By the Aegentra Security Team — NV1-cleared ISO 27001 practitioners · Published 7 July 2026
People searching this mean one of two different things — certifying their company, or certifying themselves. This guide covers the second: earning the individual PECB Lead Implementer credential, the exact experience and ISMS project hours each tier needs, the exam, the cost, and the jobs it opens in Australia.
To become a PECB Certified ISO 27001 Lead Implementer you complete the Lead Implementer training, pass the PECB exam, then hold five years of professional experience (two in information security) and 300 hours of ISMS project activity. Lower tiers need less — the Provisional credential needs only the exam. Aegentra Academy runs the official course online and in Melbourne, Sydney & across Australia for $849 AUD + GST, with the exam voucher and a free 12-month resit included.
These are two different things. Certifying your company means building an Information Security Management System (ISMS) and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited body — the outcome is an organisational certificate (covered in our ISO 27001 certification guide). Certifying yourself means earning an individual professional credential — PECB Certified ISO 27001 Lead Implementer — that proves you personally can plan and run an ISMS. This guide is about certifying yourself.
A Lead Implementer builds and runs the ISMS — defining scope, running the risk assessment, producing the Statement of Applicability, implementing the Annex A controls, writing policies, training staff, and steering the organisation through internal audit and management review up to the certification audit. It is the person who gets an organisation audit-ready, not the person who audits it (that is the Lead Auditor).
All four tiers sit the same PECB exam. What separates them is the experience and hours of hands-on ISMS work you can evidence.
| Credential tier | Total experience | In information security | ISMS project hours |
|---|---|---|---|
| Provisional Implementer | None | — | 0 |
| Implementer | 2 years | 1 year | 200 |
| Lead Implementer | 5 years | 2 years | 300 |
| Senior Lead Implementer | 10 years | 7 years | 1,000 |
Requirements are set by PECB — see the official ISO/IEC 27001 Lead Implementer credential page.
Project-activity hours mean hands-on ISMS work: running a risk assessment, drafting the Statement of Applicability, implementing and documenting Annex A controls, writing policies, preparing evidence, conducting an internal audit, and supporting a certification audit. If you work in GRC, compliance, or IT security, you are already banking these hours — you just need to log them.
The Lead Implementer credential maps onto some of the best-paid roles in Australian tech. Ranges below are indicative AUD base salaries drawn from public Australian salary guides — a guide to the market, not a quote.
| Role | Indicative AUD base |
|---|---|
| GRC / Security Analyst | $95k–$130k |
| ISO 27001 Consultant / Lead Implementer | $120k–$170k |
| Compliance / Risk Manager | $130k–$175k |
| Information Security Manager (ISMS owner) | $140k–$190k |
| vCISO / Head of Security | $180k–$260k |
ISO 27001 is now the default security qualifier in Australian procurement. More than 70,000 organisations worldwide hold the standard (ISO Survey), and Australian demand is driven by the ASD Essential Eight, APRA CPS 234, the SOCI Act, and enterprise and government procurement that asks suppliers for an ISO 27001 certified ISMS. Every one of those creates demand for people who can build the ISMS — exactly what the Lead Implementer credential proves.
They are two separate things. Certifying your company means building an Information Security Management System (ISMS) and passing a Stage 1 and Stage 2 audit by a JAS-ANZ-accredited certification body — the outcome is an organisational ISO 27001 certificate. Certifying yourself means earning an individual professional credential (PECB Lead Implementer) that proves you personally can do the work.
Not to start. If you pass the exam you earn the Provisional Implementer credential with no experience required. The Lead Implementer tier specifically requires five years of professional experience (two in information security) plus 300 hours of ISMS project activity, which you accumulate over time while working.
It depends on the tier: Implementer needs 200 hours of ISMS project activity, Lead Implementer needs 300 hours, and Senior Lead Implementer needs 1,000 hours. Project activity means hands-on ISMS work — risk assessment, Statement of Applicability, implementing Annex A controls, internal audit, and supporting a certification audit.
No, it is not mandatory — you can enrol directly in the Lead Implementer course. But if ISO 27001 is new to you, the Foundation course makes the Lead Implementer material much easier to absorb.
Aegentra Academy runs the official PECB Lead Implementer course for $849 AUD + GST, including the exam voucher and one free resit within 12 months. It is self-paced online (typically 30 to 40 hours of study) or instructor-led, and you can be exam-ready in a few weeks.
Yes. PECB is accredited by ANAB (the ANSI National Accreditation Board) under ANSI/ASTM E2659-18, so the credential is recognised on resumes, tenders, and procurement panels worldwide.
Ready to start? Aegentra Academy runs the official PECB ISO 27001 Lead Implementer course for $849 AUD + GST, exam voucher and free resit included. More field notes are on the Aegentra Insights hub.