Good Security

Compliance

ISO/IEC 27001

The international gold standard for information security management, providing a structured framework for protecting organisational information assets.

ISO/IEC 27001:2022 Information Security Management System

Deadline Passed

ISO 27001:2013 transition deadline passed October 2025

The transition period from ISO 27001:2013 to ISO 27001:2022 ended on 31 October 2025. Organisations that were still certified only to the 2013 version have lost their certification. If you have not yet transitioned, contact us to understand your options for achieving certification under the 2022 standard.

What is really being asked of the business

What this requirement is trying to protect in the real world

A good compliance programme starts by understanding the business purpose behind the requirement rather than treating it like a checklist.

ISO/IEC 27001 is the world's leading standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard provides a systematic approach to managing sensitive company and customer information through a combination of people, processes, and technology. The 2022 revision — ISO/IEC 27001:2022 — updated the standard's Annex A controls to reflect modern security challenges including cloud security, threat intelligence, and data masking, consolidating the previous 114 controls into 93 controls across four themes: organisational, people, physical, and technological.

In New Zealand, ISO 27001 certification remains relatively rare. As of 2023, only 89 organisations held certified ISMS across the country — making certification a genuine competitive differentiator rather than a baseline expectation. However, alignment to the standard is increasingly demanded by enterprise customers, government procurement processes, and cyber insurance underwriters. Organisations that can demonstrate an ISO 27001-aligned security programme — whether formally certified or not — signal a level of security maturity that opens doors in the New Zealand and international marketplace.

The standard follows a Plan-Do-Check-Act (PDCA) cycle, requiring organisations to assess their information security risks, implement appropriate controls, monitor their effectiveness, and continually improve. This structured approach transforms security from a reactive, ad-hoc activity into a managed business function with clear accountability, measurable outcomes, and executive visibility. For New Zealand businesses, ISO 27001 provides a proven framework for building a security programme that grows with the business.

Why It Matters

Why business owners, customers, and boards pay attention to it.

With only 89 certified organisations in New Zealand as of 2023, ISO 27001 certification is a powerful market differentiator. In an environment where government agencies, enterprise customers, and international partners increasingly require evidence of structured security management, holding — or demonstrably working toward — ISO 27001 certification places your organisation ahead of the vast majority of New Zealand businesses. It is not simply a compliance exercise; it is a strategic business asset that directly supports revenue growth and market access.

The demand signals are clear. New Zealand government procurement is increasingly referencing ISO 27001 and the related Protective Security Requirements (PSR). Major enterprises include security management system requirements in their supplier assessments. Cyber insurance underwriters offer more favourable terms to organisations that can demonstrate an ISMS. International customers and partners recognise ISO 27001 as a universally understood indicator of security maturity, removing the need to explain or translate New Zealand-specific frameworks when working across borders.

Beyond market positioning, ISO 27001 provides genuine operational value. The structured risk assessment methodology directs security investment where it matters most. The requirement for management review and internal audit creates accountability at the executive level. The continual improvement cycle keeps your security position from stagnating. For businesses that need to build an effective security programme without the resources of a large enterprise, ISO 27001 provides a detailed, proven roadmap that our analysts tailor to your specific context and risk profile.

Key Requirements

The obligations most businesses need translated into operating reality.

This is where the framework turns into documented controls, ownership, evidence, and review cycles.

01 Information Security Risk Assessment

Organisations must establish and maintain a formal risk assessment methodology that identifies information security risks, analyses their likelihood and impact, evaluates risk against defined criteria, and determines appropriate treatment options. The risk assessment must be documented and reviewed at planned intervals or when significant changes occur.

02 Statement of Applicability

A Statement of Applicability (SoA) must document which of the 93 Annex A controls are applicable to the organisation and which are not, with justification for any exclusions. The SoA is a core certification document and serves as the master reference for the organisation's control framework.

03 Information Security Policies

A suite of information security policies must be established, approved by management, communicated to relevant parties, and reviewed at planned intervals. These policies set the organisation's security direction and establish the rules and expectations that underpin the entire ISMS.

04 Asset Management and Classification

Information assets must be identified, inventoried, assigned ownership, and classified according to their value, sensitivity, and criticality to the organisation. Appropriate handling and protection requirements must be defined for each classification level.

05 Access Control

Logical and physical access to information and information processing facilities must be controlled based on business and security requirements. This includes user access provisioning, privileged access management, authentication mechanisms, and regular access reviews.

06 Incident Management

Organisations must establish procedures for reporting, assessing, responding to, and learning from information security incidents. This includes incident classification, escalation paths, evidence preservation, root cause analysis, and post-incident review to drive continual improvement.

07 Internal Audit and Management Review

The ISMS must be audited internally at planned intervals to confirm it conforms to requirements and is effectively implemented. Senior management must review the ISMS at planned intervals to confirm its continuing suitability, adequacy, and effectiveness, considering audit results, incident trends, and the changing risk landscape.

08 Business Continuity

Information security continuity must be embedded in the organisation's business continuity management processes. This includes keeping security controls operational during disruptive events and ensuring that information availability requirements are met through appropriate resilience measures.

How Good Security Helps

Where businesses usually need practical support.

This is about building the policies, registers, evidence, and governance needed to stand up to scrutiny.

Security Baseline Assessment

Our baseline assessment evaluates your current security position against the ISO 27001 control framework, identifying gaps and establishing the starting point for your ISMS implementation journey. This gives you a clear, scored view of where you stand against each Annex A control.

Audit Readiness Score & Evidence Compiler

We continuously track your readiness for ISO 27001 certification or surveillance audits, scoring each control area and identifying items that need attention before an auditor visit. Our expert-reviewed assessments mean there are no surprises on audit day.

Multi-Standard Compliance Mapping

We map your ISO 27001 controls against other frameworks your organisation needs to address — including NZISM, the Privacy Act, and customer-specific requirements — eliminating duplication so a single set of controls satisfies multiple compliance obligations.

Policy Suite & Lifecycle Management

We develop, review, and maintain the complete policy suite required by ISO 27001 — from the overarching information security policy to supporting policies covering access control, cryptography, supplier relationships, and incident management — keeping them current and audit-ready.

Risk Management Framework

Our risk management service establishes the formal risk assessment methodology ISO 27001 demands, including risk identification, analysis, evaluation, and treatment processes aligned to ISO 31000 best practice. We maintain your risk register and support management review with expert-prepared risk reporting.

Government Standards Gap Assessment

For organisations pursuing both ISO 27001 and New Zealand government supply chain requirements, our gap assessment maps the intersection of ISO 27001 and NZISM, so your investment in one framework directly supports the other.

Information Asset Register

We build and maintain your information asset register as required by Annex A, cataloguing information assets with their owners, classification, and handling requirements — a foundational element that auditors will examine closely.

Further Reading

Related guidance for teams that need the detail.

These articles go deeper into the surrounding decisions, timelines, and implementation issues.

FAQ

Common commercial questions.

How long does ISO 27001 certification take?

For a typical New Zealand business, the journey from initial assessment to certification audit generally takes 9 to 18 months, depending on your starting maturity level and the resources you can commit. Organisations that already have some security policies and controls in place will move faster. Good Security's structured approach, supported by our proprietary security intelligence platform, typically positions clients at the shorter end of that range by efficiently identifying gaps and prioritising improvements.

What's the cost of certification for a business?

Certification costs have two components: the implementation costs (building the ISMS, writing policies, implementing controls) and the audit fees paid to the certification body. Audit fees for a business with 50–200 staff typically range from $15,000 to $30,000 for the initial certification audit. Implementation costs vary widely depending on your starting point, but engaging a virtual CISO to guide the process is significantly more cost-effective than hiring full-time specialist staff or large consulting firms.

Do I need ISO 27001 or can I just align to it?

This depends on your business objectives. Formal certification provides independent, third-party assurance that your ISMS meets the standard — which is what enterprise customers and government procurement processes typically want to see. However, many organisations choose to align their security programme to ISO 27001 without pursuing formal certification, gaining the operational benefits of a structured ISMS while avoiding audit costs. Good Security supports both approaches and can advise on which path delivers the best return for your specific situation.

What's new in the 2022 version?

ISO/IEC 27001:2022 reorganised the Annex A controls from 14 domains with 114 controls into 4 themes with 93 controls. Eleven new controls were introduced, including threat intelligence, cloud security, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The restructuring makes the standard more practical to implement and better aligned with modern security operations. Organisations certified to the 2013 version must transition by October 2025.

Can a virtual CISO manage our ISMS?

Absolutely. Many New Zealand businesses lack the budget or workload to justify a full-time Chief Information Security Officer, yet ISO 27001 requires clear management responsibility for the ISMS. A virtual CISO from Good Security fills this role — providing the strategic leadership, deep analysis, and day-to-day ISMS management that the standard demands, while costing a fraction of a full-time executive hire. We act as your ISMS manager, driving continual improvement and maintaining audit readiness year-round.

Most businesses managing ISO/IEC 27001:2022 Information Security Management System obligations start with Assurance.

If you are weighing up fit, scope, or urgency, start with the scorecard for a fast benchmark and book a consultation when you need a practical next-step plan.