Good Security

ISO/IEC 27001:2022 Information Security Management System

Security isn't a habit. It's a system you can prove

ISO 27001 usually appears when a buyer, procurement team, or insurer wants proof that security is being run as a managed business function, not just a loose collection of good intentions.

This page helps when

  • A buyer, procurement team, or insurer wants evidence that security has clear ownership and review rhythm
  • The board needs one operating model that turns scattered controls into a managed security function
  • You want commercially credible assurance before certification timing becomes urgent

Best next move

Start with Assurance.

The clock is already running. Start with a working session if this requirement is blocking procurement, insurer conversations, privacy readiness, or leadership confidence.


Deadline Passed

ISO 27001:2013 transition deadline passed October 2025

The transition period from ISO 27001:2013 to ISO 27001:2022 ended on 31 October 2025. Organisations still certified under the 2013 version have lost their certification. If you have not yet transitioned, get in touch to understand your options for achieving certification under the 2022 standard.

Where This Starts To Hurt

The buyer moment that makes this rule urgent

The buyer moment is usually a procurement team, correspondent bank, or enterprise customer asking for the Statement of Applicability before signing.

ISO 27001 usually enters the room because someone important wants proof. A major customer wants stronger assurance before signing. Procurement wants evidence that security is being managed deliberately. An insurer wants to know whether the business is organised or just reacting. ISO 27001 matters in those moments because it shows security is being run as a repeatable system.

That is why it carries commercial weight. Certification is still relatively rare in New Zealand, so even credible alignment can separate you from competitors who say the right things but cannot show working ownership, documented decisions, and regular review. For businesses selling into enterprise, government, or international markets, it often becomes part of the trust conversation well before a contract is signed.

The standard works because it forces rhythm. You assess risk, decide what controls matter, document who owns what, review whether the system is working, and improve it over time. Done properly, it turns security from reactive firefighting into something leadership can track, resource, and defend.

What Starts Breaking

What stalls: deals, audits, or insurer renewals

ISO 27001 matters because it is one of the clearest answers a business can give when someone asks, "Can we trust you with our information?" Procurement teams, enterprise buyers, insurers, and government agencies recognise it immediately, which means you spend less time explaining your security setup from scratch.

It also forces internal discipline. Risk assessment, the statement of applicability, management review, internal audit, and continual improvement all require the business to decide what it is protecting, who owns it, and how progress will be measured. That is valuable even before certification enters the picture.

In New Zealand, where relatively few organisations hold certification, ISO 27001 is not background noise. It is a visible trust signal. Businesses that move early use it to open doors, support larger deals, and make their security investment count across multiple external questions at once.

What You Will Need To Prove

The first controls, owners, and evidence to put in place

Alongside Annex A's 93 controls, the SoA, the risk treatment plan, and the management-review cadence carry the most weight on a Stage 1 audit.

See the main requirements
01

Information Security Risk Assessment

Organisations must establish and maintain a formal risk assessment methodology that identifies information security risks, analyses their likelihood and impact, evaluates risk against defined criteria, and determines appropriate treatment options. The risk assessment must be documented and reviewed at planned intervals or when significant changes occur.

02

Statement of Applicability

A Statement of Applicability (SoA) must document which of the 93 Annex A controls are applicable to the organisation and which are not, with justification for any exclusions. The SoA is a core certification document and serves as the master reference for the organisation's control framework.

03

Information Security Policies

A suite of information security policies must be established, approved by management, communicated to relevant parties, and reviewed at planned intervals. These policies set the organisation's security direction and establish the rules and expectations that underpin the entire ISMS.

04

Asset Management and Classification

Information assets must be identified, inventoried, assigned ownership, and classified according to their value, sensitivity, and criticality to the organisation. Appropriate handling and protection requirements must be defined for each classification level.

05

Access Control

Logical and physical access to information and information processing facilities must be controlled based on business and security requirements. This includes user access provisioning, privileged access management, authentication mechanisms, and regular access reviews.

06

Incident Management

Organisations must establish procedures for reporting, assessing, responding to, and learning from information security incidents. This includes incident classification, clear decision paths, evidence preservation, root cause analysis, and post-incident review to drive continual improvement.

07

Internal Audit and Management Review

The ISMS must be audited internally at planned intervals to confirm it conforms to requirements and is effectively implemented. Senior management must review the ISMS at planned intervals to confirm its continuing suitability, adequacy, and effectiveness, considering audit results, incident trends, and the changing risk landscape.

08

Business Continuity

Information security continuity must be embedded in the organisation's business continuity management processes. This includes keeping security controls operational during disruptive events and ensuring information availability requirements are met through appropriate resilience measures.

How We Help You Answer It

When the business usually calls us

We usually get called after a pre-audit gap assessment where the SoA, ISMS documentation, or surveillance-audit readiness is short on evidence.

Stop Guessing When A Buyer Asks How Secure You Are

Our baseline assessment evaluates your current security position against the ISO 27001 control framework, identifying gaps and establishing the starting point for your ISMS work. This gives you a clear, scored view of where you stand against each Annex A control.

See what an auditor will ask for before they ask

We continuously track your readiness for ISO 27001 certification or surveillance audits, scoring each control area and identifying items that need attention before an auditor visit. Our analyst-reviewed assessments mean there are no surprises on audit day.

Stop Rebuilding The Same Evidence For Every Standard

We map your ISO 27001 controls against other frameworks your organisation needs to address — including NZISM, the Privacy Act, and customer-specific requirements — eliminating duplication so a single set of controls satisfies multiple compliance obligations.

Stop Maintaining Policies Nobody Actually Reads

We develop, review, and maintain the complete policy suite required by ISO 27001 — from the overarching information security policy to supporting policies covering access control, cryptography, supplier relationships, and incident management — keeping them current and audit-ready.

Decide Which Security Risks Are Worth The Money

Our risk management service establishes the formal risk assessment methodology ISO 27001 demands, including risk identification, analysis, evaluation, and treatment processes aligned to ISO 31000 best practice. We maintain your risk register and support management review with analyst-prepared risk reporting.

See What Information Runs The Business

We build and maintain your information asset register as required by Annex A, cataloguing information assets with their owners, classification, and handling requirements — a foundational element that auditors will examine closely.

Questions Before A Decision

The questions that come up before the contract

How long does ISO 27001 certification take?

For a typical New Zealand business, the journey from initial assessment to certification audit generally takes 9 to 18 months, depending on your current state and the resources you can commit. Organisations that already have some security policies and controls in place will move faster. Good Security finds the real gaps early and prioritises the work that moves certification readiness forward fastest.

What's the cost of certification for a business?

Certification costs have two components: the implementation costs of getting the business ready, and the audit fees paid to the certification body. Audit fees for a business with 50–200 staff typically range from $15,000 to $30,000 for the initial certification audit. Implementation costs vary widely depending on your starting point, but using an external security lead to run the work is usually far more cost-effective than hiring a full-time specialist team or relying on expensive one-off consulting projects.

Do I need ISO 27001 or can I just align to it?

This depends on your business objectives. Formal certification provides independent, third-party assurance that your ISMS meets the standard — which is what enterprise customers and government procurement processes typically want to see. However, many organisations choose to align their security operating model to ISO 27001 without pursuing formal certification, gaining the operational benefits of a repeatable ISMS while avoiding audit costs. We support both and can say which gives the best return for your situation.

What's new in the 2022 version?

ISO/IEC 27001:2022 reorganised the Annex A controls from 14 domains with 114 controls into 4 themes with 93 controls. Eleven new controls were introduced, including threat intelligence, cloud security, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The restructuring makes the standard more practical to implement and better aligned with modern security operations. Organisations certified to the 2013 version must transition by October 2025.

Can an external security lead manage our ISMS?

Yes. Many New Zealand businesses do not have the workload or budget for a full-time Chief Information Security Officer, but ISO 27001 still requires clear ownership of the ISMS. Good Security can fill that role, doing the strategy, documentation, and review cadence the standard expects, while costing a fraction of a full-time executive hire. We act as the person keeping the system moving instead of letting the work stall between audits.

Need a clearer answer on ISO/IEC 27001?

A working session shapes the SoA, prioritises which of the 93 controls to evidence first, and sequences the certification journey to a JAS-ANZ accredited body.