.
| Credential tier | Total experience | In infosec management | Audit hours |
|---|---|---|---|
| Provisional Auditor | None | — | 0 |
| Auditor | 2 years | 1 year | 200 |
| Lead Auditor | 5 years | 2 years | 300 |
| Senior Lead Auditor | 10 years | 7 years | 1,000 |
Requirements are set by PECB — see the official ISO/IEC 27001 Lead Auditor credential page.
PECB counts the real audit lifecycle: audit planning, interviews, audit program management, document review, on-site fieldwork, drafting nonconformities and working papers, report writing, follow-up actions, and leading audit teams. Internal audits at your own employer count — which is how most people bank their first 200 hours.
Indicative AUD base ranges from public Australian salary guides — a market guide, not a quote.
| Role | Indicative AUD base |
|---|---|
| Internal ISMS Auditor | $90k–$125k |
| GRC / Compliance Auditor | $110k–$150k |
| Certification-body ISO 27001 Auditor | $110k–$160k |
| Compliance / Risk Manager | $130k–$175k |
| Audit & Assurance Lead | $150k–$200k |
More than 70,000 organisations worldwide hold ISO 27001 (ISO Survey) — and every one needs auditing every year. Clause 9.2 makes an independent internal audit mandatory annually, certification bodies need Lead Auditors for a growing certified base, supply-chain assurance keeps expanding, and the Essential Eight, APRA CPS 234, and the SOCI Act all drive verification work. Outsourced internal audits are a real market — exactly the service Aegentra delivers for Australian companies — and the Lead Auditor credential is the qualification that work runs on.
They are two separate things. Certifying your company means building an ISMS and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited certification body. Certifying yourself means earning an individual professional credential — PECB Lead Auditor — that proves you personally can plan and lead ISMS audits.
No. Pass the exam and you earn the Provisional Auditor credential with no experience required. The Lead Auditor tier requires five years of professional experience (two in information security management) plus 300 hours of audit activity, accumulated while you work.
PECB counts hands-on audit work: audit planning, interviews, audit program management, document review, on-site fieldwork, drafting nonconformities and working papers, report writing, follow-up actions, and leading audit teams. Auditor needs 200 hours; Lead Auditor 300; Senior Lead Auditor 1,000.
They are different careers. The Lead Implementer builds and runs the ISMS; the Lead Auditor examines it — internal audits, supplier audits, and, inside certification bodies, certification audits. Many senior GRC consultants eventually hold both.
Aegentra Academy runs the official PECB Lead Auditor course for $849 AUD + GST, including the exam voucher and one free resit within 12 months. Self-paced online (typically 30 to 40 hours of study) or instructor-led — most people are exam-ready in a few weeks.
Not on your own — certificates are issued by JAS-ANZ-accredited certification bodies. The Lead Auditor credential qualifies you to lead first-party and second-party audits, and it is the credential certification bodies look for when hiring auditors for third-party certification work.
Ready to start? Aegentra Academy runs the official PECB ISO 27001 Lead Auditor course for $849 AUD + GST, exam voucher and free resit included. More field notes are on the Aegentra Insights hub.