Case Study

From Vision to Certification: Our Cybersecurity Uplift

ISO 27001 Certification

Client

Amalgamotion, Insicon

Sector

Cybersecurity

Services

Amalgamotion, a Sydney-based consultancy specialising in large-scale, complex multiparty transformations, achieved ISO 27001 certification in January 2025.

This milestone marks a pivotal moment in our ongoing commitment to cybersecurity maturity, operational rigor, and trust with both government and enterprise customers. The journey was driven by a pressing business need to internalise and rebuild our critical data architecture, satisfy elevated security and data governance expectations from a key NSW Government client, and respond decisively to cyber risk. While we collaborated closely with Insicon as our implementation partner, this case study presents our path, from internal capability build to successful audit, as seen from within Amalgamotion.

Established in 2013, Amalgamotion has consistently delivered complex transformation programs. In 2017, we secured a major engagement with the NSW Telco Authority, contributing to the rebuild of the state’s critical emergency communications network. This led to a long-term delivery role on the Critical Communications Enhancement Program (CCEP).

Initially, we partnered with a third-party organisation to deliver the program’s data reporting capability. By mid-2023, we made a strategic decision to bring this capability in-house by building a new cloud-based architecture on Microsoft Azure. The transition aimed for zero customer disruption while modernising our capability stack.

The Catalyst: Data Governance and Cybersecurity Demands

With the rebuild came increased scrutiny from the client, particularly around:

• Data integrity of the new solution.
• Hosting, access control, and architecture documentation.
• Compliance with sensitive data handling under government classification.

This scrutiny culminated in a 170-question cyber risk questionnaire from the client’s cybersecurity team, which highlighted some capability gaps within our IT governance framework. Two pivotal commitments emerged from this work: to perform a full penetration test to assess and remediate external vulnerabilities, and to achieve ISO 27001 certification.

Strategic Mobilisation

We began by allocating two internal resources to study ISO 27001 requirements, assess our maturity, and conduct a gap analysis. This revealed significant work ahead, especially aligning with the 93 required controls and developing a Statement of Applicability (SoA). By early 2024, it was clear we needed structured external support. After a rigorous vendor selection process, focused on cultural fit, hands-on expertise, and a phased delivery model, we chose Insicon as our implementation partner.

Early Alignment Led to Structured Delivery

While expectations were high for off-the-shelf, pre-loaded templates and a populated Jira board, we quickly understood that these were to be built as part of the solution against the requirements of our business. We adapted, working with Insicon to populate the templates and gradually build the board. Early misalignment in expectations gave way to a rhythm of structured delivery, mutual feedback, and professional collaboration through:

– Weekly internal and external workshops to manage progress.
– Dedicated ISMS operational board in Jira to support sustainable BAU compliance.
– An internal audit team and mock audit which identified over 30 actionable gaps.
– Final sprint planning that ensured closure of all actions before audit phases.
– A SharePoint ISMS portal, deployed to consolidate documentation and improve navigation.

Certification Process

The certification process began with an internal audit conducted with external guidance. The outcomes were fed into Jira for traceable resolution. The formal process then commenced with the initial audit, which was passed with minor findings and enabled a smooth transition to the final audit. The final audit was completed a few months later with only two minor observations, and the team was commended for their clarity and maturity. Certification was formally granted in January 2025.

Ongoing Operations

Post-certification, we have embedded ISO 27001 into BAU operations through weekly compliance workgroups which report monthly into the leadership team. This is supported through active SoA tracking and evidence management in Jira with our staff regularly updated through our all-hands meeting and other communications.

Lessons Learned

Our journey to ISO 27001 from kick-off to certification took around nine months. Based on our journey, for organisations following the same path, we would recommend:

1. Conducting an early gap assessment is critical to setting expectations

2. Dedicated resources will accelerate the success

3. The templates and tools must be suited to the scale of business

4. Structured governance and clear communication will drive momentum

5. Leadership commitment to the outcomes is non-negotiable, as challenges will present themselves

6. Be pragmatic and purposeful—the certification is a tool for business maturity, not just compliance

Achievements

Certification Granted: January 10, 2025.
Enhanced Cybersecurity Posture: Evident uplift in governance, architecture, and risk management.
Customer Trust: Renewed confidence from government and enterprise clients.
Business Enablement: ISO 27001 became a lever to win MSAs and new work.