There's a version of the ISO 27001 story that gets told a lot in the Australian IT market right now. An MSP adds the certification to their website, includes it in their capability statement, and positions it as a differentiator in sales conversations. The story is: we have it, our competitors don't, therefore you should choose us.
That story has become difficult to evaluate, because a lot of providers now have the certification, or claim to. And the market has moved fast enough that buyers aren't always equipped to assess what an ISO 27001 claim actually means in practice.
I've been working in information security in South Australia for a long time. I want to explain what genuine ISO 27001 certification looks like, why InterIntra's approach is different, and what it means for businesses in Adelaide that are either pursuing certification themselves or evaluating who to trust with their IT environment.
We Got ISO 27001 Five Years Ago. Here's Why the Timing Matters.
InterIntra achieved ISO 27001 certification roughly five years ago. To understand why that matters, you have to understand the context in which that decision was made.
At the time, ISO 27001 was considered an enterprise-only certification. It was the domain of large ASX-listed companies, major financial institutions, and government departments with dedicated information security teams and the internal resources to run a full ISMS implementation. No one was asking their MSP for it. Mid-market businesses in Adelaide weren't raising it in conversations. It wasn't appearing in RFTs from local councils or professional services firms. The market simply wasn't there.
We pursued certification because it reflected how we believed IT services should be managed, not because a client had asked for it or because we saw a commercial opportunity. The work to get there was substantial. It required us to build an information security management system that covered our own operations, our client delivery processes, our supply chain, and our incident response capability, and then have all of it independently audited by an accredited certification body.
That's the part the marketing brochures don't always capture. ISO 27001 certification isn't a document you produce. It's a programme of work that changes how your organisation actually operates. Maintaining it requires ongoing effort: internal audits, management reviews, control monitoring, an annual surveillance audit by the certification body, and a full recertification audit at the end of each three-year certification cycle. We've been doing that work continuously since we first achieved the standard.
The timing matters because it tells you something about the motivation. Five years ago, there was no commercial pressure to do this. It was the right way to run an IT services organisation. That's why we did it.
Why the ISO 27001 Market Has Become Hard to Navigate
The past two years have changed the market considerably. ISO 27001 has moved from an enterprise standard to a procurement expectation, particularly for IT providers working in sectors with regulatory exposure: financial services, professional services, healthcare, and government supply chains.
The result is that the market has flooded with claims. Some are legitimate. Many MSPs have pursued genuine certification through accredited bodies and have built real information security management systems that they maintain through ongoing surveillance audits. That's a meaningful achievement and represents genuine investment in how they manage security risk.
But a significant number of providers are operating with something considerably less than that. "ISO 27001 aligned" is one formulation. It means nothing with respect to formal certification. "ISO 27001 compliant" typically means self-assessed, without independent verification. Some providers have adopted the language of the standard without the substance: they can describe the structure of an ISMS in a sales presentation without having one that functions in their actual operations.
The questions worth asking any IT provider who claims ISO 27001 are straightforward: who issued your certificate, which accreditation body accredits your certification body, and can you provide the certificate document with its scope statement? A genuine ISO 27001 certificate carries a certificate number, a named certification body, an accreditation mark (in Australia that is typically JAS-ANZ, or another IAF-recognised accreditation body), an issue and expiry date, and a scope that clearly defines what is and isn't covered. Two checks take only minutes: confirm the certificate is current on the certification body's own register, and read the scope to make sure it actually covers the services you're buying rather than, say, only the provider's head office or a single internal system. If any of those elements are absent or vague, the claim is worth scrutinising further.
What 'Internal ISO 27001 Resources' Actually Means
InterIntra doesn't outsource its ISO 27001 work. We have internal certified resources: people on our team who are qualified in ISO 27001 and who implement, audit, and maintain information security management systems themselves. That's a meaningful distinction in a market where the standard approach is to bring in an external consulting firm for the implementation work.
What internal capability means in practice:
- The people advising you on your certification programme already know your environment, because they're the ones managing your IT infrastructure
- Risk assessments are conducted by people who understand the actual technical architecture, not consultants learning it from documentation
- Control implementation is coordinated with your existing IT management processes rather than designed in isolation from them
- Ongoing ISMS maintenance is integrated into your managed services relationship, not a separate engagement that requires its own mobilisation
- When you have questions between milestones, you can reach the people doing the work directly, rather than going through a project manager relaying messages to a specialist elsewhere
Internal capability also means we hold ourselves to the same standard we're helping you achieve. Our own ISMS is subject to the same rigour we apply to client programmes. We've been through the audit process ourselves. We know where the evidence gaps tend to appear, where certification bodies focus their scrutiny, and where organisations that pass their stage one audit can still encounter problems in stage two. That practical knowledge comes from doing the work, not from reading the standard.
The Outsourced ISO 27001 Problem
There is a common model in the Australian IT market that deserves more scrutiny than it typically receives. An IT provider recognises that ISO 27001 is becoming a procurement requirement. Rather than building internal capability, they partner with a specialist information security consulting firm, white-label the service, and offer ISO 27001 consulting as part of their managed services portfolio.
The problem with this model is that the team doing the ISO 27001 work doesn't know your environment.
The consulting firm starts from zero. They conduct discovery interviews. They review documentation your IT provider may or may not have prepared. They assess your infrastructure from the outside. They apply a template ISMS, typically a framework that's been adapted from previous engagements with a find-and-replace on the company name and some customisation of the risk register.
The result is an ISMS that describes how a generic business of your type and size might manage information security, not how your specific organisation actually operates. It may be sufficient to pass a stage one audit, where the certification body is reviewing documentation rather than testing whether controls are genuinely embedded. It's more likely to show strain in stage two and in subsequent surveillance audits, when the auditor is testing whether the management system is actually functioning rather than just documented.
Beyond the audit risk, there's a practical problem: an ISMS that doesn't reflect your real environment won't protect you in practice. The controls are there on paper. Whether they're actually reducing the risks specific to your infrastructure, your people, and your data handling practices is a different question entirely, and one the template approach doesn't reliably answer.
What It Looks Like When Your IT Provider Handles Your ISO 27001
When InterIntra manages a client's ISO 27001 certification, we start from a position of already knowing their environment. We know their infrastructure: what's on-premises, what's in the cloud, how it's segmented, where the access controls sit. We know their data flows: what systems handle sensitive information, how it's stored, how it's transmitted, who has access. We know their vendors, their integrations, their backup posture, their patch cadence.
The gap analysis that kicks off an ISO 27001 programme is, for us, not a discovery exercise. It's a conversation between people who already know the same system. We're not learning your environment. We're assessing it against the standard's control requirements from a position of existing familiarity. That changes the quality of the analysis and the speed of the work.
It also changes the quality of the ISMS we build, because we're not working from a template. We're building a management system that reflects how your organisation actually operates, using the controls and processes that are already embedded in your IT environment wherever they meet the standard's requirements. We identify real gaps and address them. We don't create documentation for processes that don't exist and then hope the auditor doesn't probe too deeply.
For South Australian businesses pursuing ISO 27001, whether it's driven by a client contract, a regulatory requirement, or a genuine commitment to security governance, the single most important decision you can make is who you work with on the implementation. Choose a provider whose own house is in order, whose team has done this before, and who already understands your environment before the engagement begins. Whoever does the work, ask how internal audit independence is handled: the standard requires internal audits to be objective and impartial, so the people who implemented a control shouldn't be the only ones auditing it, and your certification body will look for evidence of that separation.
The ISO 27001 certification process takes time and real effort. But done properly, it produces an information security management system that actually functions: one that reduces your real risk exposure, survives ongoing scrutiny, and demonstrates to your clients and supply chain partners that you take information security seriously. That's worth doing right.
