ISO 27001 · Brisbane · Melbourne · Sydney · Australia-Wide
We deliver ISO 27001 inside your existing Microsoft 365 environment. Fixed-price, audit-ready in 10–14 weeks, 100% first-time pass rate. No Vanta, no Drata, no Secureframe — and no annual licence fee waiting for you in year two.
Most ISO 27001 consultants will tell you that getting certified means buying a GRC platform — Vanta, Drata, Secureframe, or one of the Australian alternatives. Then they'll spend three months configuring it, train your team on yet another tool, and bill you for both. We don't.
Typical path, 3-year cost (mid-market): ~$135k
Our approach, 3-year cost (mid-market): ~$60k
Saving: ~$75k
Figures based on typical mid-market scope (50–200 staff). Precise estimate confirmed on call.
Every ISO 27001 engagement covers the same scope, from kickoff through to certificate. Fixed-price, milestone-gated, no upsells.
Weeks 1–2. We define what's actually in scope (and just as importantly, what isn't), review your current M365 environment, and produce a gap analysis against every Annex A control with concrete remediation actions.
A risk register populated with real risks (not framework template placeholders), each with likelihood, impact, owner, and treatment direction. Statement of Applicability mapping every Annex A control to your environment with justification.
Information security, access control, asset management, incident response, supplier security — all written specifically for your environment, not generic templates. Reviewed and approved through your normal governance process.
Conditional Access policies in Entra. Endpoint policies in Intune. DLP and information protection in Purview. Backup, logging, monitoring. Every control built directly inside your existing M365 environment with ring-based deployment.
Evidence captured at the point of change — Power BI dashboards from M365 audit logs, SharePoint libraries with retention and approval workflows. By certification you have months of operating evidence, not a frantic scramble.
Full internal audit including dress rehearsal of the external audit. We support you through Stage 1 documentation review and Stage 2 operational audit, on call for assessor questions and additional evidence requests.
Everything lives inside your Microsoft 365 tenant — not a third-party platform. Here's what a typical Risk Register and Statement of Applicability look like inside SharePoint.
Screenshots on the original page: Risk Register (SharePoint List); Statement of Applicability (ISO 27001 Controls).
Compressed for under-50-staff scope, extended for 500+ staff. Most mid-market engagements land in this range.
Assess: Scoping interviews, environment review, gap analysis, risk register draft, fixed-price proposal for remaining phases.
Implement: Policy framework, control implementation, SoA finalised, evidence capture automation, training rollout.
Internal audit: Full internal audit and dress rehearsal of the external audit. Any findings remediated before booking certification.
Certify: External certification audit (Stage 1 + Stage 2). We support throughout. Certificate issued on successful completion.
The standard is global but the context is local. Australian organisations face specific regulatory drivers, procurement requirements, and certification body options that affect how you approach ISO 27001.
ISO 27001 Annex A controls directly map to Australian Privacy Principles under the Privacy Act 1988. Organisations handling personal information benefit from combining ISO 27001 with ISO 27701, achieving dual assurance from a single evidence set — and preparing for the Privacy Act reforms expected in 2026.
Commonwealth entities, state government contractors, and DISP members increasingly require ISO 27001 alongside Essential Eight. We regularly deliver both frameworks simultaneously — one control set, two compliance outcomes — for organisations in Brisbane, Canberra, and across Australia.
Australian certification bodies include BSI, Bureau Veritas, SAI Global, and LRQA. All are JASANZ-accredited. We help you choose based on auditor availability, sector expertise, and fees, without the referral arrangements that create a conflict of interest in some consultants' advice.
The Australian Cyber Security Centre's guidelines and ASD's Information Security Manual share significant control overlap with ISO 27001. For organisations in regulated sectors, we map your ISO 27001 implementation to ACSC best practice simultaneously — no duplicated effort.
Healthcare organisations subject to the My Health Records Act, and financial institutions under APRA CPS 234, find that ISO 27001 provides the evidence structure regulators and auditors expect. We've delivered ISO 27001 for health SaaS, pathology providers, and APRA-regulated entities.
Compliance365 is headquartered in Brisbane, Queensland, and delivers ISO 27001 engagements across Australia — Sydney, Melbourne, Canberra, Perth, and remote. All work is delivered by senior practitioners, not juniors supervised from offshore.
ISO 27001 is the right certification for organisations in one of these situations:
You've had a customer or prospect ask for ISO 27001 in a tender, vendor questionnaire, or contract clause. Their procurement team has it as a tickbox requirement and you need it to keep the deal alive.
Government, finance, healthcare, defence-adjacent sectors. ISO 27001 is the baseline signal that gets you onto the panel or shortlist. Without it, you don't get evaluated.
Cyber insurance renewal is harder than it used to be. Board members want demonstrable evidence that security is governed properly. ISO 27001 satisfies both.
You may already have SOC 2 or Essential Eight and want to add ISO 27001 with shared controls and evidence — not three separate parallel programmes. We deliver combined engagements regularly.
Answered plainly. If you have a question not covered here, the fastest way to get a real answer is a 30-min call.
10–14 weeks for most Australian mid-market organisations (50–500 staff). A focused scope for organisations under 50 staff can complete in 8 weeks. Enterprise environments (500+) typically take 14–20 weeks.
Fixed-price, ranging $25k–$130k depending on company size and scope. Includes everything from gap assessment through certification support. Certification body fees ($8k–$25k) are separate and paid directly to your auditor.
No. We deliver entirely inside your existing M365 environment. Over three years (cert + two surveillance audits) this typically saves $45k–$180k in avoided platform licence costs.
The nominated internal contact typically spends 2–4 hours per week. We work within your existing change management process. Engineering teams don't need to learn a new tool.
100% across all engagements. Two weeks before any external audit, we run an internal dress rehearsal. If we wouldn't pass our own review, we don't book the external one.
Yes — and this is one of our most common engagements. A single set of controls and evidence can satisfy all three. Combined engagements typically reduce total cost by 30–40% versus running them sequentially.
It hasn't happened — but the mechanism is this: if Stage 1 (documentation review) raises findings, we close them before Stage 2 is booked. If Stage 2 raises minor non-conformities, the certification body gives a window to close them. Major non-conformities are rare and preventable with a proper dress rehearsal, which we run two weeks before every external audit.
ISO 27001 certification runs on a 3-year cycle: initial certification, then annual surveillance audits in years 2 and 3, then recertification. Surveillance audits are lighter than the initial — typically 30–50% of the effort. Because your evidence lives in Microsoft 365 and is maintained continuously, surveillance prep is hours not weeks. Existing clients get preferential rates on surveillance support.
ISO 27001 is often the foundation. Most clients add one or two related frameworks with shared controls and evidence.
A free 30-minute call gives you a precise scope, realistic timeline, and a fixed-price quote. No sales pitch. If you don't need us yet, we'll tell you.