4iT IT Support Sydney | Your Reliable Sydney IT Support Partner


ISO 27001 certification cost in Australia: what does it really cost in 2026?

June 4, 2026

ISO 27001 certification in Australia costs Australian SMEs between AU$25,000 and AU$80,000 ex GST for first certification, plus AU$5,000 to AU$15,000 per year for surveillance audits. The variance reflects business size, scope complexity, current state of controls, and whether the implementation work is done in-house or with an external consultant.

The cost question is the one that typically determines whether an Australian SME pursues certification or stays uncertified, so it deserves a clear answer rather than the “it depends” framing most consultancy websites offer. This guide breaks down where the money actually goes, what cost ranges are realistic for different SME sizes and scopes, what ongoing costs look like after first certification, and how the total cost compares against the commercial benefit certification typically delivers.

Key facts

- First-time ISO 27001 certification for an Australian SME typically costs AU$25,000 to AU$80,000 ex GST, including implementation work, certification audit fees, and supporting tools.
- The certification audit itself (Stage 1 and Stage 2 combined) typically costs AU$8,000 to AU$20,000 for SMEs, depending on the certification body and the audit duration.
- Annual surveillance audits in years 1 and 2 after certification cost AU$5,000 to AU$10,000 each. The full recertification audit at year 3 costs AU$8,000 to AU$15,000.
- Implementation work (the largest single cost component) is AU$15,000 to AU$50,000 depending on complexity and how much is delivered in-house vs through a consultant.
- ISMS software platforms (Vanta, Drata, Sprinto, isms.online) add AU$2,000 to AU$15,000 per year depending on the platform tier and business size.
- For an Australian SME pursuing certification to win a specific commercial contract, the certification investment pays back when the contract value exceeds roughly 3x the first-year certification cost.

Where does the money actually go?

Four cost categories make up the total. Understanding what each one delivers makes the price ranges meaningful rather than arbitrary.

Implementation work (typically the largest cost): AU$15,000 to AU$50,000. This covers writing the information security policy framework, conducting the risk assessment, building the Statement of Applicability (SoA) listing each ISO 27001 Annex A control, implementing missing controls, training staff, and preparing the documentation evidence the certification body will audit. For Australian SMEs, this work is typically done over 4 to 9 months and combines internal effort with external consultancy support.

Certification body audit fees: AU$8,000 to AU$20,000. The Stage 1 audit (documentation review) and Stage 2 audit (operational verification) are conducted by an accredited certification body. In Australia, JAS-ANZ accredits these bodies. Reputable certification bodies serving the Australian market include BSI Group, SAI Global, BMG Compliance, NSF International, Sustainable Certification, and a number of others. Pricing varies based on the auditor’s day rate and the number of days the audit requires (typically 2 to 5 days combined for an SME).

ISMS software platforms: AU$2,000 to AU$15,000 per year. Modern ISO 27001 implementations almost always involve an information security management system (ISMS) platform like Vanta, Drata, Sprinto, or isms.online. These platforms automate evidence collection, control monitoring, and audit preparation. The platforms aren’t required (an organisation can manage the ISMS in SharePoint or similar), but they substantially reduce the operational overhead and most certification bodies are familiar with the evidence formats they produce.

Training and supporting tools: AU$1,000 to AU$5,000. ISO 27001 lead implementer training for the internal champion (typically AU$2,000 to AU$3,000), risk assessment tools if the ISMS platform doesn’t include them, and miscellaneous documentation tools. For some businesses, this category is rolled into the implementation consultancy fee rather than billed separately.

Indicative total cost by SME size

The honest cost ranges by Australian SME size, assuming a reasonable starting baseline (mature business processes, modern technology stack, no major control gaps):

| SME size | Scope | Implementation | Audit fees | Tools | First-year total |
|---|---|---|---|---|---|
| 10 to 30 staff | Whole business | AU$15,000 to AU$25,000 | AU$8,000 to AU$12,000 | AU$2,000 to AU$5,000 | AU$25,000 to AU$42,000 |
| 30 to 75 staff | Whole business | AU$20,000 to AU$35,000 | AU$10,000 to AU$15,000 | AU$3,000 to AU$8,000 | AU$33,000 to AU$58,000 |
| 75 to 200 staff | Whole business | AU$30,000 to AU$50,000 | AU$13,000 to AU$20,000 | AU$5,000 to AU$15,000 | AU$48,000 to AU$85,000 |
| 30 to 200 staff | Narrow scope (one product line, one data set) | AU$15,000 to AU$25,000 | AU$8,000 to AU$12,000 | AU$2,000 to AU$8,000 | AU$25,000 to AU$45,000 |

Two factors push the cost outside these ranges. Higher cost: businesses with significant control gaps requiring major remediation (replacement of legacy systems, new security tooling, organisational restructuring). Lower cost: businesses with strong existing security practices and capable internal champions, which can reduce the implementation consultancy spend toward the lower end of the range.

What are the ongoing costs after first certification?

Many businesses focus on the first-year cost and underestimate the ongoing investment. The certification is valid for 3 years, but it’s subject to surveillance audits in years 1 and 2 and a full recertification audit at year 3. Ongoing costs run continuously.

Annual surveillance audits (years 1 and 2): AU$5,000 to AU$10,000 each. Shorter than the initial certification audit, focused on changes since the previous audit and continued conformance to the standard. Most businesses budget AU$7,500 as the indicative mid-range.

Recertification audit (year 3): AU$8,000 to AU$15,000. Full reassessment of the ISMS against the standard, similar in scope to the original Stage 2 audit. Triggers a fresh 3-year certificate.

ISMS platform licensing (ongoing): AU$2,000 to AU$15,000 per year. Continues at roughly the first-year rate unless the business size changes substantially or the platform tier changes.

Internal effort: 0.2 to 0.5 FTE ongoing, depending on scope and risk profile. For a 30-person SME, that’s roughly one staff member spending one day per week on ISMS-related activities (running risk assessments, reviewing controls, preparing for audits, responding to security questionnaires from customers). The cost is often invisible because it’s absorbed into existing roles, but it’s real.

Adding these together: ongoing annual cost after first certification typically lands at AU$15,000 to AU$40,000 per year for an Australian SME, depending on size and scope. Over a 3-year cycle, total cost to maintain certification (including the

What is an ISMS? A practical guide for Australian SMEs

June 3, 2026

An information security management system (ISMS) is the documented set of policies, procedures, and controls a business uses to systematically manage the confidentiality, integrity, and availability of its information. It’s the framework that turns “we take security seriously” into something specific, measurable, and auditable. For Australian SMEs, an ISMS most commonly appears in the form of ISO/IEC 27001 certification, the international standard that defines what a credible ISMS looks like.

For most Australian SMEs we work with, the decision to implement an ISMS isn’t driven by an internal desire for better security. It’s driven by a customer, an insurer, or a regulator asking “are you certified to ISO 27001”. This guide explains what an ISMS actually is in practical terms, when implementing one makes commercial sense for a Sydney SME, and what the realistic cost and timeline look like.

Key facts

- An ISMS is a documented management system for information security, typically built to the international standard ISO/IEC 27001.
- The “system” in ISMS doesn’t mean software. It means the management framework: policies, processes, risk assessments, controls, and ongoing review.
- For Australian SMEs, ISO 27001 certification costs between AU$25,000 and AU$80,000 to achieve initially, plus ongoing annual surveillance audits of AU$5,000 to AU$15,000.
- Implementation typically takes 9 to 18 months from start to first certification, with the discovery and documentation phase being the longest single component.
- An ISMS works at the management level above specific technical controls. It mandates that controls exist and are reviewed, but doesn’t prescribe specific products or implementations.
- Australian SMEs commonly implement an ISMS to satisfy customer requirements (government contracts, supply chain into APRA-regulated entities), insurance requirements (cyber insurance underwriters increasingly value certification), or regulatory expectations (specific industries).

What is an information security management system (ISMS)?

An ISMS is the management framework that sits above an organisation’s individual security controls. It documents what the organisation is trying to protect, what risks it faces, what controls it has in place, who’s responsible for what, how decisions get made, and how the framework itself gets reviewed and improved over time.

The key distinction: an ISMS is not a security product, a security team, or a set of technical controls. It’s the layer of management discipline that determines which controls exist, why they exist, and how they’re maintained. A business can have excellent technical controls without an ISMS (just by being well-run). A business with an ISMS has the controls documented, justified by risk assessment, and subject to regular review.

The dominant standard for what a credible ISMS looks like is ISO/IEC 27001, published by the International Organization for Standardization. ISO 27001 specifies the requirements an ISMS must meet to be certified, including the risk assessment methodology, the policy framework, the management review process, and the corrective action procedures. The companion standard ISO/IEC 27002 provides implementation guidance for specific controls but does not itself confer certification.

An organisation can implement an ISMS without seeking certification, and many do. The discipline of the framework delivers value regardless of whether an external auditor verifies it. But for the businesses that face external pressure to demonstrate their security posture, formal certification is usually what’s being asked for.

Why would an Australian SME implement an ISMS?

The decision is almost always commercial, not security-driven. Three external pressures explain most ISMS implementations at SMEs.

Customer demand. Government procurement, enterprise procurement (particularly from APRA-regulated entities), and increasingly large commercial customers ask suppliers about their security posture as part of supplier onboarding. The question “are you certified to ISO 27001” is binary and easy to ask. The supplier either is or isn’t. Suppliers without certification face longer security questionnaires, more rigorous third-party risk assessments, and sometimes simple exclusion from procurement processes. For a 30-person Sydney SME wanting to sell into government or APRA-regulated counterparties, ISO 27001 certification removes friction.

Insurance pressure. Cyber insurance underwriters in 2026 don’t require ISO 27001 certification, but they increasingly value it. Certified businesses get better policy terms, broader coverage, and easier renewals. The value is partly the controls (which the certification verifies) and partly the management discipline (which insurance underwriters correctly see as a leading indicator of how the business will respond to an incident).

Regulatory expectation. Some Australian industries face explicit or implicit regulatory expectation of certification. Federal government suppliers handling classified or sensitive information. Defence industry supply chain. Specific healthcare and financial services contexts. The expectation may be technical (specific certification required) or commercial (certification is what successful tenders have, so anything less is at a disadvantage).

The internal driver, when it appears, is usually a board or executive recognising that the business has grown beyond informal security and needs management discipline. This is a legitimate reason but it’s the minority case. Most Australian SME ISMS implementations are responses to external pressure.

ISMS vs ISO 27001: what’s the difference?

The terms get conflated in conversation but they refer to different things. Understanding the distinction matters when you’re scoping a project.

An ISMS is the management system itself: the framework of policies, controls, and processes that the organisation operates. A business can have an ISMS without being certified. The ISMS can be designed against any framework (ISO 27001, NIST CSF, SOC 2, the Essential Eight extended to a management level) or against the organisation’s own custom framework. What makes it an ISMS rather than a set of controls is the management layer: risk assessment driving control selection, policies defining expected behaviour, processes for review and improvement, defined roles and responsibilities.

ISO/IEC 27001 is the international standard that specifies what a credible ISMS must include. It defines the structure (the “clauses” of the standard cover scope, management commitment, planning, support, operation, performance evaluation, improvement), the risk-based approach to control selection, and the specific reference set of controls (Annex A, currently 93 controls in the 2022 revision). An ISMS that conforms to ISO 27001 is auditable against the standard. Certification is awarded by an accredited certification

APRA CPS 234 explained: what Australian insurance brokers need to know

June 1, 2026

CPS 234 is the Australian Prudential Regulation Authority (APRA) Prudential Standard that sets information security requirements for APRA-regulated entities, including insurance brokers, general insurers, life insurers, banks, and superannuation funds. It took effect in July 2019 and applies in full to all regulated entities, with no carve-out for size or complexity. For Sydney insurance brokers, CPS 234 compliance is not a one-time project. It’s an ongoing accountability that the board of the entity carries personally.

This guide explains what CPS 234 actually requires, what changed in 2023 when APRA introduced the tripartite review framework, and what the standard means for smaller brokers and authorised representatives.

Key facts

- CPS 234 is APRA’s Prudential Standard on Information Security, mandatory for all APRA-regulated entities since 1 July 2019.
- The board of the regulated entity is ultimately accountable for compliance. Outsourcing IT does not transfer the accountability.
- CPS 234 covers four main areas: information security capability, policy framework, identification of vulnerabilities and incidents, and notification to APRA.
- The maximum APRA notification window for material information security incidents is 72 hours.
- APRA introduced a tripartite review framework in mid-2023, requiring regulated entities to engage an independent third party to assess their CPS 234 controls.
- Smaller insurance brokers under an Australian Financial Services Licence (AFSL) holder may not be directly APRA-regulated, but they often inherit CPS 234 obligations through their licensee or their general insurer relationships.

What is APRA CPS 234?

CPS 234 is the Australian Prudential Regulation Authority’s binding information security standard for the financial entities it regulates. The standard was finalised in November 2018 and took effect on 1 July 2019. It replaced earlier non-binding guidance and made information security a board-level accountability backed by enforceable obligations.

The standard reflects APRA’s view that information security has become inseparable from financial stability. A successful cyber attack on a general insurer, a life insurer, or a bank can affect customers, counterparties, and the broader financial system in ways that demand the same regulatory rigour as capital adequacy or operational risk. CPS 234 puts cyber on the same footing.

The full text of the standard is on the APRA website at apra.gov.au, and APRA also publishes practice guides (the CPG 234 series) that explain expected implementations of the standard’s requirements. Both are required reading for anyone responsible for CPS 234 compliance within a regulated entity.

Who does CPS 234 apply to?

CPS 234 applies to all entities directly regulated by APRA. This includes authorised deposit-taking institutions (banks, credit unions, building societies), general insurers, life insurers, private health insurers, superannuation funds, and the holding companies of these entities.

The standard does not directly apply to: financial planners (regulated by ASIC), insurance brokers operating under an AFSL (regulated by ASIC), or service providers to APRA-regulated entities (unless they’re themselves APRA-regulated).

The catch is what we call “inherited CPS 234”. An insurance broker who places business with multiple APRA-regulated insurers will find that their insurer counterparties expect the broker to maintain controls aligned to CPS 234 principles. The broker isn’t directly regulated, but the insurer’s CPS 234 obligation (specifically the requirement to assess third-party information security capability) flows down as a contractual expectation. In practice, brokers who want to maintain agency arrangements with major insurers end up implementing CPS 234-aligned controls regardless of their direct regulatory status.

The same dynamic applies to service providers (IT companies, outsourced operations, software vendors) supplying APRA-regulated entities. The standard requires the regulated entity to assess and manage information security risk from its third parties, which translates into supplier security questionnaires, contractual security obligations, and sometimes third-party audits.

What does CPS 234 actually require?

The standard sets out requirements across four main areas. Each one has practical implications for the systems, controls, and reporting that a compliant entity needs in place.

Information security capability commensurate with vulnerabilities and threats. The board must ensure the entity maintains an information security capability that’s appropriate to the size, business mix, and threat profile of the entity. A small specialist insurer does not need the same controls as a major bank, but both need controls proportionate to their actual exposure. The capability includes people, processes, technology, and budget.

Information security policy framework. Entities must maintain an information security policy framework that defines roles, responsibilities, and decision rights for information security across the organisation. The framework must be approved at board level, reviewed regularly, and integrate with the entity’s broader risk management framework.

Identification of information security vulnerabilities and threats. Entities must have processes to identify their information assets (data, systems, infrastructure), classify them by criticality and sensitivity, and identify vulnerabilities and threats to those assets. This must be a living process, not a one-time assessment. Penetration testing, vulnerability scanning, threat intelligence, and incident response capability all fall under this requirement.

Notification to APRA. Entities must notify APRA within 72 hours of becoming aware of a material information security incident, and within 10 business days of identifying a material information security control weakness that cannot be remediated in a timely manner. The 72-hour clock starts when the entity becomes aware of the incident, not when remediation begins.

How does the tripartite review framework work?

In mid-2023, APRA introduced a tripartite review framework that significantly raised the bar on CPS 234 compliance evidence. The framework requires regulated entities to engage an independent third party to conduct a structured assessment of the entity’s CPS 234 controls. The assessment is reviewed by APRA, and findings inform APRA’s supervisory engagement with the entity.

The tripartite naming reflects three parties: the regulated entity, the independent third-party assessor, and APRA. The assessor’s role is to verify that the controls described in the entity’s CPS 234 documentation actually exist and operate as designed. The assessor produces a report with findings, ratings, and recommended remediation. The entity is then expected to address findings on a timeline agreed with APRA.

The introduction of tripartite review changed the practical compliance posture for

Australian Privacy Act 2024 changes: what SMEs need to do now

April 30, 2026

Most provisions of Australia’s Privacy and Other Legislation Amendment Act 2024 are already in force, with the remaining automated decision-making (ADM) transparency obligations commencing 10 December 2026. The Office of the Australian Information Commissioner (OAIC) now has new infringement notice powers of up to AU$66,000 per contravention and launched its first ever privacy compliance sweep in January 2026. For Australian SMEs, the small business exemption that has shielded most operators since 2000 is widely expected to be removed in the next tranche of reforms.

Key facts

- The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024, with most amendments commencing immediately.
- The statutory tort for serious invasions of privacy commenced 10 June 2025, allowing Australians to sue for serious privacy invasions for the first time.
- The OAIC can now issue infringement notices of up to AU$66,000 per contravention, plus compliance notices that mandate specific remediation.
- Maximum civil penalty for serious or repeated interference with privacy: AU$3.3 million for a body corporate.
- Automated decision-making transparency obligations commence 10 December 2026, requiring businesses to disclose ADM use in their privacy policies.
- The OAIC began its first ever privacy compliance sweep in January 2026, targeting roughly 60 organisations across six sectors.
- The current AU$3 million annual turnover small business exemption is expected to be removed in tranche 2 reforms.

What is the Privacy and Other Legislation Amendment Act 2024?

The Privacy and Other Legislation Amendment Act 2024 (POLA Act) is the most substantial reform of Australian privacy law since the Privacy Act 1988 was enacted. It received Royal Assent on 10 December 2024 and represents the first of two planned tranches of privacy reform, with tranche 2 expected during 2026 or 2027.

The Act introduces a statutory tort for serious invasions of privacy, expands OAIC enforcement powers, requires “reasonable steps” for personal information security to include explicit technical and organisational measures, mandates new disclosure obligations around automated decision-making, and creates the framework for a Children’s Online Privacy Code due to be registered by 10 December 2026.

Most SMEs we talk to think privacy law doesn’t apply to them because of the small business exemption. That position is becoming harder to defend, both because the exemption is widely expected to be removed and because contractual obligations from larger customers and global suppliers increasingly require GDPR-equivalent compliance regardless of statutory scope.

Which Privacy Act changes are already in effect?

Three changes have real teeth right now: the statutory tort, expanded OAIC enforcement powers, and an active compliance sweep that began January 2026.

The OAIC’s enforcement toolkit changed materially in late 2024. The Commissioner can now issue infringement notices of up to AU$66,000 per contravention, bypassing the slower civil penalty process and letting the regulator move on administrative breaches quickly. The maximum civil penalty for serious or repeated interference with privacy now sits at AU$3.3 million for a body corporate. The OAIC also gained the power to issue compliance notices that prescribe exactly how a privacy failure must be fixed.

The OAIC has signalled clearly that it intends to use these powers. The compliance sweep launched in January 2026 targeted around 60 organisations across six sectors where personal information is commonly collected in person: real estate agents, chemists, licensed venues, car rental, car dealers, and pawnbrokers. The sweep specifically assesses privacy policies for compliance with APPs 1.3 and 1.4. The signal to the rest of the market is fairly clear.

What’s the new statutory tort for serious privacy invasions?

The statutory tort for serious invasions of privacy commenced 10 June 2025 and gives Australians the personal right to sue parties that intentionally or recklessly invade their privacy. This is the first time in Australian law that privacy has existed as a personal right with a direct cause of action.

The tort applies where conduct is intentional or reckless, the invasion is serious, and the public interest in the plaintiff’s privacy outweighs any countervailing public interest. “Misuse” of personal information is broadly defined and includes over-collection, inappropriate disclosure, and interference with personal information. The framing borrows from defamation law, and damages for non-economic loss are capped at the limits applicable to defamation.

An accidental data breach probably doesn’t trigger the tort. A breach handled negligently might. The bigger structural shift is that “no win, no fee” lawyers can run privacy actions in similar fashion to defamation cases, which we expect to materially change the risk calculus around how breaches are responded to.

What happens on 10 December 2026?

From 10 December 2026, APP entities must include specific information about automated decision-making in their privacy policies under new APP 1.7. The disclosure obligation applies wherever computer programs make, or contribute to making, decisions that significantly affect a person’s rights or interests, using personal information about that individual.

Privacy policies will need to disclose the kinds of personal information used in automated decisions, the kinds of decisions being made or contributed to, and how the system works in plain language. “Significant” effect is broadly defined and includes both positive and negative impacts on rights or interests.

In practical terms, that captures credit decisions, insurance pricing, hiring screens, dynamic loan terms, AI-assisted customer routing, fraud detection systems, and any AI tool that produces output a human relies on to make a customer-affecting decision. If you’ve integrated an AI tool into a customer-facing workflow this year and not thought about how it makes decisions, the next 12 months are your window to do something about it.

Does the small business exemption still apply?

Yes, but probably not for long. The current AU$3 million annual turnover threshold exempts roughly 95% of Australian businesses from most Privacy Act obligations, and the Government has indicated in-principle support for removing the exemption in tranche 2 reforms.

Even if your turnover is under the threshold today, three things still apply. First, you’re typically already contractually bound to GDPR-equivalent obligations whenever you handle data on
