Home / Trust / ISO 27001 status

ISO 27001 status.

In progress. Target attainment H2 2026. The work is done. The badge is not yet issued. That distinction matters and we will not blur it.

Current state

The ISMS (Information Security Management System) is documented and operating. The Statement of Applicability covers all 93 Annex A controls from ISO/IEC 27001:2022.

Controls in place
71 of 93
Operating and evidenced as of May 2026
Controls in-flight
22 of 93
Planned or partially implemented · on track for audit
ISMS review cadence
Quarterly
Access reviews, policy versioning, and control evidence collection

The 22 in-flight controls span supplier management formalisation, physical security documentation for the co-working facility, and a subset of human resource security controls that require the second permanent hire. None of the in-flight controls affect the confidentiality, integrity, or availability controls protecting customer data today.

Auditor

Auditor selection is in progress. The accredited certification body is named in the briefing under NDA, alongside Stage 1 (documentation review) and Stage 2 (on-site assessment) dates. This page updates when both are public.

What “in progress” means

It does not mean the work has not been done. It means an external, accredited auditor has not yet certified that the work is what we say it is. That distinction matters and we will not blur it.

Until certification lands: the controls operate, the evidence is collected and version-controlled, the policies are published internally, and the access reviews run quarterly. The certificate will be published when issued. No badge before that point.

Adjacent programmes

APRA CPS 234. Alignment is documented. The incident classification model, control testing cadence, and board reporting on information security all follow CPS 234 guidance, reviewed at the same quarterly cadence as the ISMS.

SOC 2 Type II. In progress. The control base from ISO 27001 carries directly into the SOC 2 engagement; the two programmes are designed together to avoid duplicate evidence collection.

Privacy Act compliance. The Privacy Act 1988 (Cth) obligations, including the Notifiable Data Breaches scheme, are addressed in the ISMS and in the incident response plan at trust/incident-response.

See controls in action ahead of certification.

30 minutes. We walk you through the 71 controls in place today against a real workspace, and name which gaps fall inside the v1.1 evidence sprint vs the audit window. Bring your procurement security questionnaire.

Questions? Email hello@abrlabs.io to request the Statement of Applicability, the current control evidence pack, or to discuss certification timelines for a procurement process.