Why Information Security Is a Serious Issue for Charities
Most charities and non-profit organisations do not think of themselves as targets for cybercriminals. That assumption is one of the most dangerous things a charity can believe. The reality is that charitable organisations hold some of the most sensitive personal data in existence: donor payment details, beneficiary health records, vulnerable client case notes, volunteer background checks, and financial account information. All of it is valuable, and much of it is poorly protected.
ISO 27001 certification for charities is not a concept that gets talked about nearly enough. The standard is usually discussed in the context of technology companies, financial services firms, or government contractors. But the threat landscape for non-profits is just as serious, and in some ways more so, because charities often operate with smaller IT budgets, less experienced staff, and a culture that prioritises mission delivery over internal systems management.
This article is written for charity executives, board members, and operations managers who want to understand what ISO 27001 actually involves, why it matters for their organisation specifically, and how to go about getting certified without blowing a year of operational budget on consultants.
What ISO 27001 Actually Is
ISO 27001 is the internationally recognised standard for Information Security Management Systems, commonly referred to as an ISMS. It was developed by the International Organization for Standardization and specifies a framework for identifying information security risks, implementing controls to address those risks, and continually improving your security posture over time.
The current version is ISO 27001:2022, which updated the previous 2013 edition with a restructured set of controls and a stronger emphasis on threat intelligence and cloud security. If you want a solid grounding in the standard before reading further, the ISO 27001 beginner's guide on this site covers the structure and key requirements in plain language.
Certification means an accredited third-party certification body has audited your ISMS and confirmed it meets the requirements of the standard. It is not a self-declaration. It is not a checklist you tick off and frame on the wall. It is an ongoing commitment that requires surveillance audits every year and a full recertification audit every three years.
The Real Risks Facing Charities and Non-Profits
Donor Data Breaches
Your donors trust you with their financial information. Credit card numbers, bank account details, and recurring payment mandates sit inside your CRM, your payment gateway, and often in email threads that have never been cleaned up. A breach of donor data does not just expose individuals to financial harm. It destroys the trust that your organisation has spent years building, and in a sector where trust is the primary currency, that damage can be existential.
Beneficiary and Client Confidentiality
Many charities work with highly vulnerable populations: people experiencing domestic violence, individuals with mental health conditions, children in out-of-home care, asylum seekers, and others whose personal circumstances require strict confidentiality. If that information is compromised, the consequences go well beyond reputational damage. People can be physically harmed. Legal liability can follow.
Ransomware and Phishing Attacks
Non-profits are increasingly targeted by ransomware attacks precisely because their defences tend to be weaker. A single phishing email to a volunteer who has not received security awareness training can give an attacker access to your entire network. The Australian Cyber Security Centre consistently reports that small and medium organisations, including non-profits, are among the most affected by ransomware incidents in Australia.
Third-Party and Grant Funding Requirements
Government funding bodies and large corporate donors are increasingly requiring their grantees and partners to demonstrate information security maturity. If your organisation relies on government contracts or seeks partnerships with larger corporates, ISO 27001 certification is becoming a practical prerequisite rather than a nice-to-have.
Why ISO 27001 Is Particularly Suited to the Non-Profit Sector
Some organisations in the charity sector wonder whether a standard designed for commercial enterprises can really apply to them. It absolutely can, and here is why.
ISO 27001 is built around a risk-based approach. You identify the information assets that matter to your organisation, assess the risks to those assets, and implement controls proportionate to those risks. There is no requirement to implement every possible security control. You implement what is relevant to your context. That makes the standard highly adaptable to smaller organisations with limited resources.
The standard also requires you to define the scope of your ISMS. A charity can scope its certification to cover specific functions, such as donor management and financial processing, rather than attempting to certify every aspect of its operations in one go. This makes the initial certification far more achievable.
Understanding how to define that scope correctly is important. The concepts covered in the guide to determining the scope of management systems apply directly to how you would approach scoping an ISMS for a non-profit.
What ISO 27001 Certification Involves for a Charity
Step 1: Understand Your Information Assets
The first practical step is compiling an information asset register. This means identifying every type of information your organisation holds, where it is stored, who has access to it, and how it flows through your systems. For a charity, this typically includes donor records, beneficiary files, employee and volunteer data, financial records, grant documentation, and communications.
This exercise is often eye-opening. Most organisations discover they are holding far more sensitive data than they realised, in far more places than they expected, with far fewer controls than they thought they had.
Step 2: Conduct a Risk Assessment
Once you know what information you hold, you assess the risks to that information. What could go wrong? How likely is it? What would the impact be? ISO 27001 does not prescribe a specific risk assessment methodology, but it does require you to use a consistent, documented approach. For charities with limited in-house expertise, this is often where an experienced consultant adds the most value.
If you want to understand this process in more depth before engaging anyone, the ISO 27001 risk assessment guide for non-technical business owners is worth reading. It explains the process in plain English without assuming any technical background.
Step 3: Select and Implement Controls
ISO 27001:2022 includes Annex A, which contains 93 controls across four categories: organisational, people, physical, and technological. You do not need to implement all 93. You produce a Statement of Applicability that documents which controls are relevant to your organisation, which you have implemented, and why you have excluded any that are not applicable.
For a charity, relevant controls typically include access control policies, staff security awareness training, incident response procedures, backup and recovery processes, supplier security requirements, and physical security for office premises. Many of these controls are straightforward to implement and do not require significant technology investment.
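As an added illustration of Steps 1 to 3 (not part of the original article and not a prescribed ISO method), the following script holds a constructed asset register for a small charity, scores each risk on an assumed 1 to 5 likelihood and impact scale with an assumed treatment threshold of 10, and derives a simple Statement of Applicability from the risks that need treatment. The Annex A control references are from ISO 27001:2022; the scale, threshold and sample data are choices made here.

```python
"""Constructed charity risk register: asset -> threat -> scored risk -> control.

Assumes a 1-5 likelihood x 1-5 impact scale and a treatment threshold of 10.
ISO 27001 prescribes neither; it only requires a consistent, documented method."""
from dataclasses import dataclass

THRESHOLD = 10  # risks scoring >= this must be treated; lower ones may be accepted

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe, e.g. harm to a vulnerable client)
    controls: tuple   # Annex A controls chosen to treat the risk

    def score(self) -> int:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact

# Constructed sample register for a small charity (not real data).
REGISTER = [
    Risk("Donor payment records (CRM)", "Credential phishing of a volunteer", 4, 5,
         ("6.3 Awareness training", "5.15 Access control")),
    Risk("Beneficiary case notes", "Laptop lost or stolen", 3, 5,
         ("8.24 Use of cryptography", "7.10 Storage media")),
    Risk("Finance system", "Ransomware encrypts the file server", 3, 4,
         ("8.13 Information backup", "5.24 Incident management planning")),
    Risk("Office noticeboard", "Visitor reads the volunteer roster", 2, 1,
         ("7.1 Physical security perimeters",)),
]

# Subset of Annex A used for the worked Statement of Applicability.
ANNEX_A_SUBSET = ["5.15 Access control", "6.3 Awareness training",
                  "8.13 Information backup", "7.1 Physical security perimeters"]

def treatment_plan(register):
    """Return the risks that exceed the threshold, highest score first."""
    needs = [r for r in register if r.score() >= THRESHOLD]
    return sorted(needs, key=lambda r: r.score(), reverse=True)

def statement_of_applicability(register, annex_a):
    """Mark each control Applicable (listing the assets whose treated risks
    justify it) or Excluded with a recorded justification. In this toy model
    only risk treatment justifies a control; real SoAs also cite legal and
    contractual drivers."""
    soa = {}
    for ctrl in annex_a:
        just = [r.asset for r in register if ctrl in r.controls and r.score() >= THRESHOLD]
        soa[ctrl] = ("Applicable", just) if just else ("Excluded", ["no treated risk requires it"])
    return soa
```

Running `treatment_plan(REGISTER)` lists the three risks above the threshold (scores 20, 15 and 12) and leaves the noticeboard risk (score 2) as accepted, so its physical-perimeter control is recorded as excluded with a justification rather than silently dropped.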
Step 4: Document Your ISMS
ISO 27001 requires documented information to support the operation of your ISMS. This includes an information security policy, risk assessment records, the Statement of Applicability, procedures for key processes, and records of monitoring and review activities. The documentation does not need to be voluminous. It needs to be accurate, current, and actually used.
Step 5: Operate and Monitor the System
Before you can be certified, you need to demonstrate that your ISMS has been operating for a meaningful period, typically at least three months. This means running internal audits, conducting a management review, and responding to any security incidents or near-misses that occur during that period. This operational evidence is what auditors look for during the certification audit.
Step 6: Stage 1 and Stage 2 Certification Audits
The certification process involves two audit stages. The Stage 1 audit is a documentation review where the auditor assesses whether your ISMS is designed correctly and whether you are ready for the full audit. The Stage 2 audit is an on-site assessment where the auditor verifies that your ISMS is actually being implemented as documented.
If you want to understand what to expect from each audit stage, the articles on preparing for a Stage 1 readiness audit and preparing for a Stage 2 certification audit cover the specifics in detail.
How Long Does ISO 27001 Certification Take for a Non-Profit?
For a small to medium charity, a realistic timeframe from starting implementation to receiving your certificate is six to twelve months. The main variables are the size and complexity of your organisation, how much security infrastructure you already have in place, and how much internal resource you can dedicate to the project.
Organisations that try to rush the process often end up with a system that exists on paper but has not been properly embedded into day-to-day operations. Auditors can tell the difference. A system that looks good in documents but shows no evidence of real operation will generate nonconformances that delay certification and add cost.
For a more detailed breakdown of the timeline, the article on how long ISO 27001 certification takes covers the factors that influence duration and how to plan realistically.
What Does ISO 27001 Certification Cost for a Charity?
Cost is always a sensitive topic for non-profits. The honest answer is that the total cost depends on the size of your organisation, the scope of your ISMS, whether you use a consultant, and which certification body you choose.
As a rough guide, a small charity with fewer than 50 staff could expect to spend between $15,000 and $40,000 in total to achieve certification, covering consultant fees, internal staff time, any technology improvements required, and the certification body audit fees. Larger organisations with more complex environments will spend more.
There are ways to reduce cost without cutting corners. Scoping your ISMS tightly in the first instance, using a consultant who specialises in non-profits or smaller organisations, and choosing a certification body that is appropriately sized for your organisation all make a difference. The detailed breakdown in the article on ISO 27001 certification costs in Australia gives you realistic figures to work with when building your budget.
It is also worth checking whether your organisation may be eligible for any government support. The article on government grants for ISO certification in Australia outlines what is available and how to access it.
Choosing the Right Consultant and Certification Body
This is where many charities go wrong. They either try to do everything themselves without sufficient expertise, or they engage the first consultant who contacts them without doing proper due diligence.
For a non-profit, you want a consultant who has genuine experience with ISO 27001 in organisations of similar size and complexity. Someone who has only worked with large enterprises will not understand the resource constraints, governance structures, and operational realities of a charity environment. Ask specifically about their non-profit or public sector experience.
You also want a certification body that is accredited by a recognised national accreditation body. In Australia, that means accreditation by JAS-ANZ. An unaccredited certificate may not be accepted by government funders or corporate partners, which defeats much of the purpose of getting certified in the first place.
The most common mistake charities make is choosing based purely on price. A cheap certification process that produces a certificate not recognised by your key stakeholders is money wasted. The articles on why cheap ISO certification is bad for your business and how to spot red flags when choosing a certification partner are worth reading before you make any commitments.
The Ongoing Commitment After Certification
Getting certified is not the end of the process. ISO 27001 certification requires annual surveillance audits and a full recertification audit every three years. You also need to maintain your ISMS continuously, which means running internal audits, conducting management reviews, updating your risk assessment when things change, and responding to security incidents.
For charities with limited staff, the ongoing maintenance burden is a real consideration. The best way to manage it is to build the ISMS into your normal operational routines rather than treating it as a separate compliance project. When information security becomes part of how your organisation operates rather than something you do for the auditor, the maintenance effort drops significantly and the security benefits become real rather than theoretical.
The Reputational and Funding Benefits
Beyond the direct security benefits, ISO 27001 certification sends a clear signal to donors, beneficiaries, government funders, and corporate partners that your organisation takes data protection seriously. In a sector where public trust is everything, that signal has genuine value.
Increasingly, government grant programs and corporate partnership agreements include data security requirements. Having ISO 27001 certification means you can respond to those requirements with evidence rather than assurances. That competitive advantage in funding applications is difficult to quantify but very real.
Larger charities that work with corporate partners or government agencies often find that certification opens doors that were previously closed. It removes a barrier that was quietly causing potential partners to look elsewhere.
Getting Started
If you are a charity or non-profit considering ISO 27001 certification, the best first step is an honest internal assessment of your current information security posture. What data do you hold? Where does it live? Who has access? What would happen if it were compromised?
That exercise alone will tell you a great deal about the gap between where you are and where you need to be. From there, you can make an informed decision about whether to engage a consultant, how to scope your ISMS, and what timeline and budget are realistic for your organisation.
If you want to compare quotes from experienced ISO 27001 consultants and certification bodies without spending weeks on research, CertBetter makes that process straightforward. You submit one form and receive up to three competing quotes from vetted providers, all at no cost to your organisation. For a charity trying to get the best outcome from a limited budget, that kind of structured comparison is worth doing before you commit to anything.