ISO/IEC 27001:2022 is the international standard for an information security management system. An accredited body certifies the management system, not a product or a one-off scan. It covers management clauses 4 to 10 and 93 Annex A controls, runs on a three-year cycle, and in Australia is driven by customers and tenders, not regulation.
Teams buy the certificate. The auditor tests the system behind it. ISO 27001 is a management system, not a list of technical fixes, and that gap is where most readiness projects lose months. Start with what the standard actually requires.
What is ISO 27001:2022?
ISO/IEC 27001 is the international standard for an information security management system, an ISMS: the governance, risk and control framework that runs security as a continuing system rather than a one time project. The 2022 version is the current edition. An accredited certification body audits your ISMS and issues a certificate. This is real third party certification, unlike the Essential Eight, which has no certificate and no pass mark. Read more: what ISO 27001 is.
What does Annex A require?
Annex A lists 93 controls grouped into four themes: organisational (37), people (8), physical (14) and technological (34), down from 114 in the 2013 version. You do not implement all 93 by default. The Statement of Applicability records which controls apply, which you have excluded, and why, and it is the document an auditor opens first. Read more: Annex A controls explained.
How long does certification take, and what does it cost?
On a typical engagement, gap analysis and ISMS design run about 4 to 8 weeks; full implementation through to certification more often takes 6 to 12 months, driven by how much of the management system already exists. These are indicative ranges, not a quote. Cost follows scope, the number of in-scope sites and the certification body's day rate, not a single list price. Read more: how long it takes and what it costs.
How does the audit work, Stage 1 and Stage 2?
Certification runs on a three-year cycle. A Stage 1 audit reviews your documentation and readiness; a Stage 2 audit tests whether the ISMS operates in practice. Pass both and the certificate is issued, followed by annual surveillance audits and a full recertification every three years. The work is continuous, not a single event. Read more: Stage 1 vs Stage 2 and the readiness checklist.
ISO 27001 or SOC 2?
They answer different buyers. ISO 27001 certifies a management system against an international standard and suits customers and tenders worldwide. SOC 2 is an attestation against the AICPA Trust Services Criteria, expected mainly by United States buyers. Many technology firms end up doing both; the control work overlaps, the reports do not. Read more: ISO 27001 vs SOC 2.
How does ISO 27001 sit with IRAP and the Essential Eight?
ISO 27001 is not government mandated in Australia; demand is commercial. IRAP assesses a specific system against the ISM for government use, and the Essential Eight is a set of eight ASD technical controls. The Essential Eight maps onto part of the ISO 27001 technological theme only; the organisational, people and physical controls and the clause 4 to 10 management system have no Essential Eight equivalent. Read more: Essential Eight vs ISO 27001.
ISO 27001 for SaaS, and where to start
For a SaaS provider the ISMS scope is usually the platform, its build pipeline and the people who run it, which keeps the certificate meaningful and the audit focused. Start with a gap analysis against clauses 4 to 10 and Annex A, then build the Statement of Applicability before Stage 1. Read more: ISO 27001 for SaaS and the readiness checklist.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, 2022
- ISO/IEC 27002:2022, 2022
- ASD Essential Eight explained, current June 2026
Last updated: 21 June, 2026
