1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

Glossary · ISO/IEC 27001 — Information Security Management Systems

ISO 27001

The international standard for how an organisation manages information security. Symsafe has been certified against it since 2018, under a JAS-ANZ-accredited certification body.

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). A certified organisation has documented policies, processes, and controls covering how it identifies, manages, and reduces information-security risk — and an independent auditor has verified that those processes are actually in operation, not just on paper.

Why it matters for buyers

ISO 27001 is one of the few security credentials that an auditor’s signature is attached to. Many “certifications” in the security market are self-attested or vendor-issued. ISO 27001 isn’t — a JAS-ANZ-accredited body inspects the ISMS on a defined audit cycle, and the certification can be withdrawn.

For procurement teams: a current ISO 27001 certificate is meaningful evidence that the supplier has thought about information security in a structured way. It is not, on its own, evidence that they will protect your data from a determined attacker — but the absence of it should raise questions.

The 2022 revision (Annex A)

The 2022 version of the standard (ISO 27001:2022) restructured the control set in Annex A from 114 controls into 93, organised into four themes:

  • Organisational controls (37)
  • People controls (8)
  • Physical controls (14)
  • Technological controls (34)

The transition window for organisations certified against the 2013 revision closed in October 2025; current certificates are issued against ISO 27001:2022.

How Symsafe holds it

Symsafe has been certified against ISO 27001 since 2018, by a JAS-ANZ-accredited certification body, currently to the 2022 revision. The certification is audited annually with surveillance audits and re-certification every three years. The Statement of Applicability — which controls we operate, which we’ve scoped out, and why — is available under NDA on request via the contact form.

Alignment with Australian privacy law

ISO 27001’s control set maps cleanly onto the obligations Australian organisations face under the Privacy Act’s Notifiable Data Breaches (NDB) scheme and the Australian Privacy Principles (APPs) — particularly APP 11 (security of personal information) and the breach-assessment, containment, and notification workflow the NDB scheme requires. The standard isn’t a substitute for legal compliance, but a working ISMS provides most of the operational scaffolding the law expects to see.

← Back to glossary