ISO 27001
Choosing a JAS-ANZ Certification Body for ISO 27001
3 July 2026 · Updated 3 July 2026
Short answer: JAS-ANZ is the accreditation body for Australia and New Zealand. It accredits certification bodies so buyers can trust their certificates. An accredited ISO 27001 certificate carries independent credibility and international recognition through IAF and PAC. An unaccredited one may be cheaper but many enterprise and government buyers will not accept it.
Not every ISO 27001 certificate is worth the same. Two look identical on the wall, but one was issued by a body whose competence and impartiality were independently assessed, and the other by a body with no oversight at all. The difference decides whether a buyer accepts it. This explains accreditation and how to check a body before you sign.
What is JAS-ANZ and what does it do?
The Joint Accreditation System of Australia and New Zealand (JAS-ANZ) is the government appointed accreditation body for the two countries. It accredits certification bodies. That means JAS-ANZ assesses whether a certification body is competent and impartial enough to issue certificates such as ISO 27001, and monitors it over time.
The distinction to hold onto is between accreditation and certification. JAS-ANZ does not certify your organisation. It accredits the body that certifies you. To be accredited for ISO 27001, a certification body has to meet ISO/IEC 17021-1 for management system certification and the ISO/IEC 27006 requirements specific to information security. Accreditation is the check on the checker, and it is what lets a buyer trust a certificate they did not commission.
What is the difference between an accredited and an unaccredited ISO 27001 certificate?
Both are real certificates. Only one carries independent assurance.
| Accredited certificate | Unaccredited certificate | |
|---|---|---|
| Issued by | A body accredited by JAS-ANZ or an equivalent | A body with no accreditation oversight |
| Independent check | The certification body’s competence and impartiality are assessed | None |
| Mark on the certificate | Carries the accreditation body’s mark | No accreditation mark |
| International recognition | Recognised through IAF and PAC arrangements | Not covered by mutual recognition |
| Buyer acceptance | Widely accepted by enterprise and government | Often rejected or questioned |
An unaccredited certificate can be quicker and cheaper because the body operates under no external scrutiny. That is precisely why it means less. The value of ISO 27001 to a buyer is that an independent, competent body tested your management system. Remove the accreditation and you remove the independence that made the certificate worth showing.
Does an ISO 27001 certificate have to be accredited to be valid?
Legally, no. ISO 27001 does not require accreditation, and unaccredited certificates exist and are sold. But validity in the eyes of a buyer is the test that matters, and there the answer shifts.
Enterprise procurement teams and government buyers increasingly specify an accredited certificate, because accreditation is what gives the audit its credibility. When a customer asks for your certificate as evidence of security, an unaccredited one invites the question of who checked the checker, and often the answer stalls the deal. If you are pursuing ISO 27001 to win and keep customers, which in Australia is the main driver since it is not regulated, then an accredited certificate is the one that does the job. Weigh this against the cost of certification, where an accredited body is the sensible baseline rather than the premium option.
How do I check whether an ISO 27001 certification body is JAS-ANZ accredited?
Verification is public and quick. Do not take a body’s own claim of accreditation on trust.
- Search the JAS-ANZ register of accredited bodies at register.jas-anz.org and confirm the body appears with ISO/IEC 27001 in its scope of accreditation
- Check the scope, since a body can be accredited for some standards and not others, and you need it accredited for information security specifically
- Verify an issued certificate on the JAS-ANZ certified organisations register, which lists certificates under accredited bodies
- Cross check through IAF CertSearch, the International Accreditation Forum’s global database of accredited certificates
If a body cannot be found on the accreditation register, or is accredited for other standards but not ISO 27001, treat its ISO 27001 certificate as unaccredited regardless of what the paperwork says.
What else should I weigh when choosing an ISO 27001 certification body?
Accreditation is the threshold, not the whole decision. Once you have a shortlist of accredited bodies, other factors separate them. Sector experience matters, since a body that regularly audits software companies reads a SaaS ISMS faster than one that mostly certifies manufacturers. Auditor availability affects your timeline. Day rates and the audit schedule affect cost. And the body’s approach to findings, covered in nonconformities and corrective actions, affects how workable the relationship is over a three year cycle.
For a startup weighing the leanest credible path, an accredited body with startup experience is covered in ISO 27001 for startups. The ISO 27001 stage 1 vs stage 2 audit guide explains what the certification body will actually do during the audit. Cybernion helps organisations select an accredited body and prepare for the ISO 27001 audit so the engagement runs cleanly. For the full picture of certification, see the complete ISO 27001 guide.
Frequently asked questions
What is JAS-ANZ?
JAS-ANZ is the Joint Accreditation System of Australia and New Zealand, the government appointed accreditation body for the two countries. It accredits certification bodies, meaning it assesses whether a body is competent and impartial enough to issue certificates such as ISO 27001. It does not certify organisations itself.
What is the difference between an accredited and unaccredited ISO 27001 certificate?
An accredited certificate is issued by a certification body whose competence and impartiality have been assessed by an accreditation body such as JAS-ANZ, and it carries the accreditation mark. An unaccredited certificate is issued by a body with no such oversight, so its assurance value is much weaker and buyers may not accept it.
Does an ISO 27001 certificate have to be accredited to be valid?
ISO 27001 does not legally require accreditation, so an unaccredited certificate exists. But enterprise and government buyers increasingly ask for an accredited certificate, because accreditation is what gives the audit independent credibility. In practice, for a certificate buyers will accept, accredited is the one that counts.
How do I check if a certification body is JAS-ANZ accredited?
Search the JAS-ANZ register of accredited bodies at register.jas-anz.org and confirm the body is listed with ISO/IEC 27001 in its scope of accreditation. You can also verify an issued certificate on the JAS-ANZ certified organisations register and through the IAF CertSearch global database.
Is a JAS-ANZ certificate recognised overseas?
Yes, generally. JAS-ANZ is a signatory to the IAF and PAC multilateral recognition arrangements, so a certificate issued under a JAS-ANZ accredited body’s scope should be recognised by accreditation bodies in other signatory countries. That mutual recognition is a large part of an accredited certificate’s value.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Information Security Management Systems Certification Scheme, JAS-ANZ, jas-anz.org, 2026
- JAS-ANZ Register of accredited bodies and certified organisations, register.jas-anz.org, 2026
- ISO/IEC 27001:2022, iso.org, 2022
- ISO/IEC 17021-1:2015, iso.org, 2015
Last updated: 3 July, 2026