About AI Workplace & Craig

Pre-audit consulting is where I work alongside your team to help you build, implement, and verify your compliance controls before a certification audit. Think of it as coaching — gap assessments, ISMS design, documentation support, and readiness verification. The goal is to get you audit-ready.

Certification audits are the independent assessment of your ISMS against the relevant ISO standard. As your Lead Auditor, I'm evaluating your controls objectively — I'm not there to help you fix things during the audit, I'm there to assess whether they work. This results in an audit report with findings and recommendations.

Critically, due to auditor independence requirements, I cannot provide both services for the same client on the same engagement.

This is a core requirement of audit integrity, rooted in ISO 19011:2018 and the broader assurance profession. If I helped you design and implement your ISMS, I can't then objectively assess it — there's an inherent conflict of interest. My certification and the value of your audit depend on that independence.

This is the same reason your external financial auditor can't also be your financial advisor. The separation protects the credibility of the outcome — your certification is worth more when it comes from an independent, unbiased assessment.

In practice: pick the service you need first. If you need help getting ready, start with consulting. If you're already confident in your ISMS and need a Lead Auditor, come to me for the audit. If you're not sure, reach out and we'll figure it out together.

I work with organisations across a wide range of sectors — professional services, healthcare, government contractors, financial services, technology companies, legal practices, SaaS providers, and managed service providers. The common thread is that they need credible ISO certification and someone who understands how IT actually works.

I'm based in Brisbane and work with organisations across Australia — both remotely and on-site depending on the engagement.

Information Security Management

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a framework for organisations to identify, manage, and reduce information security risks systematically.

Certification matters for several reasons: it demonstrates to customers and partners that you take data security seriously; it's increasingly required by procurement processes, government contracts, and supply chain agreements; and it gives your own leadership a structured way to manage security risk rather than reacting to incidents.

The current version is ISO 27001:2022, which significantly updated Annex A controls from the previous 2013 edition.

The audit itself (Stage 1 + Stage 2) typically spans two to five days of audit activity, depending on your organisation's size, scope, and complexity. A small professional services firm might complete both stages in two to three days; a larger organisation with complex infrastructure might require more.

Stage 1 is the documentation review — assessing whether your ISMS is designed appropriately. Stage 2 is the main audit, where we verify that your controls are actually implemented and operating effectively.

Between scoping, planning, and report delivery, expect the full process to run over three to six weeks. If significant nonconformities are found, there may be a follow-up period for remediation before certification is recommended.

It depends significantly on where you're starting from. Organisations with existing security controls and documentation in place might be ready in three to six months. Organisations starting from scratch typically need six to twelve months to build a compliant ISMS.

Factors that affect timeline include: how mature your existing controls are, how much internal resource you can dedicate to the project, the complexity of your scope, and whether you're pursuing ISO 27001 on its own or alongside other standards.

A gap assessment is the best place to start — it gives you a realistic picture of your current state and a practical roadmap to certification.

ISO 27001 certification is valid for three years, subject to annual surveillance audits. In years one and two, you'll have surveillance audits (typically shorter than the initial certification audit) to verify your ISMS remains effective and any nonconformities have been addressed.

In year three, you'll undergo a recertification audit — a full reassessment similar to the initial certification. The ongoing nature of certification is the point: it ensures your security posture is maintained, not just achieved once and forgotten.

I can assist with surveillance audit preparation, continuous improvement guidance, and recertification readiness as part of ongoing consulting engagements — as long as I haven't been your certifying auditor.

AI Management & Privacy

ISO 42001 is the international standard for Artificial Intelligence Management Systems (AIMS). Published in 2023, it provides a framework for organisations to govern AI responsibly — covering risk management, transparency, accountability, and the ethical use of AI systems.

It's relevant to any organisation that develops AI products, deploys AI tools as part of its services, or uses AI in significant operational processes. As AI regulation increases globally (including Australia's evolving AI governance framework), ISO 42001 certification is likely to become a procurement and compliance expectation.

Even if you're not planning certification immediately, the standard provides a useful governance framework for managing AI risks now.

ISO 27701 is the Privacy Information Management System (PIMS) standard — a privacy extension built on top of ISO 27001. It adds privacy-specific controls to your information security management system, covering how you collect, process, store, and protect personal information.

While ISO 27701 is mapped primarily to GDPR, there's significant alignment with the Australian Privacy Act 1988 and the Australian Privacy Principles. Certification provides a structured, auditable way to demonstrate privacy compliance to customers, partners, and regulators.

ISO 27701 requires an existing ISO 27001 certification (or simultaneous certification). It can be pursued at the same time as ISO 27001 or as an extension afterwards. The 2025 edition of ISO 27701 is the current version I specialise in.

ASD Essential Eight Maturity Model

The Essential Eight is a set of eight cyber security mitigation strategies published by the Australian Signals Directorate (ASD). They're designed to protect against the most common cyber threats, and are assessed against a four-level maturity model (Maturity Level 0 through 3).

For Australian government agencies and many government contractors, compliance with the Essential Eight is mandatory. It's also increasingly required by supply chain and procurement requirements in the private sector.

The eight strategies are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. I conduct maturity assessments across all eight, with a detailed report on your current maturity level and remediation priorities.

Working With AI Workplace

My specialist certifications and practice are focused on ISO 27001, ISO 42001, ISO 27701, and the ASD Essential Eight. These are where I have the deepest expertise and formal certification.

If you have a need outside these standards, I'm happy to have a conversation — depending on the standard, I may be able to assist or refer you to someone better placed.

Both. Most consulting engagements can be conducted entirely remotely — workshops, document reviews, and advisory sessions work well via video call. For certification audits, I can conduct Stage 1 (documentation review) remotely and may conduct Stage 2 on-site depending on your scope and location.

I'm based in Brisbane but work with organisations across Australia. Travel arrangements for on-site work outside southeast Queensland are factored into the engagement scope.

Typically I can have an initial discovery call within a few days of first contact and a proposal to you within one to two weeks. Actual engagement start dates depend on my current schedule and your availability.

If you have a specific timeline pressure — an upcoming contract requirement, a customer deadline, or a self-imposed target date — let me know upfront and I'll be honest about whether it's achievable.

Genuinely good question. The business name reflects an interest in the intersection of AI governance, workplace technology, and the emerging compliance landscape around AI — particularly relevant to ISO 42001. It's also a nod to the fact that technology and AI are reshaping how organisations work, and compliance frameworks need to keep up.

The core services are information security and compliance — ISO 27001 is the foundation. ISO 42001 is an increasingly important speciality given how rapidly organisations are adopting AI tools.

Still Have Questions?

If something isn't covered here, the best thing to do is get in touch. A 30-minute conversation will usually answer everything.
