Current state
The ISMS (Information Security Management System) is documented and operating. The Statement of Applicability covers all 93 Annex A controls from ISO/IEC 27001:2022.
The 22 in-flight controls span supplier management formalisation, physical security documentation for the co-working facility, and a subset of human resource security controls that require the second permanent hire. None of the in-flight controls affect the confidentiality, integrity, or availability controls protecting customer data today.
Auditor
Auditor selection is in progress. The accredited certification body is named in the briefing under NDA, alongside Stage 1 (documentation review) and Stage 2 (on-site assessment) dates. This page updates when both are public.
What “in progress” means
It does not mean the work has not been done. It means an external, accredited auditor has not yet certified that the work is what we say it is. That distinction matters and we will not blur it.
Until certification lands: the controls operate, the evidence is collected and version-controlled, the policies are published internally, and the access reviews run quarterly. The certificate will be published when issued. No badge before that point.
Adjacent programmes
APRA CPS 234. Alignment is documented. The incident classification model, control testing cadence, and board reporting on information security all follow CPS 234 guidance, reviewed at the same quarterly cadence as the ISMS.
SOC 2 Type II. In progress. The control base from ISO 27001 carries directly into the SOC 2 engagement; the two programmes are designed together to avoid duplicate evidence collection.
Privacy Act compliance. The Privacy Act 1988 (Cth) obligations, including the Notifiable Data Breaches scheme, are addressed in the ISMS and in the incident response plan at trust/incident-response.
See controls in action ahead of certification.
30 minutes. We walk you through the 71 controls in place today against a real workspace, and name which gaps fall inside the v1.1 evidence sprint vs the audit window. Bring your procurement security questionnaire.
Questions? Email hello@abrlabs.io to request the Statement of Applicability, the current control evidence pack, or to discuss certification timelines for a procurement process.