Information security with a system

The Australian Signals Directorate (ASD) Cyber Threat Report for the 2022-2023 financial year states that the average cost of cybercrime per report was $46,000 for small business, $97,200 for medium business and $71,600 for large business, a 14% increase on the previous year. The top three cybercrime types reported by business were email compromise, business email compromise (BEC) fraud and online banking fraud.

These findings, along with the nearly 94,000 cybercrime reports received in the same period (a 23% increase), emphasise the urgent need for stronger information security measures and increased vigilance to safeguard business and personal information in Australia.

Implementing an Information Security Management System (ISMS) that is certified by DQS Australia New Zealand to the ISO/IEC 27001 standard can help reduce your company's risk of a data breach and mitigate the threat, and the subsequent cost, of becoming a cybercrime victim. Certification gives you:

  • Demonstrable data and information security
  • Security as part of the corporate culture
  • Effective implementation of a risk management process
  • Continuous improvement of your security level


What is ISO 27001?

ISO/IEC 27001 is the leading international standard for implementing a holistic management system for information security. It focuses on the identification, assessment and treatment of risks to information and the processes that handle it. The protection of confidential information is treated as a significant strategic element. ISO/IEC 27001 is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and can be purchased here: https://www.iso.org/standard/27001.

Information surrounds us everywhere and is part of every process. Sometimes it is inconsequential, but all too often it is critical and confidential. To make this distinction for your organisation, you need to classify your information, because the protective measures of an ISMS according to ISO 27001 are selected on the basis of that classification and of the risks to each class of information.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the standard requires you to address the integrity and availability of the information and IT systems involved in corporate processes. In this context, ISO 27001 certification in Australia and New Zealand sends a strong signal to the market: independent external evaluation and confirmation of the effectiveness of your ISMS.


Who is certification to ISO 27001 suitable for in Australia and New Zealand?

The ISMS standard ISO 27001 applies worldwide, including in Australia and New Zealand. It provides organisations of all sizes and industries with a globally recognised framework for planning, implementing and monitoring their information security. The requirements apply equally to private and public companies and to non-profit organisations.

Increasingly, governments and other critical industries are requiring their partners, and any business accessing their data, to provide evidence of how they ensure their information security. An internationally recognised standard such as ISO 27001 can be an effective tool to help protect critical information, to ensure you have a system to manage data security, and to provide the management framework around the detailed control sets in the Information Security Manual (ISM). Both the Australian and New Zealand governments have introduced cyber security frameworks: the Australian ISM is here: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism and the New Zealand NCSC Cyber Security Framework is here: https://www.ncsc.govt.nz/resources/ncsc-cyber-security-framework/.


What makes the ISO 27001 standard useful for my company?

The introduction of an ISMS according to ISO 27001 is a strategic decision for your company. The standard's requirements are deliberately general so that companies can meet them in a way that reflects their specific situation. This allows the implementation of the company ISMS to take into account its unique needs and goals, security requirements and organisational processes, as well as the size and structure of the company.

Annex A of ISO 27001 is particularly valuable in practice. It is used in connection with clause 6.1.3 (information security risk treatment): on the basis of company-specific risk assessments you select the controls you need, compare them against Annex A to check that nothing necessary has been omitted, and record the result, with justification for every inclusion and exclusion, in a Statement of Applicability. The information security controls listed in Annex A are directly derived from and aligned with the controls in the current ISO/IEC 27002, clauses 5 to 8.

Consistent alignment of company processes with ISO 27001 typically leads to a number of benefits:

  • Continuous improvement of the security level
  • Reduction of existing risks
  • Adherence to compliance requirements, including regulatory requirements in Australia and New Zealand
  • Greater awareness among employees
  • Increased customer satisfaction

Internal audits and management reviews with the participation of top management are the internal levers for achieving this.

A further positive aspect is that interested parties such as supervisory authorities, insurance companies, banks and partner companies build up a higher level of trust in your company. A certified management system signals that your organisation deals with risks in a structured manner and subscribes to a continuous improvement process (CIP), making it more resilient to disruption.

The international standard ISO/IEC 27001 can be implemented, operated and certified independently of other management systems such as ISO 9001 (quality management) or ISO 14001 (environmental management), or integrated with them, since all of these standards now share the same harmonised high-level structure.


Who is allowed to carry out certification according to ISO 27001?

In order to certify an information security management system, the certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 sets out the conformity assessment requirements for bodies that provide audit and certification of management systems of any kind.

In addition, ISO/IEC 27006 defines the strict requirements that certification bodies must comply with specifically in order to certify an ISMS according to ISO 27001.

These include:

  • Minimum audit time (audit effort) that must be demonstrably applied to each certification
  • Requirements for the competence and qualification of auditors

DQS Australia New Zealand is accredited by the German national accreditation body DAkkS (Deutsche Akkreditierungsstelle GmbH) and is therefore authorised to perform audits and certifications according to ISO 27001.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of the DQS auditors in Australia and New Zealand. They have many years of experience in the assessment of information security management systems in various industries.


ISO 27001 has Changed

ISO 27001 has been updated to reflect changes in the information security landscape and now explicitly covers cyber security and privacy protection.

We have published a brief transition guide, outlining main steps that you will need to undertake and some FAQs on the changes. This can be found here.

The updated ISO/IEC 27001:2022 was published in October 2022 to reflect the increased digitisation of organisations. The changes include a consolidation and simplification of the control set and a new attribute scheme that lets organisations map controls to the views different stakeholders need (for example by control type, security property or cyber security concept).

As part of the update, the main body of the standard has been adjusted to the "harmonised" structure shared by all ISO management system standards. Additionally, the information security controls in Annex A have been modernised. Instead of the 14 control domains and 114 controls of the 2013 edition there are now 4 control themes (organisational, people, physical and technological) containing 93 controls: 11 controls are new, 24 result from merging 57 controls of ISO 27001:2013, and the remaining 58 have been updated or modified.

By adopting these changes, you bring your organisation up to date with the latest global standard for information security, better protecting your organisation and building trust with everyone you interact with.

The revision was an inevitable consequence of the comprehensive revision of ISO/IEC 27002, the implementation guidance underlying Annex A of ISO 27001, which was published in February 2022.

The transition period for existing ISO 27001 certificates is three years from the last day of the publication month of ISO 27001:2022, meaning that all certificates according to ISO 27001:2013 must have been converted to the 2022 version by 31 October 2025. You can read about the new features of the ISO 27001 update in our article "The new ISO/IEC 27001:2022 - key changes".


More Resources

We regularly blog about topical industry items, how they affect cyber security and data security, and how they may help you with your ISMS. Topics include:

The full list of blogs can be found here.


How does ISO 27001 certification work in Australia and New Zealand?

Once all requirements of ISO 27001 have been implemented, you can have your management system certified. You will go through a multi-stage certification process with DQS Australia / New Zealand. If a certified management system is already established in the company, the process can be shortened.

In the first step, you discuss your company and the goals of ISO 27001 certification with us. On this basis, you will receive a detailed offer tailored to the individual needs of your company.

A project planning meeting can be useful for larger projects, for example to better coordinate schedules and the performance of audits across multiple locations or divisions. An optional pre-audit offers you the opportunity to identify the strengths and improvement potential of your management system in advance. Both of these services are optional and neither is part of the certification decision.

The certification audit starts with the system analysis and evaluation of your ISMS (audit stage 1). Here, your auditor reviews your documented information, including the ISMS scope, risk assessment and Statement of Applicability, and determines whether your management system is sufficiently developed and ready for certification. In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes and the implemented controls on site against the requirements of ISO 27001. The audit result is presented at a closing meeting, and where nonconformities are found, corrective action plans are agreed.

After the certification audit, the results are evaluated by the independent certification board of DQS. If all requirements of the standard are met, you receive the ISO 27001 certificate.

After successful certification, key components of your ISMS are re-audited on site in a surveillance audit at least once a year to confirm that the system is maintained and continuously improved.

An ISO 27001 certificate is valid for a maximum of three years. Recertification is performed in good time before expiry to ensure ongoing compliance with the applicable requirements of the standard. Upon successful completion of the recertification audit, a new certificate is issued.

Transition from ISO 27001:2013 to ISO 27001:2022 requires a transition audit to verify that the changes have been effectively implemented. This can be completed during a surveillance or recertification audit with a small amount of additional audit time, or scheduled as a separate upgrade audit if necessary. Once the transition audit is successfully completed, the certificate is updated; the expiry date of the current certification cycle does not change.


What does ISO 27001 certification cost in Australia and New Zealand?

The four assessment criteria

Even though the ISO 27001 audit is performed according to structured specifications, including the minimum audit time rules of ISO/IEC 27006, the cost depends on various factors such as the complexity of your organisation. There can therefore be no one-size-fits-all offer.

The costs for certification according to ISO 27001 are established according to the following four criteria, among others:

1. The complexity of your information security management system.

The critical assets of your company (for example patents, personal data, facilities and processes) are taken into account. The cost of certification is based primarily on the information security requirements and the extent to which the confidentiality, integrity and availability (CIA) of information would be affected if they were compromised.

2. The core business of your company within the scope of the ISMS

Here the risks associated with your business processes play a particularly important role in determining the necessary audit effort. Legal requirements are taken into account, as are complex, individual customer requirements.

3. The main technologies and components used in your ISMS

During the audit, the technology and the individual components within the scope of your ISMS are examined. These include IT platforms, servers, databases, applications and network segments. The basic rule is: the higher the proportion of standard systems and the lower the complexity of your IT, the lower the audit effort, and the cost of ISO 27001 certification depends on this.

4. The proportion of in-house developments in your ISMS

If there is no internal development and you mainly use standardised software platforms, the assessment effort is lower. If your ISMS is characterised by intensive use of self-developed software, and if this software supports central business areas, the effort for certification will be higher, because the secure development controls of Annex A must be assessed as well.

In order to give you an overview of the costs of an ISMS certification, we need precise information about your business model and the intended scope in advance. On that basis we can provide you with a tailor-made offer.


Why DQS Australia / New Zealand

  • More than 25 years of experience in certification of management systems and processes in Australia and New Zealand, with the ability to call on over 35 years of experience in our global network.
  • Industry-experienced auditors and experts with strong technical knowledge of the Australian and New Zealand markets
  • Value-adding insights into your company
  • Certificates with international acceptance and high prestige in Australia and New Zealand
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms and no hidden costs

Request a quote from DQS Australia / New Zealand

Your local contact

We would be happy to provide you with an individual quote for the ISO 27001 certification of your ISMS.

The new ISO 27001:2022 - key changes

In this DQS blog post you will find the most important information about the key changes and additions in the revised ISO 27001:2022 standard.

Read the blog post