How long does ISO 27001 certification take?

For most small to medium businesses, the path from a standing start to initial BSI certification takes nine to fifteen months. Larger or more complex organisations may take longer. The timeline is driven by three things: the size of your scope, the maturity of your existing controls, and how quickly your team can implement changes and build evidence. A realistic gap analysis at the start tells you where you are on that spectrum.

Do we need to certify the whole business?

No. ISO 27001 lets you define your certification scope, it might be a specific business unit, a specific product or service, or the whole organisation. Scoping decisions affect the cost and timeline of certification significantly. We help you make the right scoping call early, because changing scope later is expensive.

What does the ongoing maintenance look like after we achieve certification?

ISO 27001 is a three-year certification cycle with annual surveillance audits. Maintenance involves keeping your ISMS documentation current, running internal audits, reviewing and updating your risk register, managing nonconformities, and preparing for each surveillance visit. We offer ongoing ISMS management as a retained service so you never arrive at an audit unprepared.

Do you outsource the ISO 27001 engagement to a third party?

No. With the exception of the certification audit itself, everything is delivered by InterIntra's own team. The certification audit is conducted by BSI, the independent body that issues the certificate — that's standard for all ISO 27001 engagements regardless of who consults on them. The gap assessment, ISMS design, policy documentation, internal audits, and pre-audit preparation are all done in-house. We don't subcontract any of the consulting or implementation work.

Information Security · ISO 27001 Consulting · BSI Certified

ISO 27001 from a team that's actually certified.

We don't consult on ISO 27001 from a textbook. We run an ISO 27001-certified ISMS ourselves. When we guide your organisation through certification, we're drawing on lived experience of what auditors look for, what implementations actually work, and what trips businesses up. With the exception of the certification audit itself, everything is delivered by our own team — no subcontractors, no outsourced delivery.

Book a Discovery Call What's included

Certified, not just accredited

We've done it ourselves.
We'll guide you through it.

InterIntra holds BSI ISO/IEC 27001 certification, independently audited, not self-declared. That changes the quality of the advice we give. We know exactly where the hard parts are, what auditors scrutinise, and how to build controls that actually work in practice rather than just on paper. We also know how to keep documentation proportionate. Certification shouldn't require a wall of paperwork that nobody reads. We've guided Adelaide businesses through BSI certification from a standing start.

Back to Information Security →

ISO 27001 Consulting

The path from gap analysis to your first certificate.

ISO 27001 protects the three dimensions of information security: Confidentiality: information is only accessible to those authorised; Integrity: information is protected from unauthorised modification; Availability: systems and data are accessible when needed. Certification is not a single event. It's a programme you maintain. We work alongside your team from the first assessment through to the BSI audit, and stay with you through the three-year certification cycle if you need us to.

What's covered in every engagement

Gap analysis: Where you stand against ISO 27001 controls today
ISMS scope: Scope definition and Statement of Applicability (SoA)
Risk assessment: Methodology, risk register and treatment plans
Policy library: Proportionate to your size and complexity
Asset inventory: Information classification and data mapping
Control implementation: Support across all Annex A domains
Internal audits: Programme design, scheduling and delivery
Management review: Executive facilitation and board reporting
BSI audit prep: Certification audit preparation and support
ISMS maintenance: Ongoing management and surveillance readiness

What you receive

→Gap analysis report with prioritised remediation plan

→Risk register with methodology and risk treatment plans

→Statement of Applicability (SoA) covering all Annex A controls

→Policy and procedure library: proportionate to your scope

→Annex A control documentation and evidence library

→Security awareness training materials tailored to your team

→Internal audit reports and management review records

→Surveillance readiness summary for each annual audit

How we work

Five phases from first assessment to continual improvement.

Every ISO 27001 engagement follows the same structured path, with regular checkpoints so you always know where you are and what comes next. Certification is the milestone, not the finish line.

Phase 01

Gap analysis

We assess your current controls against ISO 27001 requirements and produce a gap report with a prioritised remediation plan. You know exactly where you stand before any implementation begins.

Phase 02

ISMS design

We design your Information Security Management System: scope, risk methodology, policy framework, asset inventory and Statement of Applicability. Built to pass audit, not just to tick a box.

Phase 03

Implementation

We work alongside your team to implement controls, write policies, build the risk register and evidence library, and run your internal audit. We do as much or as little of the hands-on work as you need.

Phase 04

Audit support

We prepare you for the BSI certification audit: document review, pre-audit walkthrough, answering auditor questions, and being present throughout the audit process. No surprises on the day.

Phase 05

Continual improvement & surveillance

ISO 27001 is a three-year certification cycle with annual surveillance audits. We keep your ISMS alive between audits: reviewing and updating your risk register, running internal audits, managing nonconformities, and preparing evidence for each surveillance visit. The certificate you earn on day one remains credible because it's maintained.

Our Work

Real results. Real businesses.

We hold ISO 27001 certification ourselves, and we've helped others build security postures that stand up to independent scrutiny.

Case Study

Sports College SA

Essential Eight and security framework implementation for a 500-student college, controls designed to scale from day one.

Essential Eight · Greenfield build

Read the case study

Case Study

Sunshine Coast University Hospital

Independent ICT audit delivering assurance across life-critical health IT systems in partnership with Downer at a major Queensland facility.

Healthcare · Live clinical environment

Read the case study

See all our work →

From the Blog

Related insights.

From the Blog

ISO 27001 Certified. Before It Was a Sales Pitch: Why InterIntra's Certification Is Different

InterIntra achieved ISO 27001 certification five years ago, before most MSPs knew what it required. What that means for businesses seeking genuine certification, not a repackaged product.

Alex Macklin · 21 May 2026

Read the article →

From the Blog

Cybersecurity Compliance: A Growing Priority for Australian Financial Firms

Financial firms face mounting pressure to tighten cyber security. What ASIC's rules mean for AFS licensees.

Alex Macklin · 4 Dec 2025

Read the article →