How Amalgamotion Achieved ISO 27001 Certification with Insicon Cyber

Industry: Technology / Professional Services
Service: Managed Compliance — ISO 27001
Challenge: Achieve ISO/IEC 27001:2022 certification to meet NSW Government client security requirements and support an 'Invest for Growth' strategy, without the in-house expertise to do it alone.
Result: ISO/IEC 27001:2022 certification granted 10 January 2025, following a nine-month structured implementation. ISO 27001 became a direct lever for winning new master service agreements and government tenders.
Certification Date: 10 January 2025
Building business maturity has been central to our growth plans. Securing ISO accreditations isn't just a box-ticking exercise — it's a statement about how we do business.
Gareth Rumbelow, Founder and CEO, Amalgamotion
Insicon Cyber's proposal stood out for its clarity and structure. They provided confidence that we could achieve certification within the proposed timeline without compromising quality.
Clint Goad, Head of Operations, Amalgamotion

About Amalgamotion

Amalgamotion is a Sydney-based boutique consultancy established in 2013, specialising in complex, multi-party transformation programs for large organisations across IT and telecommunications. The firm is known for its deep expertise, agility, and strong commercial and operational capability — helping clients navigate large-scale change and deliver their target outcomes.

In 2017, Amalgamotion secured a major engagement with the NSW Telco Authority, contributing to the rebuild of the state's critical emergency communications network. That relationship led to a sustained delivery role on the Critical Communications Enhancement Program (CCEP), one of the most significant public safety infrastructure programs in New South Wales.

By mid-2023, Amalgamotion made a strategic decision to bring its data reporting capability in-house, building a new cloud-based architecture on Microsoft Azure. This transition brought increased scrutiny from its government client around data integrity, hosting, access control, and compliance with sensitive data handling requirements.

The Challenge: From a 170-Question Audit to ISO 27001 Certification

As Amalgamotion's cloud platform matured, so did its client's expectations. The NSW Government client's cybersecurity team issued a 170-question cyber risk questionnaire, which surfaced capability gaps in Amalgamotion's IT governance framework. The assessment crystallised two non-negotiable commitments: a full penetration test to identify and remediate external vulnerabilities, and ISO/IEC 27001:2022 certification.

This was not a speculative decision. ISO 27001 was a direct prerequisite for Amalgamotion to continue and grow its government work, protect the sensitive data flowing through its platform, and progress its broader 'Invest for Growth' strategy.

Amalgamotion had already achieved ISO 9001 (Quality Management), ISO 14001 (Environmental Management), and ISO 45001 (Occupational Health and Safety) in 2023. ISO 27001 was the natural next milestone, but it presented a different order of complexity. The standard requires organisations to define an Information Security Management System (ISMS) across 93 controls, produce a Statement of Applicability (SoA), and pass a two-stage formal audit conducted by an accredited certification body.

Despite strong operational capability, Amalgamotion recognised it did not have the internal capacity or specialist expertise to confidently pursue ISO/IEC 27001:2022 certification on its own. The business needed a structured, experienced implementation partner.

Why Insicon Cyber

Amalgamotion conducted a rigorous vendor selection process, assessing candidates on cultural fit, hands-on ISO 27001 expertise, and ability to deliver a phased, business-aligned implementation. Insicon Cyber was selected over other options.

Insicon Cyber's Managed Compliance service combines structured ISMS implementation with practical, business-embedded support. Rather than handing clients a documentation bundle and stepping away, the Insicon Cyber team works alongside the organisation, building policies, controls, and governance frameworks that reflect how the business actually operates. This approach was critical for Amalgamotion, which needed certification to hold up under scrutiny from sophisticated government clients.

The Process: Nine Months from Gap to Certified

The implementation commenced in May 2024 and ran for approximately nine months. Key stages included:

1. Gap Analysis and Readiness Assessment

Before formal engagement began, Amalgamotion had allocated two internal resources to study ISO 27001 requirements and assess their current state. This revealed significant work ahead, particularly in aligning with the 93 required controls and developing the Statement of Applicability. Insicon Cyber formalised this gap assessment into a structured implementation plan, giving the team a clear and sequenced view of what was required and when.

2. Dedicated Internal Resources

Amalgamotion assigned two full-time staff members exclusively to the implementation alongside the Insicon Cyber team. Dedicated resource allocation was one of the most consequential decisions of the project. Attempting ISO 27001 implementation as a part-time workload alongside business-as-usual delivery routinely extends timelines and undermines audit readiness.

3. Collaborative Delivery Framework

Weekly workgroups between the Insicon Cyber and Amalgamotion teams provided a consistent rhythm of progress tracking, issue escalation, and mutual feedback. Jira was used as a dedicated ISMS operational board, with controls, evidence requirements, and action items managed transparently across both teams. A SharePoint ISMS portal was also deployed to consolidate documentation and improve navigation for staff across the organisation.

Early in the engagement, the teams worked through an alignment phase around tooling and template expectations. Policies and procedures needed to be built to reflect Amalgamotion's specific business context rather than applied off the shelf. Insicon Cyber worked through this iteratively with the team, and the structured delivery rhythm that followed became one of the project's defining strengths.

4. Policy Development and Control Implementation

Insicon Cyber guided Amalgamotion through the development of all required ISMS policies and procedures, aligning each control to the business's actual operations, risk profile, and client obligations. Policies were built to reflect Amalgamotion's obligations under the Privacy Act 1988 and the data governance requirements of its NSW Government client relationships.

5. Internal Audit, Mock Audit, and Gap Closure

An internal audit was conducted with Insicon Cyber's guidance. A mock audit was then used to stress-test readiness, identifying more than 30 actionable gaps before the formal certification process commenced. Every gap was logged in Jira for traceable resolution, and a final sprint closed all outstanding actions before the audit phases began.

6. Certification Audit

The formal certification process commenced with a Stage 1 (documentation) audit, which was passed with minor findings. This enabled a smooth transition to the Stage 2 (implementation) audit. The audit team commended Amalgamotion for the clarity and maturity of their ISMS. There were only two minor observations. ISO/IEC 27001:2022 certification was formally granted on 10 January 2025.

"Whilst utilising our own internal skills, expertise and capabilities throughout this initiative, we wouldn't have achieved this outcome without the specialist support and expertise from Insicon Cyber. In a true, partnership-principled manner, Insicon Cyber became an integral part of our business and a natural extension of the team. Their experience, support and professionalism were paramount in guiding us from an idea to a clear intent, and then through to a successful implementation of ISO 27001. Working together it is less about the fact we achieved the objective, but more about the way we achieved it."
Gareth Rumbelow, Founder and CEO, Amalgamotion

Ongoing Operations: Compliance Beyond the Certificate

Certification is not the end of the ISO 27001 journey. Post-certification, Amalgamotion embedded ISO 27001 into its operational cycle through weekly compliance workgroups, reporting monthly into the leadership team. The Jira ISMS board remains active for SoA tracking and evidence management, and staff are updated regularly through all-hands meetings and internal communications.

This sustained operational discipline is what distinguishes genuine information security maturity from a compliance sprint. Insicon Cyber's Managed Compliance service is structured to support exactly this kind of ongoing governance, reducing the risk of certification lapse at the annual surveillance audit.

"We now have a robust governance framework that will serve us well into the future and goes far beyond just certification."
Clint Goad, Head of Operations, Amalgamotion

The Results

ISO/IEC 27001:2022 Certified

Certification formally granted on 10 January 2025, meeting NSW Government client requirements and providing independent assurance of Amalgamotion's information security posture.

New Business Won

ISO 27001 became a direct commercial lever. The certification enabled Amalgamotion to win new master service agreements and pursue government tenders that had previously been out of reach due to security requirements.

Operational Maturity

The implementation instilled governance rigour across the business. Policies, controls, and documentation practices now reflect a sustainable, auditable standard — not a one-time project output.

Enhanced Security Posture

The process produced measurable uplift in governance, architecture documentation, access control, and risk management practice — giving government and enterprise clients renewed confidence in Amalgamotion as a trusted delivery partner.

Organisational Awareness

Regular training, all-hands updates, and embedded compliance workgroups raised security awareness across the organisation — building a security culture that extends well beyond the certification itself.

Lessons Learned

Based on Amalgamotion's journey, and Insicon Cyber's experience delivering ISO 27001 certification across Australian organisations, these are the principles that made the difference:

  1. An early gap assessment sets realistic expectations. Amalgamotion's pre-engagement gap analysis gave the project a clear starting point and accelerated scoping with Insicon Cyber. Organisations that skip this step routinely underestimate the work ahead.
  2. Dedicated resources drive delivery. Assigning two full-time staff to the project alongside Insicon Cyber kept momentum through competing operational priorities. ISO 27001 cannot be treated as a background task.
  3. Templates must fit the business, not the other way around. Off-the-shelf frameworks need to be contextualised to the organisation's actual risk profile, client obligations, and operational reality. Insicon Cyber built Amalgamotion's policies to reflect how the business genuinely operates — which is what the auditors assessed.
  4. Structured governance keeps the project moving. Weekly workgroups, a dedicated Jira ISMS board, and a SharePoint documentation portal created transparency and accountability across both teams. Momentum requires structure.
  5. Leadership commitment is non-negotiable. Challenges arose throughout the project. Leadership's sustained commitment to the outcome — not just the certificate — is what carried the team through.
  6. Certification is a tool for business maturity, not just compliance. Amalgamotion approached ISO 27001 as a genuine investment in how they operate, not a procurement checkbox. That mindset produced outcomes that outlast the audit.

Compliance That Supports Growth

Amalgamotion's ISO 27001 journey demonstrates what becomes possible when compliance is approached as a business investment rather than a procurement hurdle. The certification did not simply satisfy a client requirement. It matured Amalgamotion's governance, strengthened its data practices, and directly enabled new commercial opportunities across government and enterprise markets.

For Australian organisations handling sensitive government or enterprise data — particularly those operating under NSW Government procurement frameworks or exposed to the Privacy Act 1988 — ISO 27001 provides independently verified assurance that information is managed to an internationally recognised standard. Across Australia and New Zealand, that assurance is increasingly a baseline expectation, not a differentiator.

"Real compliance isn't about paperwork — it's about building a security culture that supports business growth and resilience. We help Australian and New Zealand organisations move beyond box-ticking, guiding them to practical, lasting improvements that stand up to scrutiny and set them apart in the market."
Matt Miller, Co-founder, CEO, and Fractional CISO, Insicon Cyber

Organisations that succeed with ISO 27001 share three things: they recognise the genuine value behind certification rather than treating it as a formality; they take a tailored approach that fits their business rather than following a generic process; and they embed ongoing governance practices that sustain the standard long after the auditors have left.

Insicon Cyber's Managed Compliance service is built around all three. If your organisation is considering ISO 27001 certification — whether driven by a government client requirement, a tender, or your own growth strategy — the right starting point is understanding where you stand today.

Ready to start your ISO 27001 journey?

Insicon Cyber's structured gap analysis gives you a clear, honest view of where your organisation stands against ISO/IEC 27001:2022 — and a practical plan to close the gaps. No jargon, no surprises.