Trust Center
ISO 27001 posture
Last reviewed: 2026-05-25
Status, plainly
Compliance Care is not yet certified to ISO/IEC 27001:2022.
We operate against the ISO 27001:2022 control framework with internal self-assessment. Third-party certification through a JAS-ANZ-accredited certification body is scheduled for Year 2 (calendar 2028) of the operating plan, once the customer base and engineering surface are stable enough to justify the cost and discipline of a full ISMS audit cycle.
We do not, and will not, describe Compliance Care as "ISO 27001 certified" or "ISO 27001 compliant" until a JAS-ANZ-accredited certification body has issued a current certificate. This is the same discipline we apply to claims about our NDIS-provider customers.
What this means today
We have:
- An Information Security Management System (ISMS) scope statement covering the Compliance Care application, its supporting infrastructure, the engineering and operations workflow, and the supplier-management process for our sub-processors.
- A risk register, reviewed at minimum quarterly, with risks rated and owned.
- A Statement of Applicability mapped to Annex A of ISO/IEC 27001:2022 (93 controls). Each control is marked as applicable / not applicable with a reason, and applicable controls reference the operating evidence.
- Documented information-security policies covering: access control, cryptography, supplier security, secure development, incident management, business continuity, and acceptable use.
- Internal audit cadence: at minimum one full internal audit cycle per year against the SoA, with findings tracked to closure.
- Management review cadence: at minimum quarterly.
What this does not mean today
- A current certificate from a JAS-ANZ-accredited certification body. We do not have one and we do not represent that we do.
- Independent assurance over the operating effectiveness of every control. Self-assessment is by definition not third-party.
Path to certification
| Milestone | Target |
|---|---|
| ISMS scope statement and Statement of Applicability published internally | Live. |
| First full internal audit cycle complete with findings closed | 2027 calendar year. |
| Stage 1 audit by JAS-ANZ-accredited body | First half of 2028. |
| Stage 2 audit by JAS-ANZ-accredited body | Second half of 2028. |
| Certificate issued | Targeted late 2028. |
| Surveillance audits | Annual thereafter, recertification at year 3. |
These dates are targets, not commitments. If the date moves, this page is updated within the same week, with the reason.
Related
- APP 1–13 mapping (Australian Privacy Principles). Internal:
docs/security/app-mapping.md. Required artefact for production. - Sub-processor list. Sub-processors.
- Incident response. NDB and incident response.
- Impartiality and conflict of interest (separate concern, not part of the ISMS scope). See
/trust.
Change log
| Date | Change |
|---|---|
| 2026-05-25 | Initial publication. Third-party certification target: late 2028. |
