Achieving ISO/IEC 27001 certification: How SHAPE is setting the benchmark for information security

Peter Marix-Evans

SHAPE has achieved certification to ISO/IEC 27001 – Information Security Management Systems, making it one of the few organisations within the Australian construction industry to attain this global and independently verified certification.

With cybercrime increasing in Australia and around the world, we believe that companies need to prioritise the safeguarding of their information and the information of their people, clients, and other stakeholders.

More so than ever before, the construction industry needs to increase its security posture.

Achieving ISO/IEC 27001 Certification

ISO/IEC 27001 is the world’s best-known standard for information security management systems.

The certification provides assurance that the systems we have in place to protect our information have been independently verified as meeting or exceeding the best practices and principles enshrined in the international standard.

It takes a team

SHAPE has always prided itself on its supportive culture and its ability to attract the best people in the business – our philosophy is to be ‘the place where everyone wants to work’.

Achieving our ISO/IEC 27001 certification is a testament to our people and their alignment with our company’s stated values and objectives, as achieving the certification requires everyone to be security conscious and security aware – constantly, and always.

Information Security Committee
SHAPE’s Information Security Committee which delivered the ISO/IEC 27001 certification project consisted of representatives from across various business disciplines – Information Technology, Business Technology, Legal, People and Culture, Finance and Environmental, Health, Safety and Quality.

The committee knew that leveraging SHAPE’s exceptional culture and bringing the whole business together to achieve the outcome was critical, as at SHAPE we know that information security is everyone’s responsibility.

Maintaining our robust information security culture requires transparency and trust in each other. Being open with our people about digital threats and risks, welcoming feedback and suggestions for improvement from every part of the business, and consistently monitoring the implementation of our management system guidelines regarding who is provided with access to various systems, facilities, and information (including education about why these guidelines are set).

“Achieving our ISO/IEC 27001 certification is a testament to our people… as achieving the certification requires everyone to be security conscious and security aware – constantly, and always.”


Other ways SHAPE is security conscious

DISP Membership
In 2022, SHAPE was granted Defence Industry Security Program (DISP) membership by the Australian Defence Force for the Governance, Personnel, Information & Cyber, and Physical Security elements of DISP. DISP ensures SHAPE has the right security requirements to deliver Defence projects and helps us better understand and manage security risks across our business.

We have more than 15 security-cleared personnel at a baseline level, with extensive capability and experience to deliver construction projects in this security conscious environment.

Technical Expertise
By engaging with third-party and specialist information security consultants, we were able to leverage their technical experience, enhancing our internal capabilities and further challenging and refining our management systems. Our use of independent information security experts was not seen as an additional cost, but as an investment in the highest quality outcomes.

The future

There is no denying that information security is an ever-evolving journey fuelled by an age of rapid technological advancements.

SHAPE’s ISO/IEC 27001 certification attests to our business maturity, underscoring our commitment to continuously improve our information security management systems in the changing cyber threat landscape to ensure we continue to remain a secure and trusted organisation.