ISO 27001 Checklist: What Australian Businesses Must Prepare

Most businesses don't fail ISO 27001 because it's too hard. They fail because no one told them what to do first.

This checklist is based on real ISO 27001 gap assessments and certification audits conducted across Australian businesses preparing for ISO 27001:2022 transition.

In Australia, this certificate has become very important. Clients want it. Government contracts ask for it. Big companies check for it before they work with you.


Key Takeaways

  • You need an ISMS before ISO 27001 certification

  • Prepare scope, risks, policies, controls, training, and audit

  • Missing documents delay certification

  • A gap assessment finds problems early


What Is ISO 27001 and Why Does It Matter in Australia?


ISO 27001 in Australia used to be optional. Now it is not. Banks ask suppliers for it. Telcos require it from vendors. After many big data breaches in Australia, clients and regulators started taking it very seriously.

The standard is simple in concept - build a proper system to protect your information, then keep making it better. It covers your people, your processes, and your technology.

The 2022 revision cut Annex A controls from 114 to 93 and added 11 new ones covering cloud security, remote access, and threat intelligence - all outlined by the Australian Cyber Security Centre. All ISO 27001:2013 certifications officially expired on 31 October 2025.


Why Start With a Gap Assessment?


A gap assessment is like a health check for your business. It shows what you already have and what is missing. It finds weak spots early - before they become big problems. Skipping this step is why many businesses face delays later.


The ISO 27001 Checklist for Australian Businesses


1. Define Your ISMS Scope


First, work out which parts of your business use or store sensitive information. Write down every system, location, and supplier connected to it. If you are leaving anything out, write down why.

Get your senior leaders to approve this in writing. If you run a small or medium business, start with just one part of the business. Get that right first, then grow from there.


2. Conduct a Risk Assessment


Make a list of everything that holds information - data, systems, computers, people. For each one, ask: what could go wrong? Give each risk a score based on how likely it is and how bad it would be. Then decide - fix it, accept it, or pass it on.

Keep this list updated regularly. Bring in people from finance, HR, and operations. They all handle sensitive data and need to be part of this.


3. Build Your Policy Framework


You need these documents ready:

  • Information Security Policy

  • Access Control Policy

  • Acceptable Use Policy

  • Incident Response Procedure

  • Business Continuity Plan

  • Supplier and Vendor Security Policy

  • Asset Management Procedure

  • Change Management Controls

Every document needs one person responsible for it and a date to review it. But having documents is not enough - people need to actually use them. Auditors ask questions. They can tell very quickly if no one follows the rules.


4. Implement and Evidence Your Controls


Match all your controls to Annex A of the 2022 standard. Set up access controls, encryption, logging, and patching for your systems. Add physical security too - lock server rooms, have a clean desk rule, keep visitor records.

Save your evidence as you go - logs, screenshots, approval emails. Don't leave it all to collect at the end.

Write a Statement of Applicability. This lists every control and explains why it applies to your business. Auditors look at this document first. It must show your real situation - not a copy-paste template.


5. Train Your Staff


Everyone needs training - not just the IT team. Keep records showing who was trained and when. Make sure managers know exactly what they are responsible for. Do phishing tests from time to time and keep the results.

For ISO 27001 certification in Australia, auditors look closely at your people. One person clicking a bad link can cause serious damage to everything you have built.

Senior leaders also need to be genuinely involved. Not just signing a form once. They should be reviewing security goals, approving policies, and joining management reviews during the whole process.

6 Sigma Consulting also offers corporate information security training and ISO 27001 internal auditor training for teams preparing for certification.


6. Complete an Internal Audit


Do this well before your external audit - not the day before. The person doing the audit must not be responsible for the areas they are checking. Write down every problem found. Keep proof that each problem was fixed. Hold a management review meeting and write down what was discussed and decided.

Most businesses skip this step. That is why most businesses face delays. An internal audit finds your problems while you can still fix them quietly.

If no one in your team can run it, bring in outside help. 6 Sigma Consulting runs internal audits for Australian businesses as part of ISO 27001 certification support.


Common Mistakes Before Certification


Treating it as an IT project.

Every team that touches data is involved. Leaving out HR, finance, or operations creates gaps the auditor will find.

Writing policies at the last minute.

Auditors want to see that policies were used over time. Documents written the week before the audit look suspicious.

Using a generic risk register.

A template will not hold up when the auditor asks questions. Your risks must match your actual business.

Leaders who approve but disappear.

The standard needs real, ongoing involvement from senior management. One old email is not enough.

Forgetting suppliers.

Cloud providers, overseas developers, IT partners - they are all in scope. Each one needs a written security review.

Skipping the internal audit.

This comes up every time because it causes problems every time. Do it yourself before the external auditor does it for you.


Conclusion


ISO 27001 is not out of reach. Businesses that prepare step by step - building documents, training people, running internal checks - always have an easier time.

Go through this ISO 27001 checklist one section at a time. Collect your evidence as you go. Keep your leaders involved. Do it properly once and your audit will not be a surprise.

6 Sigma Consulting helps Australian businesses with gap assessments, building an ISMS, preparing documents, and getting through the full ISO 27001 certification process. Ready to get certified? Contact 6 Sigma Consulting today and let's get started.


Frequently Asked Questions


Q1: How long does ISO 27001 preparation take?

Three to six months for most businesses. A gap assessment at the start gives you a clear timeline.

Q2: Do smaller businesses need ISO 27001?

Not every business needs it - but if you handle client data or want government and enterprise contracts, more Australian tenders are asking for it every year.

Q3: What changed in ISO 27001:2022?

Controls went from 114 to 93, put into four groups. Eleven new controls were added for cloud security, threat intelligence, and secure development. The 2022 version is now the only accepted version.

Q4: What documents are required?

ISMS scope, information security policy, risk assessment, Statement of Applicability, risk treatment plan, training records, internal audit report, management review records.

Q5: Can we run our own internal audit?

Yes - as long as the auditor is not responsible for the area being checked. Fix all problems found before your certification audit.
