
PHN achieves ISO/IEC 27001:2022 certification
July 31, 2025
Darling Downs and West Moreton PHN achieved International Organisation for Standardisation (ISO) certification against ISO/IEC 27001:2022 in May this year, reflecting its commitment to ensuring its information systems are appropriately protected.
The Australian Government requires all 31 Primary Health Networks to achieve ISO/IEC 27001 by mid-2026.
Conformity with ISO/IEC 27001:2022 means the PHN can better demonstrate it has an effective system to safely and securely manage the data it receives from the community.
To become ISO compliant, the PHN’s Digital Transformation, Performance and Evaluation team undertook a range of activities, including:
- Conducting a gap analysis to see where we are and where we need to improve.
- Developing a Statement of Applicability (SoA) to help us decide which ISO controls applied to us.
- Conducting a comprehensive risk assessment and asset inventory.
- Enhancing the PHN Information Security Management System (ISMS).
- Developing and reviewing policies and procedures aligned with ISO/IEC 27001:2022 controls.
- Further staff training and awareness sessions on information security.
- Working closely with our Managed Service Provider (MSP) to improve technical controls, such as access management and endpoint security.
- Performing internal audits and a management review prior to the external audit.
Achieving compliance with the International Standard is a long-term commitment. This work began in March 2024 and is now an ongoing function of the PHN in order to achieve re-certification every three years.
For PHN staff, ISO compliance reinforces the shared responsibility of cybersecurity. It isn’t just about tech – it’s about people, culture, and everyday habits.
Health Data Analyst at the PHN, John Chan, reflected on the importance of cross-team collaboration in the process of accreditation:
“One of the biggest takeaways was how this process helped us to work better together across teams. It was challenging at times, but we’re now in a stronger position when it comes to protecting sensitive information.
We now have a greater foundation to support our information and data governance going forward.”
With surveillance audits in early 2026 and 2027, and a goal of recertification in 2028, the PHN will maintain high quality processes to ensure effective outcomes in every aspect of the organisation’s operations.