1. ISO 27001 & SOC 2 readiness (not yet certified)
We do not claim ISO 27001 certification or SOC 2 Type II attestation until an external body issues a certificate or report. That is deliberate — badge bluffing erodes trust faster than honest progress.
Since early 2026, Abilitix has run one structured readiness programme that supports both frameworks — the same engineering controls and monthly evidence packs:
- ISO 27001–aligned ISMS — policies, risk register, scope and Statement of Applicability (SoA) artefacts, and management review as part of monthly evidence collection (primary framing for ANZ enterprise and BPO procurement)
- SOC 2–aligned controls — mapping to Trust Services Criteria (Security, Availability, Confidentiality) for buyers who use SOC language
- Internal control reviews — monthly assessments of tenant isolation, audit logging, access control, and data-handling practices
- Engineering gates — automated tenant-isolation tests on every release; security controls documented in our engineering baseline
- Gap closure — partial controls tracked and remediated before a formal certification or observation window
Formal ISO 27001 certification and SOC 2 Type II attestation each require an external auditor and defined observation period — separate steps from readiness. Procurement teams can request our current evidence summary under NDA: security@abilitix.com.au