✓ ISO/IEC 27001:2022 Certified  ·  Lead Auditors Since 2008

Compliance — ISO 27001

ISO 27001 certification done properly.

Cliffside is ISO 27001 certified, and our consultants have been certified ISO 27001 Lead Auditors since 2008. We know what a real ISMS looks like, what auditors actually test, and how to build controls that exist beyond certification day. We typically work backwards from your target certification date — so every milestone has a deadline and every deliverable has a purpose.

A framework for managing information security risk — not a checklist.

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It requires organisations to systematically identify, assess, and treat information security risk — and to demonstrate that the controls they put in place actually work.

Most organisations pursue it for one of three reasons: a customer or government contract requires it, their board wants demonstrable evidence of security maturity, or they've had a near-miss and want a structured framework to prevent recurrence.

The mistake most organisations make is treating it as a documentation exercise. An auditor-focused approach produces certificates that don't survive a real incident. A risk-focused approach produces a programme that both passes the audit and holds up when an incident actually happens.

ISO 27001 is becoming a baseline expectation.

Government procurement increasingly requires ISO 27001 certification or equivalent evidence. APRA-regulated entities find significant overlap between ISO 27001 controls and CPS 234 requirements. Organisations that achieve certification typically find it accelerates sales cycles and reduces third-party risk questionnaire burden significantly.

The 2022 revision introduced significant updates — most importantly, the restructured Annex A controls now align with ISO 27002:2022. If your certification or gap assessment predates this, it needs revisiting.

Talk to us about your situation

Choose the path that fits your organisation.

Depending on your maturity, desired outcome, timeline, and budget, we offer two distinct approaches to ISO 27001 certification. Both are led by our experienced consultants — the difference is the platform and methodology.

APPROACH 01 — PLATFORM-LED
Cybereen-led engagement

For organisations that want to streamline the certification journey and move away from the traditional approach of managing compliance through spreadsheets, email chains and shared drives. We use Cybereen — a purpose-built GRC platform designed for Australian compliance standards — to centralise evidence, automate assessments, and dramatically cut assessment time.

  • Maturity-level assessment against ISO 27001, with real-time dashboards
  • Centralised evidence management — upload once, link to all applicable controls
  • Cross-framework correlation with APRA CPS 234, Essential Eight, and NIST CSF
  • Auditor and consultant portal access to speed up reviews
  • Significantly reduced assessment time compared to traditional consulting

Best for: Organisations that want continuous compliance visibility, need to manage multiple frameworks, or want to move beyond point-in-time spreadsheet assessments.

APPROACH 02 — AUTOMATION-LED
Vanta-partnered certification

For organisations — particularly technology and SaaS companies — that want to accelerate certification through deep automation. As a Vanta partner, we combine our ISO 27001 consulting expertise with Vanta's compliance automation platform, which can automate up to 80% of the manual work required for certification.

  • Automated evidence collection across 1,200+ tests integrated with your existing tools
  • AI-powered ISMS templates for policies, risk registers, and Statement of Applicability
  • Continuous monitoring — stay audit-ready year-round, not just at certification time
  • Reuse ISO 27001 work across SOC 2, HIPAA, GDPR, and other frameworks
  • Typical certification timelines of 12–24 weeks with automation

Best for: Technology companies, SaaS businesses, and organisations with modern cloud infrastructure that want the fastest path to certification with continuous compliance monitoring.

Learn more about Vanta →

What ISO 27001:2022 requires.

The standard is structured around ten mandatory clauses and 93 Annex A controls across four themes.

CLAUSE 4
Context of the Organisation

Understanding internal and external issues, interested parties, and the scope of the ISMS.

CLAUSE 5
Leadership

Top management commitment, information security policy, and assignment of responsibilities.

CLAUSE 6
Planning

Risk assessment methodology, risk treatment plan, and information security objectives.

CLAUSE 7
Support

Resources, competence, awareness, communication, and documented information requirements.

CLAUSE 8
Operation

Operational planning, risk assessment execution, and risk treatment implementation.

CLAUSE 9
Performance Evaluation

Monitoring, internal audit programme, and management review requirements.

CLAUSE 10
Improvement

Nonconformity management, corrective action, and continual improvement obligations.

ANNEX A — THEME 1
Organisational Controls

37 controls covering policies, roles, responsibilities, threat intelligence, supplier relationships, and incident management.

ANNEX A — THEMES 2–4
People, Physical & Technological

56 controls covering human resource security, physical security, access control, cryptography, and secure development.

How Cliffside helps with ISO 27001.

01
Gap Assessment

An honest evaluation of where you stand against ISO 27001:2022 requirements. We map your existing controls, identify genuine gaps, and give you a prioritised remediation roadmap — not a list of every theoretical deficiency. Typically completed in two to three weeks. Included as standard in the Lighthouse Assessment.

02
ISMS Design & Build

We design and build your Information Security Management System from the ground up — risk methodology, policy suite, asset register, risk register, treatment plan, and Annex A control set. Built to actually work, not just satisfy an auditor. We work alongside your team so the knowledge transfers, not just the documents.

03
Audit Preparation

If you're approaching Stage 1 or Stage 2 certification audit, we conduct a pre-audit review, identify any remaining gaps, and help you prepare your team for auditor interviews. We've been through the process ourselves — we know what external auditors focus on and how to present evidence effectively.

04
Ongoing ISMS Management

Certification is not a finish line — it's an annual cycle. We provide ongoing support: internal audit programme delivery, management review facilitation, risk register maintenance, and surveillance audit preparation. Available as a retained service or on a project basis around your surveillance dates.

Lead auditors since 2008. Certified ourselves. That changes how we work.

Cliffside is an ISO/IEC 27001 certified cyber security consultancy, operating under a robust ISMS that reflects our commitment to confidentiality, integrity and continuous improvement. Our certification demonstrates that we apply the same rigorous security standards internally that we recommend to our clients.

Our consultants have been certified ISO 27001 Lead Auditors since 2008. We know the difference between controls that satisfy an auditor and controls that actually reduce risk. We build programmes designed to do both.

We typically work backwards from your desired certification date — mapping every phase, milestone, and deliverable to your timeline. Whether that's six months or twelve, you'll know what needs to happen and when.

We'll also tell you honestly if ISO 27001 isn't the right priority for you right now. If your security fundamentals aren't in place, certification before controls creates risk, not assurance.

What we deliver
  • ISO 27001:2022 gap analysis with prioritised remediation roadmap
  • ISMS scope document and context analysis
  • Risk assessment methodology and risk register
  • Statement of Applicability (SoA) for all 93 Annex A controls
  • Information security policy suite (20+ documents)
  • Asset register and information classification framework
  • Internal audit programme and audit checklists
  • Management review agenda and reporting templates
  • Pre-certification audit review and readiness assessment

We work backwards from your certification date.

We plan every engagement around your target date. How long it takes depends entirely on your starting point and which approach you choose. Here's what a typical engagement looks like.

PHASE 01
Weeks 1–3
Gap Assessment

Evaluate current state against all ISO 27001:2022 requirements. Produce prioritised gap report.

PHASE 02
Weeks 4–10
ISMS Design

Build risk methodology, policy framework, asset register, and risk register.

PHASE 03
Weeks 11–20
Control Implementation

Implement Annex A controls, complete Statement of Applicability, run internal audit programme.

PHASE 04
Weeks 21–24
Audit Preparation

Pre-audit review, team preparation, evidence compilation, and Stage 1 audit readiness.

PHASE 05
Ongoing
Certification & Maintenance

Stage 1 and Stage 2 certification audits, then annual surveillance cycle management.

Start with an honest conversation.

Tell us where you are and what you're trying to achieve. We'll tell you honestly how long it's likely to take, what it will realistically cost, and whether Cybereen, Vanta, or a traditional approach is the right fit for your organisation. No obligation.