
Certifications matter. That is especially the case when the accreditation is highly credible and well-known. In global business, certifications against standards published by the International Organization for Standardization (ISO) are among the best examples of this.


The ISO 27001 designation applies to organisations that have put in place an Information Security Management System (ISMS) that meets the requirements of the standard and have had that ISMS independently audited.


The certification is also a ‘badge’ that signals that the business has demonstrated to an external auditor that its systems and processes are of a high standard.


As cyber security experts, we know a lot about this accreditation. So, the rest of this blog is devoted to answering the main questions we’ve fielded about ISO 27001 from clients, including why it matters, how your organisation benefits from having it and how much it costs.


What is ISO 27001?

ISO 27001 is a standard that sets out requirements for how organisations manage information security risk, covering their technology, their processes and how their employees handle information. The goal is to protect the confidentiality, integrity and availability of the information the business holds: it is kept private, it can be trusted not to have been tampered with, and it can be accessed when needed.


The focus of the standard is the internal information security management system. The 2013 edition of the standard listed its reference controls (Annex A) in 14 broad categories, broken down into a total of 114 controls; the 2022 edition restructured Annex A into four themes (organisational, people, physical and technological) containing 93 controls. It's important to know that it's not required that every one of those controls is implemented to pass an ISO 27001 audit. Controls are selected on the basis of a risk assessment, and the organisation records which controls apply, and justifies any it excludes, in a document called the Statement of Applicability. The auditor checks that the justifications are sound and that the controls declared applicable are actually in place.


What is the difference between ISO 27001, ISO 27017 and ISO 27018?

ISO 27017 and ISO 27018 are codes of practice that add sector-specific controls and guidance on top of ISO 27001 and ISO 27002. ISO 27017 covers the provision and use of cloud services, while ISO 27018 focuses more specifically on the protection of Personally Identifiable Information (PII) in public clouds. Unlike ISO 27001, ISO 27017 and ISO 27018 are not management system standards, so an organisation cannot be certified to them on their own; a certification body assesses them as extensions to an existing ISO 27001 certification, and they appear on, or alongside, the ISO 27001 certificate.


Who needs ISO 27001?

The answer to this question depends a lot on the type of business you are in and the needs of your customers. For businesses that work with, or are looking to provide future services to, enterprises, government entities or regulated industries, this is becoming an absolute must. Increasingly, the collection and handling of sensitive data is becoming critical for all parts of the value chain, not only the large enterprises. Not holding ISO 27001 certification can put companies at a disadvantage to competitors when chasing RFPs with government or enterprise customers.


Similarly, for some large customers, a top-tier information security management system is an item on the checklist they use to select suppliers. Understanding whether that's the case for your customers is an important factor in deciding whether to pursue certification.


Some sectors that should strongly consider ISO 27001 certification include businesses bidding for government contracts, information technology, finance, insurance, healthcare and telecommunications services.


Is ISO 27001 a legal requirement?

ISO 27001 is not at present a legal requirement in Australia. In some industries, ISO 27001 certification is accepted as evidence that the legislated security requirements have been met. If you are unsure about the cyber security requirements in your industry, reach out to CyberUnlocked to learn more.


So why is ISO 27001 important?

While it's not mandatory, some of your customers might have tendering or contracting guidelines that require any potential suppliers or partners to be ISO 27001 certified. Or, they might award extra 'points' to a supplier or partner that has the certification when they are running a competitive tender process.


It's also important to realise that there is no 'minimum size' for a business to obtain this certification. In fact, a smaller or newer entrant to a sector that holds this certification might be at an advantage over incumbents who have not yet made the effort to obtain it.

Can software be ISO 27001 certified?

No. The certification applies to organisations and their processes, not to individual pieces of software. However, an organisation that sells software may obtain the certification to demonstrate its security credentials to potential customers, especially if it is asking customers to trust it with personal or private data. A certificate also has a defined scope (the business units, sites and services it covers), so a customer should read the scope statement and confirm that it actually covers the product or service they are buying.


Why should you get your business ISO 27001 certified?

Put simply, it's about trust. An organisation with the certification can show its clients, customers and employees that it has the processes in place to protect sensitive data. And that 'proof' is obtained with reference to an independent umpire, and a globally recognised standard.


It's widely accepted that data is one of an organisation's most valuable assets and needs a high level of protection. That protection is quickly becoming non-negotiable for top-tier businesses and, by extension, their partners and suppliers.


How much does it cost to get ISO 27001 certified?

The cost is determined by the size and complexity of the organisation, its systems and processes and its current security maturity. The costs are associated with:

  • The effort of evaluating and documenting your current processes (a gap assessment against the standard)
  • The effort of setting up an ISMS that meets the certification requirements, including the risk assessment, the Statement of Applicability and the controls it calls for
  • Engaging an accredited certification body (in Australia, one accredited by JAS-ANZ) to audit your systems and processes
  • Ongoing surveillance audits, which are carried out annually, and a recertification audit every three years, since a certificate is valid for three years



At the end of the day, ISO 27001 certification is a valuable accreditation that can assist organisations in winning higher value and more complex work. As information management and cyber security specialists, CyberUnlocked are experts in ISO 27001 and can help your business conduct an ISMS gap assessment to increase your chances of achieving certification.
