ISO 27001 vs Australian Privacy Act: Key Differences and How They Overlap

CertBetter

Team CertBetter


Why Australian Businesses Need to Understand Both

If you handle personal information in Australia, you are almost certainly dealing with two separate but related frameworks at the same time. ISO 27001 is an international standard for information security management, and the Australian Privacy Act 1988 is domestic legislation that governs how personal information is collected, used, and disclosed. Many businesses assume that achieving one automatically satisfies the other. That assumption can get you into serious trouble.

This article breaks down what each framework actually requires, where they genuinely overlap, and where they diverge in ways that matter. Whether you are preparing for ISO 27001 certification or trying to build a compliance programme that satisfies both your auditors and the Office of the Australian Information Commissioner (OAIC), this guide will give you a clear picture of what you are working with.

A Quick Overview of Each Framework

What ISO 27001 Actually Is

ISO 27001 is a globally recognised standard published by the International Organization for Standardization. It specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard takes a risk-based approach: you identify your information security risks and then apply controls proportionate to those risks.

The current version is ISO 27001:2022, which includes Annex A with 93 controls organised into four themes: organisational, people, physical, and technological. Certification is voluntary but increasingly expected by enterprise clients, government procurement panels, and supply chain partners. You can read more about what ISO 27001 certification costs in Australia if you are at the early planning stage.

What the Australian Privacy Act Covers

The Privacy Act 1988 is federal legislation administered by the OAIC. It applies to Australian Government agencies and to private sector organisations with an annual turnover above $3 million, as well as certain smaller organisations in specific sectors such as health services, credit reporting, and tax file number handling. The Act contains 13 Australian Privacy Principles (APPs) that govern the entire lifecycle of personal information, from collection through to disposal.

The Privacy Act has undergone significant reform activity in recent years. The Privacy Act Review Report recommended substantial changes, and amendments continue to be introduced that expand obligations, increase penalties, and strengthen individual rights. If you have not reviewed your obligations recently, the landscape has shifted considerably from even a few years ago.

The Core Differences Between ISO 27001 and the Privacy Act

Nature: Standard vs Law

This is the most fundamental difference and it shapes everything else. ISO 27001 is a voluntary standard. No law in Australia requires you to be certified to it, though certain contracts and tenders may make it a condition of doing business. The Privacy Act, on the other hand, is legislation. Non-compliance is not a matter of failing an audit. It can result in civil penalties, regulatory action by the OAIC, enforceable undertakings, and reputational damage from mandatory data breach notifications.

The practical implication is that ISO 27001 certification gives you a framework and a certificate. The Privacy Act gives you obligations and, if you breach them, consequences. Treating them as equivalent in terms of urgency is a mistake many businesses make.

Scope of Coverage

ISO 27001 covers all information assets, not just personal information. That includes intellectual property, financial data, operational data, system configurations, and anything else your organisation identifies as having value and requiring protection. The standard is deliberately broad because information security risks extend well beyond privacy.

The Privacy Act is narrowly focused on personal information, which is defined as information or an opinion about an identified individual or an individual who is reasonably identifiable. It does not concern itself with protecting your trade secrets or your server infrastructure, except to the extent that those things house personal information.

Who Must Comply

ISO 27001 applies to any organisation that chooses to pursue certification. There are no mandatory thresholds. A sole trader could theoretically certify, though it would be unusual. The standard is sector-agnostic and geography-agnostic.

The Privacy Act has specific applicability thresholds. The $3 million annual turnover threshold means many small businesses are technically exempt, though proposed reforms have pushed toward removing or reducing that threshold. Certain categories of organisations are covered regardless of turnover. If you are unsure whether the Act applies to your business, the OAIC website has guidance, but a legal or compliance professional should confirm your position given the reform environment.

How Compliance Is Measured

ISO 27001 compliance is assessed through a formal certification audit conducted by an accredited certification body. The audit follows a defined process including a Stage 1 documentation review and a Stage 2 on-site or remote assessment. You either receive certification or you do not, and the certificate is valid for three years subject to annual surveillance audits.

Privacy Act compliance is not assessed through a formal certification process. The OAIC can investigate complaints, conduct assessments, and take regulatory action. There is no equivalent to a surveillance audit unless the OAIC initiates one. Compliance is largely self-managed, which means many organisations do not discover gaps until a complaint is lodged or a data breach occurs.

Where ISO 27001 and the Privacy Act Genuinely Overlap

Despite their differences, there is meaningful overlap between the two frameworks, particularly around the handling of personal information. Understanding where they align helps you build a compliance programme that serves both purposes without duplicating effort unnecessarily.

Data Security and Protection

Both frameworks require that personal information be protected from unauthorised access, disclosure, alteration, and loss. APP 11 specifically requires entities to take reasonable steps to protect personal information from misuse, interference, and loss. ISO 27001 addresses this through multiple Annex A controls covering access management, encryption, physical security, and incident management.

If you have implemented ISO 27001 controls properly, you will have gone a long way toward satisfying APP 11. The key word is “properly.” ISO 27001 certification tells you that you have a documented system. It does not automatically guarantee that every control is operating effectively at the level the Privacy Act requires.

Data Breach Response

The Notifiable Data Breaches (NDB) scheme under the Privacy Act requires notification of eligible data breaches to the OAIC and to affected individuals when a breach is likely to result in serious harm. ISO 27001 Annex A Controls 5.24 through 5.28 cover information security incident management, including response procedures, escalation, and learning from incidents.

A well-implemented ISMS will include an incident response plan that can be adapted to meet NDB obligations. The overlap here is practical and significant. Organisations with ISO 27001 certification are generally better positioned to detect, contain, and notify breaches within the required timeframes than those without any formal incident management process.

Third Party and Supplier Management

APP 8 addresses cross-border disclosure of personal information, and APP 11 extends to information handled by third parties on your behalf. ISO 27001 Annex A Controls 5.19 through 5.22 cover supplier relationships, including security requirements in supplier agreements and monitoring of supplier service delivery.

Both frameworks push you toward having clear contractual terms with third parties who handle your data, conducting due diligence before engaging them, and monitoring their ongoing compliance. If you are using cloud services, offshore processing, or outsourced IT support, both frameworks require you to have addressed those relationships formally.

Data Retention and Disposal

APP 11.2 requires that personal information no longer needed for its original purpose be destroyed or de-identified. ISO 27001 Annex A Control 8.10 covers information deletion, requiring that information stored on systems be deleted when no longer required. The intent of both requirements is aligned, though the Privacy Act is specifically focused on personal information while ISO 27001 applies to all information assets.

Access Control and Minimum Necessary Access

The Privacy Act does not contain an explicit access control requirement in the same technical sense as ISO 27001, but APP 6 limits the use and disclosure of personal information to the purpose for which it was collected. This principle of purpose limitation maps reasonably well to the ISO 27001 principle of need-to-know access, which is embedded in multiple Annex A controls around identity and access management.

Where They Diverge in Ways That Catch Businesses Off Guard

Consent and Collection Limitations

The Privacy Act contains detailed requirements around how personal information is collected, including requirements to notify individuals at the time of collection (APP 5), to collect only information that is reasonably necessary (APP 3), and to obtain consent in certain circumstances. ISO 27001 has nothing equivalent to these requirements. The standard is not concerned with whether you should have collected the data in the first place. It is concerned with protecting whatever data you hold.

This gap catches businesses off guard. You can have a perfectly functioning ISMS and still be in breach of the Privacy Act because you collected more information than you needed, failed to provide a collection notice, or used information for a purpose beyond what was disclosed.

Individual Rights

The Privacy Act gives individuals rights to access their personal information (APP 12) and to correct inaccurate information (APP 13). These are positive obligations on your organisation to respond to individual requests within a reasonable timeframe. ISO 27001 does not address individual rights in this sense at all. The standard is focused on your organisation's security posture, not on the rights of the people whose data you hold.

If you receive a subject access request or a correction request and your ISMS does not have a process for handling it, you have a Privacy Act gap that ISO 27001 will never fill.

Cross-Border Data Flows

APP 8 imposes specific requirements before personal information can be disclosed to overseas recipients, including ensuring the recipient is subject to a law that provides substantially similar protections. ISO 27001 addresses cross-border data transfers through its supplier management controls, but the standard does not impose the same legal accountability framework as APP 8. Under APP 8, your organisation remains accountable for breaches by the overseas recipient unless specific exceptions apply.

ISO 27701: The Bridge Between the Two Frameworks

If you are trying to address both ISO 27001 and Privacy Act obligations within a single management system, ISO 27701 is worth serious consideration. ISO 27701 is a privacy extension to ISO 27001 that adds requirements and guidance for a Privacy Information Management System (PIMS). It maps directly onto the Australian Privacy Principles and provides a structured way to address privacy obligations within your existing ISMS framework.

You can read a detailed breakdown in our practical guide to ISO 27701. Implementing ISO 27701 alongside ISO 27001 does not guarantee Privacy Act compliance, but it significantly reduces the gap and gives you documented evidence of your privacy controls, which is valuable if the OAIC ever investigates your organisation.

Building a Compliance Programme That Covers Both

Start With a Gap Analysis

Before you try to build anything, map your current practices against both frameworks simultaneously. Identify where you have controls that satisfy both, where you have controls that satisfy one but not the other, and where you have gaps in both. This exercise is more useful than treating ISO 27001 and the Privacy Act as separate workstreams.

Align Your Privacy Policy With Your ISMS

Your privacy policy is a legal document that describes your collection, use, and disclosure practices. Your ISMS documentation describes your security controls. In many organisations these exist in separate silos managed by different teams. Bringing them into alignment does not mean merging them, but it does mean ensuring they are consistent and that the people responsible for each are talking to each other.

Build Your Incident Response to Satisfy Both

Design your data breach response procedure to meet NDB scheme requirements from the outset, not as an afterthought. Your ISO 27001 incident management process should include a step that assesses whether a security incident constitutes an eligible data breach under the Privacy Act, triggers the notification workflow if required, and documents the outcome. This is one area where a small amount of additional design effort creates significant compliance value.

Train Your People on Both Frameworks

ISO 27001 requires competence and awareness training for people whose work affects information security. Use that training requirement as an opportunity to also cover Privacy Act obligations. Staff who understand why they are protecting data, not just how, tend to make better decisions when they encounter situations that fall outside documented procedures. You can learn more about building an ISO training matrix for your team to structure this effectively.

Document Your Compliance Evidence

Both frameworks benefit from strong documentation. ISO 27001 requires it explicitly. The Privacy Act does not prescribe documentation formats, but documented evidence of your compliance efforts is your best defence if the OAIC investigates. Treat your ISMS documentation as a foundation and extend it to capture privacy-specific evidence such as privacy impact assessments, collection notices, consent records, and subject access request logs.

Practical Advice for Australian Businesses

If you are a business that is subject to the Privacy Act and considering ISO 27001 certification, here is the honest picture. ISO 27001 will do a lot of the heavy lifting on the security side of your privacy obligations. It will not, on its own, make you Privacy Act compliant. You need to address the collection, consent, individual rights, and cross-border disclosure requirements separately.

If you are already ISO 27001 certified and have not reviewed your Privacy Act obligations recently, do that review now. The reform environment means your obligations may have changed since you last looked. The penalty regime has been significantly strengthened, with serious or repeated interferences now attracting civil penalties of up to $50 million or more depending on the circumstances.

If you are starting from scratch and want to build a compliance programme that addresses both, consider engaging a consultant who has genuine experience in both information security management systems and Australian privacy law. These are different disciplines and not every ISO 27001 consultant will have the privacy law background to bridge the gap effectively. Our guide on how to select the best ISO consultant can help you ask the right questions before you engage anyone.

CertBetter connects Australian businesses with verified ISO 27001 consultants and accredited certification bodies. If you are looking to get competing quotes from providers who understand both the standard and the Australian compliance context, you can submit one form and receive up to three quotes at no cost. It is a practical way to understand your options without spending hours researching providers individually.


Frequently Asked Questions

No, ISO 27001 certification does not equal Privacy Act compliance. ISO 27001 addresses information security controls broadly, while the Privacy Act imposes specific legal obligations around how personal information is collected, used, disclosed, and managed. There is meaningful overlap in areas like data security and breach response, but the Privacy Act also requires things like collection notices, consent management, individual access rights, and cross-border disclosure controls that ISO 27001 does not cover. You need to address both frameworks separately, though implementing ISO 27001 well will reduce the gap considerably.

The Privacy Act 1988 applies to Australian Government agencies and to private sector organisations with an annual turnover above $3 million. It also applies to certain smaller organisations regardless of turnover, including health service providers, businesses that trade in personal information, credit reporting bodies, and organisations that handle tax file number information. Proposed reforms have recommended lowering or removing the turnover threshold, so businesses that are currently exempt should monitor legislative developments closely.

ISO 27701 is a privacy extension to ISO 27001 that adds requirements for a Privacy Information Management System. It provides guidance that maps to privacy principles including those in the Australian Privacy Act, covering areas like privacy by design, data subject rights, and consent management. Implementing ISO 27701 alongside ISO 27001 gives you a structured framework for addressing privacy obligations within your existing management system. It does not guarantee Privacy Act compliance, but it significantly reduces gaps and provides documented evidence of your privacy controls.

Yes, the requirements differ. ISO 27001 requires you to have an incident management process that detects, responds to, and learns from information security incidents. The Privacy Act goes further through the Notifiable Data Breaches scheme, which requires eligible data breach notifications to the OAIC and to affected individuals when a breach is likely to result in serious harm. A well-implemented ISO 27001 incident management process can be designed to trigger and support the NDB notification workflow, but you need to explicitly build that connection into your procedures rather than assuming it happens automatically.

Yes, absolutely. ISO 27001 is valuable regardless of your Privacy Act obligations. Many small businesses pursue ISO 27001 certification because their clients or supply chain partners require it, or because they want to demonstrate a credible security posture when competing for contracts. Even if you fall below the Privacy Act turnover threshold today, your obligations can change as your business grows, and building good information security practices early is far less disruptive than retrofitting them later.

Ask them directly. A consultant with genuine privacy law experience will be able to explain the Australian Privacy Principles, the Notifiable Data Breaches scheme, and how they relate to specific ISO 27001 controls. They should be able to identify gaps between your ISMS and your Privacy Act obligations rather than treating ISO 27001 certification as the end goal. If a consultant cannot explain the difference between APP 11 and ISO 27001 Annex A Control 8.10, or cannot discuss ISO 27701 as a bridging framework, they may not have the depth of knowledge you need for a dual compliance programme.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
