Advisory

ISO 27001 Compliance & Audits

Implement, certify and maintain the international standard for information security management - end-to-end across the three-year cycle.

Certified once. Maintained for three years.

ISO 27001:2022 establishes an Information Security Management System (ISMS) that aligns people, policies, processes and technology around identified risk. Vectra delivers the full lifecycle: scoping, risk assessment, Annex A control selection (93 controls across four themes in the 2022 revision), Statement of Applicability, internal audit program, certification support and annual surveillance maintenance through the three-year cycle. We've led ISMS implementations across government, financial services, healthcare and SaaS - structured engagements that land the certificate first time rather than drifting for 18 months. Controls are simultaneously mapped to Essential Eight, APRA CPS 234, SOCI Act and PCI DSS so the same evidence works across multiple audits.

Deep dive into the capabilities
Standard version: 2022
Annex A controls: 93
Certification cycle: 3 years
Surveillance audits: annual

Why our ISMS engagements land first time.

The same named team stays with you from kick-off through delivery. Engagements are shaped to your risk profile, not our template library.

10-step methodology

Structured path from scope definition to registration. We've run it hundreds of times; you're running it once - no guesswork, no first-timer blind spots.

2022 revision-ready

Full alignment with the 93-control Annex A structure across Organisational, People, Physical and Technological themes - not legacy 2013 thinking.

Multi-framework mapping

Controls simultaneously mapped to Essential Eight, APRA CPS 234, SOCI Act and PCI DSS so a single evidence pack satisfies multiple audits.

Multi-year retention

Surveillance audit program and ISMS tune-up across all three years of the certification cycle - not just implementation then handover.

From scope to certificate in six stages.

Every engagement follows the same six stages below. You get visibility into every phase and an audit trail of every action taken by the engagement team.

01 Scope & context

Establish ISMS scope, interested parties, legal and regulatory context, and information security objectives (clauses 4 and 5).

02 Risk assessment

Asset-threat-vulnerability modelling with agreed risk criteria, risk register and treatment strategies (clause 6).

03 Control selection

Annex A mapping, Statement of Applicability and risk treatment plan (clause 6.1.3), with inclusion or exclusion justified for each of the 93 controls.

04 Implementation

Control deployment, policy library, staff training and evidence collection across the ISMS (clauses 7 and 8).

05 Audit & review

Internal audit program execution, management review and corrective action tracking (clauses 9 and 10).

06 Certify & maintain

Stage 1 / Stage 2 certification audit by an accredited certification body, then annual surveillance audits through the three-year cycle.

Full-lifecycle ISO 27001 services.

No tiered upsells, no "platinum" package. What you see is what you get - one contract, one team, one number to call.

ISMS implementation

Scope definition, context analysis, risk methodology, control design and Statement of Applicability following the 10-step methodology.

Certification support

Stage 1 and Stage 2 readiness assessments, mock audits and certification body liaison through to certificate issuance.

Annual audits

Internal audit program delivery against clause 9.2 plus external surveillance-audit readiness assessment.

Risk assessment

Asset-threat-vulnerability modelling driving control selection, repeated at planned intervals and whenever significant change is proposed or occurs, as clause 8.2 requires.

Control implementation

Technical and administrative control design across all 93 Annex A controls with remediation roadmaps.

Ongoing ISMS consultation

Documentation updates, management reviews, incident tuning and KPI reporting as your business evolves between certification cycles.

What a well-run ISMS actually does.

Every engagement runs through a unified portal. Scope, schedule, review findings and measure the program across years of history - without a single PDF attachment hitting your inbox.

Risk-aligned control design

Controls selected against your actual risk assessment, not a copy-paste register. Annex A Statement of Applicability defensible at Stage 2.

Documentation library

Policies, procedures, evidence templates and records structured for auditor review - not a 200-page PDF dump.

Executive sponsor enablement

Board-facing narrative, ISMS charter and annual management review support so executive engagement is genuine, not theatre.

Staff training program

Security awareness, role-specific training and tabletop exercises for key functions, supporting the competence and awareness requirements of clauses 7.2 and 7.3.

Internal audit program

Annual internal audit schedule, findings log and corrective action tracking aligned to clause 9.2 requirements.

Multi-framework reuse

Evidence mapped once, reused for PCI DSS, APRA CPS 234, Essential Eight, SOCI Act and customer due-diligence questionnaires.

Proof you'll have in your hand.

Measurable, reportable, auditable - every outcome tracks to a control in your compliance framework.

  • ISO 27001:2022 certificate issued by an accredited certification body

  • ISMS aligned to your actual risk profile, not a template control library

  • Annex A Statement of Applicability defensible at Stage 2 audit

  • Evidence library reusable across APRA CPS 234, Essential 8, PCI DSS and SOCI Act audits

  • Surveillance audit clearance across all three years of the certification cycle

ISMS credentials on our team.

ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, CISSP, CISM, CRISC, IRAP, CREST

ISO 27001 questions, quickly answered.

Can't find the answer here? The team responds to scoping queries within one business day - usually faster.

What's the difference between the 2013 and 2022 revision?

The 2022 revision restructures Annex A from 114 controls across 14 domains to 93 controls across four themes (Organisational, People, Physical, Technological). New controls cover threat intelligence, information security for use of cloud services, ICT readiness for business continuity, data leakage prevention and others. Existing 2013 certifications must transition by 31 October 2025.

How long does certification take end-to-end?

Typical greenfield ISMS implementation runs 6-9 months from kick-off to Stage 2 audit. Mature organisations with existing controls can compress to 4-6 months. Surveillance audits run annually for the three-year cycle.

Do we need a dedicated security team before we start?

No, but you need an accountable executive sponsor and a nominated ISMS owner. We can provide the security subject-matter capability; the organisational accountability must be yours.

What happens at Stage 1 vs Stage 2?

Stage 1 is a documentation review - the certification body checks your ISMS documentation is complete and defensible. Stage 2 is an operational audit - they check the ISMS is actually being followed in practice with evidence from the last 3-6 months.

How does surveillance work across the 3-year cycle?

Annual surveillance audits review a subset of controls (roughly a third each year) plus any high-risk or changed areas. A full recertification audit happens at year 3. Surveillance findings must be closed; the certificate can be withdrawn if not.

Can the same evidence be used for other audits?

Yes - that's a big reason customers run ISO 27001 in the first place. We map controls simultaneously to Essential 8, APRA CPS 234, SOCI Act and PCI DSS so a single evidence item often satisfies four different auditors.
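The evidence-reuse idea behind the multi-framework mapping described above (and in the Multi-framework mapping and Multi-framework reuse capabilities) comes down to a data model: each Annex A control carries references into other frameworks, evidence attaches to controls, and coverage, gaps and staleness fall out of that graph. The following Python is an added example, not Vectra's mapping library or any official crosswalk. The Annex A identifiers and titles are from ISO/IEC 27001:2022; the mapping targets (Essential Eight strategies, PCI DSS requirement numbers, CPS 234 paragraph) and the evidence records are constructed for illustration and labelled as such in the code.

```python
"""Evidence-reuse model for an ISMS control library (added example, illustrative data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    iso_id: str                              # ISO/IEC 27001:2022 Annex A identifier (real)
    title: str
    mappings: tuple[tuple[str, str], ...]    # (framework, reference) pairs - assumed, illustrative


@dataclass(frozen=True)
class Evidence:
    ref: str
    description: str
    controls: frozenset[str]                 # Annex A IDs this item supports
    collected: date                          # when the evidence was produced


# Constructed control set. The cross-framework references are assumptions for
# this example; a real mapping library is built per engagement and defended at Stage 2.
CONTROLS = (
    Control("A.8.5", "Secure authentication",
            (("Essential Eight", "Multi-factor authentication"), ("PCI DSS", "Req 8"))),
    Control("A.8.8", "Management of technical vulnerabilities",
            (("Essential Eight", "Patch applications"),
             ("Essential Eight", "Patch operating systems"), ("PCI DSS", "Req 6.3"))),
    Control("A.8.13", "Information backup",
            (("Essential Eight", "Regular backups"), ("APRA CPS 234", "para 21"))),
    Control("A.5.7", "Threat intelligence", ()),          # no cross-mapping in this example
    Control("A.8.12", "Data leakage prevention", (("PCI DSS", "Req 3"),)),
)

# Constructed evidence records (not real audit artefacts).
EVIDENCE = (
    Evidence("EV-001", "IdP MFA enforcement policy export", frozenset({"A.8.5"}), date(2024, 3, 4)),
    Evidence("EV-002", "Monthly patch compliance report, Feb 2024", frozenset({"A.8.8"}), date(2024, 3, 1)),
    Evidence("EV-003", "Quarterly backup restore test record", frozenset({"A.8.13"}), date(2023, 6, 30)),
    Evidence("EV-004", "Threat intel subscription and triage log", frozenset({"A.5.7"}), date(2024, 2, 15)),
)

AS_OF = date(2024, 3, 31)   # assumed audit date for the staleness check


def coverage(controls, evidence):
    """Map every (framework, reference), ISO control included, to the evidence refs supporting it.

    Evidence attaches to the ISO control once; the control's mappings fan it out
    to the other frameworks, which is the whole reuse payoff."""
    by_control = defaultdict(set)
    for ev in evidence:
        for cid in ev.controls:
            by_control[cid].add(ev.ref)
    matrix = defaultdict(set)
    for c in controls:
        refs = by_control.get(c.iso_id, set())
        matrix[("ISO 27001", c.iso_id)] |= refs
        for framework, ref in c.mappings:
            matrix[(framework, ref)] |= refs
    return dict(matrix)


def gaps(controls, evidence):
    """Annex A controls with no evidence at all - what Stage 2 will find first."""
    covered = {cid for ev in evidence for cid in ev.controls}
    return sorted(c.iso_id for c in controls if c.iso_id not in covered)


def stale(evidence, as_of, max_age_days=180):
    """Evidence older than the operating window an auditor expects (default ~6 months)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(ev.ref for ev in evidence if ev.collected < cutoff)


def reuse_ratio(controls, evidence):
    """Number of distinct framework requirements each evidence item satisfies."""
    idx = {c.iso_id: c for c in controls}
    out = {}
    for ev in evidence:
        hits = set()
        for cid in ev.controls:
            hits.add(("ISO 27001", cid))
            hits.update(idx[cid].mappings)
        out[ev.ref] = len(hits)
    return out


if __name__ == "__main__":
    for key, refs in sorted(coverage(CONTROLS, EVIDENCE).items()):
        print(f"{key[0]:14} {key[1]:35} {sorted(refs) or 'NO EVIDENCE'}")
    print("gaps:", gaps(CONTROLS, EVIDENCE))
    print("stale as of", AS_OF, ":", stale(EVIDENCE, AS_OF))
    print("reuse:", reuse_ratio(CONTROLS, EVIDENCE))
```

Run as a script it prints the coverage matrix, then flags A.8.12 as having no evidence and EV-003 as older than the six-month window. The point of `reuse_ratio` is the one the page makes: a single patch compliance report (EV-002) lands against the ISO control plus two Essential Eight strategies and a PCI DSS requirement, while evidence for an unmapped control like A.5.7 serves only the ISO audit.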

Who issues the actual certification - Vectra or someone else?

A separate certification body issues the certificate, one accredited by JAS-ANZ or another IAF-member accreditation body. Vectra implements the ISMS and supports you through the certification body's audit - we're not the certifier, which keeps the certification genuinely independent.

Security, engineered around you.

Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.