SecurityPolicy.com.au
Home/ New Zealand/ Frameworks Explained/ ISO/IEC 27001 in New Zealand: ISMS, controls and certification
New Zealand Frameworks Explained Framework Reviewed 2026-07-13

ISO/IEC 27001 in New Zealand: ISMS, controls and certification

2022
current base edition of ISO/IEC 27001
93
controls in the Annex A reference set
4
Annex A control themes
10
current NCSC Critical Controls for the New Zealand mapping
Why this guide exists

Questions are ordered from what the standard is and how its ISMS works, through Annex A, certification choices, New Zealand legal and NCSC mapping, cost and timing, certification-body due diligence, operating evidence, and the misconceptions most likely to create false assurance.

What is ISO/IEC 27001, and is it recognised and used in New Zealand?

ISO/IEC 27001:2022 is the international requirements standard for establishing, implementing, maintaining and continually improving an information security management system, or ISMS. It is designed for organisations of any size and sector and manages information-security risk through governance, objectives, risk assessment, risk treatment, evaluation and improvement. ISO lists the current base edition as the third edition, published in October 2022, with Amendment 1:2024 on climate-action changes. The standard is voluntary unless a law, contract, tender, licence condition or internal commitment makes it necessary. It is recognised and available in New Zealand through the international ISO system and the joint adoption AS/NZS ISO/IEC 27001:2023, as well as customer procurement practices and the JASANZ-accredited management-system certification market. Adoption and accredited certification are different: an organisation can implement or align with ISO/IEC 27001 without obtaining a certificate, while certification is independent assurance about the defined ISMS scope at the time of audit.

How this differs by situation
  • private SME — Adopt the ISMS disciplines that solve a real risk or customer need; obtain certification only where its commercial or assurance value justifies the continuing effort.
  • regulated or high-trust provider — Use ISO/IEC 27001 alongside applicable New Zealand privacy, sector, contractual and NCSC requirements rather than as a substitute for them.
  • certified ISMS — Certification applies to a stated organisational and service scope, not automatically to every product, site or group company.
PUT THIS IN YOUR CONTROLS, EXACTLY

We establish, implement, maintain and continually improve a risk-based information security management system using ISO/IEC 27001:2022 as a reference or conformity standard. Our ISMS scope, legal and contractual requirements, risks, selected controls, evidence and improvement actions are documented and reviewed. Certification is pursued only where formally approved and commercially or contractually justified.

ISMS basics — what are scope, risk assessment and the Statement of Applicability?

The ISMS scope states the organisational, service, location, technology and process boundaries to which conformity applies. A credible scope is factual and representative: it should identify included business activities, interfaces, dependencies and externally provided processes without implying that excluded products or group entities are certified. Within that scope, the organisation identifies information-security risks, assesses them using defined and repeatable criteria, decides how to treat them and determines the controls necessary to reduce risk to an acceptable level and meet legal, contractual and other requirements. The Statement of Applicability, or SoA, brings the necessary controls together. It records why controls are necessary, whether they are implemented, and why any Annex A reference controls are considered unnecessary. Necessary controls may come from Annex A, another framework or the organisation's own design. The organisation must compare its necessary controls with Annex A to check that it has not inadvertently omitted something. Clauses 4 to 10 are the ISMS requirements and cannot be excluded when claiming conformity; Annex A controls are a reference set selected through risk treatment, not 93 automatic requirements.

How this differs by situation
  • scope — Define the legal entity, services, locations, systems, people, interfaces and outsourced processes inside the ISMS boundary.
  • risk assessment and treatment — Use consistent likelihood, consequence, acceptance and treatment criteria and connect each material risk to an owner and decision.
  • Statement of Applicability — List all necessary controls, their justification and implementation status, and justify any Annex A control judged unnecessary.
PUT THIS IN YOUR CONTROLS, EXACTLY

Our ISMS scope identifies the legal entity, services, locations, systems, people, interfaces and externally provided processes included in the management system. We assess information-security risks using approved criteria, assign owners, approve treatment and acceptance decisions, and maintain a Statement of Applicability containing all necessary controls, implementation status, inclusion reasons and justified Annex A exclusions.

What do the four Annex A themes and 93 controls cover?

ISO/IEC 27001:2022 Annex A contains a common reference set of 93 information-security controls organised under four themes: organisational, people, physical and technological. Organisational controls cover areas such as policies, roles, asset and supplier governance, incident management, continuity, legal requirements and review. People controls address screening, employment responsibilities, awareness, disciplinary processes, remote working and event reporting. Physical controls address secure areas, entry, equipment, media, environmental threats, monitoring and disposal. Technological controls address identity and access, authentication, malware, vulnerability and configuration management, backups, logging and monitoring, networks, cryptography, secure development and change. The controls are concise outcomes; ISO/IEC 27002:2022 supplies implementation guidance. Annex A should be treated as a completeness reference during risk treatment, not as a universal checklist requiring identical implementation of every control. The SoA must nevertheless account for the reference set by mapping necessary controls and justifying controls considered unnecessary.

How this differs by situation
  • organisational — Governance, roles, assets, suppliers, incidents, continuity, compliance and assurance.
  • people — Personnel lifecycle, responsibilities, awareness, remote work and reporting.
  • physical — Premises, secure areas, equipment, media, environmental protection and disposal.
  • technological — Access, authentication, endpoints, vulnerabilities, backups, logs, networks, cryptography and secure development.
PUT THIS IN YOUR CONTROLS, EXACTLY

We use the 93 Annex A controls across the organisational, people, physical and technological themes as a completeness reference. Control selection is based on risk, legal and contractual requirements. Every necessary control is included in the Statement of Applicability, and every Annex A control judged unnecessary has a documented, approved justification.

Certification vs alignment — what does a New Zealand SME actually need?

Alignment means using ISO/IEC 27001's requirements and risk-based methods without claiming accredited certification. It can be sufficient where the aim is better governance, stronger controls, Privacy Act support or a structured customer-assurance response. Certification means an independent certification body audits the ISMS against ISO/IEC 27001 and issues a certificate for a defined scope. It is useful where tenders, enterprise customers, overseas partners, regulated supply chains or market positioning require independent evidence. ISO itself does not certify organisations, and certification is optional under the standard. A small New Zealand business should therefore begin with the business reason: which customer, contract, risk or strategic outcome requires certification, and what exact scope will satisfy it? A narrow but truthful scope can be practical; an artificially narrow or misleading scope creates false assurance. Certification is not a product-security warranty, legal opinion, penetration test or promise that no incident will occur. Even without certification, avoid saying 'ISO compliant' unless the organisation has assessed all clauses 4 to 10, completed its SoA, implemented the necessary controls and can support the claim with evidence.

How this differs by situation
  • alignment only — Suitable where internal improvement and customer evidence are needed but no party requires an accredited certificate.
  • certification justified — Suitable where a tender, contract, buyer, partner or board decision requires independent assurance for a defined scope.
  • claim discipline — State whether the organisation is aligned, implementing, certified or independently assessed, and identify the exact scope.
PUT THIS IN YOUR CONTROLS, EXACTLY

We describe our ISO/IEC 27001 status accurately. We do not claim certification unless a valid certificate covers the relevant legal entity, service, location and current standard. Alignment claims require a documented scope, assessment against clauses 4 to 10, a current risk treatment process, a Statement of Applicability and evidence that necessary controls operate.

How does ISO 27001 map to the Privacy Act 2020 IPP 5 and the NCSC Critical Controls?

ISO/IEC 27001 can help a New Zealand organisation structure how it identifies and manages information-security risks, but it does not replace the Privacy Act. Information privacy principle 5 requires an agency holding personal information to take security safeguards that are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure, and other misuse. ISO's context, risk, legal-requirements, supplier, monitoring, incident and improvement processes can help the organisation decide what 'reasonable' means and retain evidence of that decision. The current NCSC Critical Controls supply a New Zealand priority view: patching; MFA and verification; password managers; centralised logging; security awareness; asset lifecycle management; tested backups; application control; least privilege; and network segmentation and separation. These outcomes map naturally to ISO Annex A areas such as vulnerability and configuration management, identity and access, authentication, logging and monitoring, awareness, assets, backups, software installation and networks. The mapping reduces duplicated work, but it is not one-to-one proof of compliance. IPP 5 remains an outcome-based legal test, and NCSC priorities may demand practical depth beyond a generic control statement.

How this differs by situation
  • Privacy Act IPP 5 — Sets the New Zealand legal outcome of reasonable safeguards for personal information.
  • ISO/IEC 27001 — Provides the risk-management, governance, evidence and continual-improvement system.
  • NCSC Critical Controls — Provides a current New Zealand priority set for concrete protective, detective and recovery controls.
PUT THIS IN YOUR CONTROLS, EXACTLY

Our ISMS records Privacy Act 2020 IPP 5 as an applicable requirement wherever we hold personal information. We determine reasonable safeguards from the information's sensitivity, volume, exposure, foreseeable threats and potential harm. We map the current NCSC Critical Controls to our necessary ISO controls, identify coverage gaps and retain evidence that the controls operate.

What do cost, effort and realistic timelines look like for a New Zealand SME?

There is no authoritative fixed New Zealand price or implementation timetable for ISO/IEC 27001. Cost and duration depend on the scope, headcount, sites, cloud and on-premises complexity, sensitive information, supplier dependencies, existing policies and controls, internal capability, testing needs and the quality of available evidence. Budget for more than the certification audit: the standard and supporting material; internal leadership and staff time; risk and control remediation; specialist advice where needed; asset, identity, logging, backup and ticketing improvements; awareness and exercises; internal audit; penetration or vulnerability testing where risk requires it; certification-stage audits; corrective actions; surveillance; and recertification. As an editorial planning range rather than an ISO or JASANZ benchmark, a focused cloud-first SME with engaged leadership and many controls already operating may prepare in about three to six months. A broader, less mature, multi-site or regulated organisation may need six to twelve months or longer. The certificate is not the end point: control operation, evidence, internal audit, management review and improvement continue throughout the certification cycle. Ask certification bodies for itemised quotations based on an identical scope so comparisons are meaningful.

How this differs by situation
  • focused and already mature SME — Editorial planning range of approximately three to six months where scope is clear, evidence exists and remediation is limited.
  • broader or lower-maturity SME — Editorial planning range of approximately six to twelve months or longer where systems, sites, suppliers or remediation are substantial.
  • whole-of-life cost — Include internal operation, remediation, internal audit, certification, surveillance and continual improvement, not only the initial audit fee.
PUT THIS IN YOUR CONTROLS, EXACTLY

The ISMS owner maintains an approved implementation and operating budget covering internal time, remediation, tools, competence, exercises, internal audit, certification audits, corrective action and ongoing surveillance. Estimates are based on a documented scope and gap assessment. Schedule or budget pressure must not be resolved by misleading scope, unsupported control claims or manufactured evidence.

How do I choose a certification body in New Zealand and read a certificate scope?

JASANZ is the joint Australia–New Zealand accreditation body. It accredits conformity-assessment bodies; it does not itself certify ordinary businesses. For locally accredited certification, use the JASANZ Register to find a certification body and confirm that its current accreditation scope includes ISO/IEC 27001 management-system certification. Then assess sector experience, auditor competence, independence, audit-day assumptions, locations, remote-audit approach, transfer rules, fees, complaints and appeal processes, surveillance costs and recertification terms. Do not rely only on a logo. For an issued certificate, check the certified legal entity, certificate number and status, standard and edition, issuing certification body and accreditation mark, issue and expiry dates, included sites, and the precise activity or service scope. Confirm the certificate in the JASANZ certified-organisations register or directly with the accredited body. A scope such as 'the ISMS supporting operation of the hosted service from named locations' does not automatically certify every group company, product feature, subcontractor or customer environment. Read the scope together with the service architecture, due-diligence evidence and, where appropriately disclosed, the SoA version referenced by the certification documentation.

How this differs by situation
  • certification body — Confirm current JASANZ accreditation and that ISO/IEC 27001 is within the body's accredited scope.
  • certificate verification — Verify status, legal entity, edition, sites and service scope through the JASANZ Register or issuer.
  • buyer interpretation — Treat the certificate as scoped management-system assurance, then examine service-specific security evidence and contractual responsibility.
PUT THIS IN YOUR CONTROLS, EXACTLY

Before appointing an ISO/IEC 27001 certification body, we verify its current JASANZ accreditation and accredited standard scope in the JASANZ Register. Before relying on any supplier certificate, we verify its status and confirm that the legal entity, service, sites and standard edition relevant to our use are within the certificate scope.

What documented information, competence, awareness and management review does ISO 27001 require?

ISO/IEC 27001 is an operating management system, not a binder of policies. Required and necessary documented information must be created, approved, controlled, available where needed and protected from inappropriate change or disclosure. A practical set includes the ISMS scope, security policy and objectives, risk-assessment and risk-treatment methods and results, the SoA, evidence of competence, monitoring and measurement results, internal-audit results, management-review results, corrective actions, and the records needed to show that controls and processes operate. The organisation must determine the competence needed for people whose work affects information-security performance, ensure that competence through education, training or experience, and retain appropriate evidence. People working under the organisation's control must be aware of the policy, their contribution and the consequences of not conforming. Internal audits test whether the ISMS conforms and is effectively implemented. Top management reviews the ISMS at planned intervals, considering changes, performance, audit and incident information, objectives, risks, opportunities and improvement needs. Review decisions should result in assigned actions, owners and due dates rather than meeting minutes with no follow-through.

How this differs by situation
  • documented information — Maintain controlled documents and retained evidence sufficient to operate the ISMS and demonstrate results.
  • competence and awareness — Define role-specific capability, close gaps and retain evidence; ensure personnel understand policy, contribution and consequences.
  • assurance and review — Run risk-based internal audits and planned management reviews that produce decisions and tracked improvements.
PUT THIS IN YOUR CONTROLS, EXACTLY

We create, approve, protect, retain and review the documented information needed to operate and evidence the ISMS. Role owners define required competence and retain evidence that it is met. All personnel receive relevant awareness and understand their responsibilities. Internal audits and management reviews occur to an approved programme, and every decision or nonconformity has an owner, due date and closure evidence.

What are the common ISO 27001 misconceptions?

ISO/IEC 27001 is not New Zealand law, and ISO does not issue certificates. Certification does not mean every Annex A control is implemented identically, because control necessity is determined through risk treatment and the SoA. It does not certify a piece of software in isolation, guarantee that a product has no vulnerability, replace penetration testing or prove that an organisation cannot be breached. It does not automatically cover every office, subsidiary, supplier or service: the certificate scope matters. A policy library is not enough; the organisation must operate the ISMS, retain evidence, audit it, review it and improve it. Conversely, excluding an Annex A control does not automatically mean nonconformity if the organisation has a defensible risk-based justification and has not omitted a necessary control. ISO alignment is not accredited certification, and a certificate from a non-accredited issuer should not be represented as JASANZ-accredited. Certification also does not replace Privacy Act 2020 IPP 5, breach notification, sector regulation or contract-specific duties. The constructive test is simple: understand the scope, verify the certificate, inspect the SoA and service evidence where appropriate, and judge whether the controls are effective for the actual risks.

How this differs by situation
  • scope misconception — A certificate covers the stated ISMS boundary, not automatically every product, entity, site or supplier.
  • control misconception — Annex A is a risk-treatment reference set; the SoA explains necessary controls and justified exclusions.
  • assurance misconception — Certification is independent management-system assurance, not immunity from incidents or proof of legal compliance.
PUT THIS IN YOUR CONTROLS, EXACTLY

We do not present ISO/IEC 27001 certification as a guarantee of product security, absence of incidents or legal compliance. Assurance statements identify the certificate status, issuer, accreditation, legal entity, standard edition, scope and relevant limitations. We supplement certification with risk-specific technical, privacy, supplier and contractual evidence.

What's my next step?

Common misconceptions

  • ISO/IEC 27001 certification is legally required for every New Zealand business. It is voluntary unless a specific law, contract, tender, licence or organisational commitment makes it applicable. INFERRED
  • ISO certifies organisations. ISO develops the standard; independent certification bodies conduct certification. VERIFIED
  • JASANZ certifies ordinary businesses. JASANZ accredits conformity-assessment bodies and does not itself provide the organisation's management-system certificate. VERIFIED
  • All 93 Annex A controls must be implemented in the same way by every organisation. Necessary controls are selected through risk treatment, and the SoA records inclusion, status and justified exclusions. VERIFIED
  • The Statement of Applicability is only a copied Annex A checklist. It must contain all necessary controls, including custom controls where used, together with required justifications and implementation status. VERIFIED
  • ISO/IEC 27001 certifies software as impossible to hack. Certification assesses an organisation's scoped ISMS and is not a product warranty or guarantee against incidents. INFERRED
  • A certificate automatically covers every subsidiary, site, product and supplier. Coverage is limited by the certified legal entity and stated ISMS scope. INFERRED
  • ISO alignment and accredited certification mean the same thing. An organisation may implement the standard without certification, while accredited certification is a separate conformity-assessment process. VERIFIED
  • A certificate proves compliance with New Zealand's Privacy Act. IPP 5 remains a separate, context-specific requirement for reasonable security safeguards. INFERRED
  • Passing the initial audit completes the work. ISO/IEC 27001 requires the ISMS to be maintained and continually improved. VERIFIED
  • The 2022 edition still contains the former 2013 structure of 114 controls in 14 domains. The current Annex A reference set contains 93 controls under four themes. VERIFIED
  • A certification logo is enough supplier due diligence. Buyers should verify accreditation, certificate status, legal entity and scope and then examine service-specific evidence and responsibilities. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
ISO/IEC 27001 clauses 4 to 10 when conformity is claimed Not a statutory regulator; conformity is assessed internally or by the appointed certification body The organisation claims conformity with ISO/IEC 27001 or has adopted a binding contractual or internal requirement to conform. Ongoing throughout the defined ISMS scope; clauses 4 to 10 cannot be excluded from a conformity claim.
Statement of Applicability for ISO/IEC 27001 conformity Not a statutory regulator; reviewed by internal and certification auditors The organisation implements or claims conformity with ISO/IEC 27001. Maintain as current documented information and update when risks, requirements, necessary controls or implementation status materially change.
Accredited ISO/IEC 27001 certification assessment JASANZ accredits the certification body; the certification body audits and certifies the organisation The organisation seeks or maintains JASANZ-accredited ISO/IEC 27001 certification. According to the agreed certification, surveillance and recertification programme and any corrective-action deadlines.
Privacy Act 2020 IPP 5 reasonable security safeguards Office of the Privacy Commissioner A New Zealand agency holds personal information. Ongoing while the information is held and whenever systems, suppliers, risks or handling arrangements change.
Contractual ISO/IEC 27001 or certification requirement Customer, contracting authority or other party entitled to enforce the agreement A tender, customer contract, supplier schedule or other binding agreement requires alignment, conformity or current certification for a stated scope. As stated in the contract, including notice of certificate suspension, withdrawal or material scope change where required. Contractual remedies may apply, depending on the agreement.
Notifiable privacy breach Office of the Privacy Commissioner A privacy breach has caused or is likely to cause serious harm. Notify the Commissioner and affected people as soon as practicable; the Office says it should ideally be notified within 72 hours after awareness of a notifiable breach. Failure without reasonable excuse to notify the Commissioner is an offence punishable by a fine up to NZD 10,000.

Sources

  1. ISO/IEC 27001:2022 — Information security management systems primary
  2. ISO/IEC 27002:2022 — Information security controls primary
  3. ISO Information Security and Privacy Compliance Package primary
  4. ISO certification and conformity assessment primary
  5. AS/NZS ISO/IEC 27001:2023 — joint Australian and New Zealand adoption primary
  6. ISO/IEC JTC 1/SC 27/WG 1 Auditing Practices Note — Statement of Applicability primary
  7. ISO/IEC JTC 1/SC 27/WG 1 Auditing Practices Note — Annex A primary
  8. Standards New Zealand primary
  9. JASANZ — What is accreditation? primary
  10. JASANZ — Accreditation or certification? primary
  11. JASANZ — ISO/IEC 17021-1 management-system certification primary
  12. JASANZ Register — Accredited bodies primary
  13. JASANZ Register — Certified organisations primary
  14. Privacy Act 2020 Principle 5 — Storage and security of information primary
  15. Office of the Privacy Commissioner — NotifyUs of a serious privacy breach primary
  16. Privacy Act 2020 primary
  17. NCSC Critical Controls: Summary primary
  18. NCSC Cyber Security Framework primary
  19. New Zealand Information Security Manual primary
  20. r/newzealand discussion of ISO 27001 scope and a New Zealand data breach forum
  21. r/newzealand discussion of continuing cyber-security investment forum
  22. r/newzealand discussion of the limits of security certification forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.