ISO 27001 + vCISO for a digital health platform
Part-time CISO advisory and full ISMS build-out to land ISO/IEC 27001 certification for an Australian digital health services and software organisation handling sensitive patient data.
Challenge
Senior stakeholders needed a defensible security posture and a path to certification while shipping a regulated product. There was no formal ISMS, limited endpoint hardening, and only ad-hoc DLP coverage for sensitive information.
Approach
Operated as part-time vCISO covering governance, risk, and advisory. Built the ISMS end to end: policy framework, risk assessment, control ownership, evidence management, audit readiness, and continuous improvement. Implemented foundational uplift in parallel—Microsoft Intune MDM enrolment, endpoint configuration and hardening, Microsoft Defender Antivirus configuration, Windows Security Baselines, and Microsoft Purview DLP policies for sensitive information.
Results
- ISO/IEC 27001 certification achieved on first audit
- Sustainable ISMS the in-house team continues to run
- Ongoing security advisory across access control, SaaS/cloud usage, backup and recovery, vendor risk, awareness, and incident response readiness