The Question Every Australian Business Owner Is Asking
If your business holds personal information about customers, employees, or partners, you are almost certainly covered by Australia's Notifiable Data Breaches (NDB) scheme. And if you have been exploring ISO 27001 certification, you have probably wondered whether the two are connected. Does getting certified actually help you meet your NDB obligations? Or are they completely separate things that just happen to share the words “data” and “security”?
The short answer is yes, ISO 27001 certification does help, and in some meaningful ways it helps quite a lot. But it is not a complete substitute for understanding and managing your NDB obligations directly. This article breaks down exactly where ISO 27001 adds value, where the gaps are, and what a practical approach looks like for an Australian business.
Understanding the Notifiable Data Breaches Scheme
The NDB scheme sits within the Privacy Act 1988 and has been in force since February 2018. It requires organisations covered by the Act to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs.
An eligible data breach is one that is likely to result in serious harm to one or more individuals whose personal information was involved. The assessment of “likely serious harm” is a genuine judgement call, and getting it wrong in either direction carries risk. Notify when you should not have, and you may cause unnecessary alarm. Fail to notify when you should have, and you face regulatory action and reputational damage.
Who Is Covered?
The NDB scheme applies to Australian Government agencies and private sector organisations with an annual turnover of more than $3 million. It also applies to certain smaller organisations regardless of turnover, including health service providers, tax file number recipients, and credit reporting bodies. If you are unsure whether your business is covered, the OAIC's NDB guidance is the right starting point.
What the Scheme Actually Requires
When a suspected eligible data breach occurs, your organisation must act quickly. You have 30 days to assess whether the breach is eligible. If it is, you must notify the OAIC and affected individuals as soon as practicable. The notification must include a description of the breach, the kinds of information involved, and the steps you recommend individuals take in response.
Beyond notification, the scheme expects organisations to have reasonable steps in place to protect personal information. That phrase “reasonable steps” is where ISO 27001 becomes directly relevant.
What ISO 27001 Actually Requires You to Do
ISO 27001 is the international standard for Information Security Management Systems (ISMS). If you are new to the standard, our beginner's guide to ISO 27001 covers the foundations in plain language.
At its core, the standard requires your organisation to identify information security risks, implement controls to address those risks, and continually improve your approach. The 2022 version of the standard includes 93 controls across four themes: organisational, people, physical, and technological.
Key Areas ISO 27001 Addresses
When you implement ISO 27001 properly, you are doing things like:
- Identifying what personal and sensitive information your organisation holds and where it lives
- Assessing the risks to that information from internal and external threats
- Implementing access controls so only the right people can reach sensitive data
- Establishing incident response procedures so your team knows what to do when something goes wrong
- Running regular internal audits to check your controls are actually working
- Training staff on information security responsibilities
- Managing third-party risks through supplier security requirements
These are not just checkbox activities. When implemented properly, they form a genuine system for protecting information and responding to incidents. That is directly relevant to your NDB obligations.
Where ISO 27001 Directly Supports NDB Compliance
Incident Detection and Response
One of the biggest practical challenges with the NDB scheme is that you cannot notify anyone about a breach you have not detected. Many Australian businesses have suffered breaches that went unnoticed for months. ISO 27001 requires you to establish information security incident management procedures, including how to detect, report, assess, and respond to incidents.
Control 5.24 in ISO 27001:2022 specifically addresses information security incident management planning and preparation. Control 5.25 requires assessment and decisions on information security events. These controls push you to build the internal capability to actually find out when something has gone wrong, which is the prerequisite for any NDB notification.
The 30-Day Assessment Clock
Once you suspect a breach, the 30-day assessment window starts. If you have an ISO 27001 ISMS in place, you already have documented procedures for assessing incidents. You have a team with defined roles. You have classification criteria for information assets. This means when the clock starts, you are not scrambling to figure out what data was involved or who needs to make decisions. You have a process.
Without that structure, 30 days disappears fast, particularly in smaller organisations where no one has clear ownership of the assessment process.
Demonstrating Reasonable Steps
The Privacy Act requires organisations to take “reasonable steps” to protect personal information. ISO 27001 certification is strong evidence that you have done exactly that. An accredited certification body has independently verified that your information security controls meet an internationally recognised standard. That is a far more credible position than simply asserting that you take security seriously.
In a regulatory investigation or enforcement action by the OAIC, being able to point to a current ISO 27001 certificate from an accredited certification body carries genuine weight. It does not guarantee immunity from findings, but it demonstrates a systematic and audited approach to security that self-assessment simply cannot match.
Risk Assessment as a Foundation
ISO 27001 mandates a formal risk assessment process. You identify threats to your information assets, assess the likelihood and impact of those threats materialising, and implement controls proportionate to the risk. This is exactly the kind of structured thinking that supports good privacy practice under the Australian Privacy Principles (APPs), particularly APP 11, which requires reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access.
If you want to understand how to approach this process without needing a technical background, our ISO 27001 risk assessment guide for non-technical business owners walks through it step by step.
Where ISO 27001 Does Not Cover You Completely
This is the part many consultants gloss over, so let me be direct. ISO 27001 certification does not make you NDB compliant. The two frameworks have different purposes, different scopes, and different requirements. Here is where the gaps sit.
ISO 27001 Is Not Privacy-Specific
ISO 27001 covers information security broadly. It protects confidentiality, integrity, and availability of all information, not just personal information. The NDB scheme is specifically about personal information and the privacy rights of individuals. These overlap significantly, but they are not the same thing.
For example, ISO 27001 does not require you to map your data flows specifically against the categories of personal information defined under the Privacy Act. It does not require you to assess breaches against the “likely serious harm” threshold used in the NDB scheme. Those are privacy-specific judgements that your ISMS alone will not make for you.
The Notification Obligation Is a Legal Requirement
ISO 27001 gives you an incident management process. It does not tell you when you are legally required to notify the OAIC. That determination requires understanding the Privacy Act, the NDB scheme, and how the OAIC interprets “eligible data breach.” Getting that wrong is a legal risk, not an information security gap.
This is why many organisations that hold significant personal information consider pairing ISO 27001 with ISO 27701, which is the privacy extension to ISO 27001. Our guide to ISO 27701 explains how the two standards work together and where ISO 27701 adds the privacy-specific layer that ISO 27001 alone does not provide.
Third-Party Breaches Are Still Your Problem
A significant number of data breaches in Australia involve third-party service providers, cloud platforms, and outsourced processing arrangements. ISO 27001 requires you to manage supplier security, but it does not guarantee your suppliers are themselves secure. If a cloud provider you use suffers a breach involving your customers' data, your NDB obligations are triggered regardless of your own certification status.
You need contracts with clear data breach notification requirements from suppliers, and you need to monitor those arrangements actively. ISO 27001 gives you the framework to do that, but the specific contractual and legal protections need to be put in place deliberately.
A Practical Approach for Australian Businesses
Use ISO 27001 as the Foundation
If you are starting from scratch, implementing ISO 27001 is one of the most effective things you can do to build genuine information security capability. It forces you to think systematically about your risks, document your controls, and test whether they are working. That foundation makes everything else easier, including NDB compliance.
The cost of ISO 27001 certification in Australia varies depending on your organisation size and complexity, but the investment is generally modest compared to the cost of a significant data breach, which can include OAIC enforcement action, legal costs, customer notification costs, and reputational damage.
Layer Privacy-Specific Controls on Top
Once your ISMS is in place, map your personal information assets against the Australian Privacy Principles. Document what personal information you hold, where it is stored, who can access it, and how it flows to third parties. Create a specific data breach response plan that addresses the NDB notification requirements, including who makes the eligibility assessment, who notifies the OAIC, and how affected individuals are contacted.
This does not have to be a massive separate project. If your ISO 27001 documentation is well structured, adding privacy-specific elements is incremental work, not a rebuild.
Test Your Incident Response
Many organisations have incident response procedures that look good on paper but fall apart under pressure. Run tabletop exercises that simulate a data breach scenario. Walk your team through the process: who gets called first, how do you assess whether personal information was involved, how do you determine likely serious harm, who makes the call on OAIC notification?
ISO 27001 requires you to test your controls, and your incident response procedures should be part of that testing. If you have not done this, it is one of the most valuable things you can do to prepare for an actual breach.
Get Legal Advice on Your NDB Obligations
ISO 27001 consultants and certification bodies are not lawyers. If you have genuine uncertainty about your NDB obligations, whether you are covered, how to assess eligible breaches, or what your notification content should include, get specific legal advice. The OAIC publishes detailed guidance, but complex situations often warrant professional input.
The Business Case in Plain Terms
Let me put this simply. If you hold personal information and you do not have ISO 27001 or an equivalent systematic approach to information security, you are exposed. Not just to data breaches, but to the regulatory and reputational consequences that follow them. The NDB scheme has real teeth, and the OAIC has shown it is willing to use them.
ISO 27001 certification does not make you bulletproof. No certification does. But it gives you a documented, audited, and internationally recognised system for protecting information. It builds the internal capability to detect and respond to incidents. And it gives you credible evidence that you took reasonable steps to protect personal information, which matters enormously if you ever face an OAIC investigation.
For most Australian businesses that handle personal information, the question is not really whether ISO 27001 helps with NDB obligations. It clearly does. The better question is whether you are implementing it properly or just collecting a certificate.
If you are considering ISO 27001 certification and want to compare quotes from verified consultants and accredited certification bodies, CertBetter makes that process straightforward. You submit one form and receive up to three competing quotes from vetted providers, at no cost to your business. It is a practical starting point for getting the right advice without the usual runaround.