Do NDIS Providers need ISO 27001 Certification?
- EQAS
- Mar 31, 2022
- 2 min read
Updated: Jul 8

Certification to ISO 27001 is becoming increasingly popular as online security threats continue to escalate. These threats include both external cyber attacks and internal data breaches.
While ISO 27001 certification is not mandatory for NDIS providers, it may be appropriate for some organisations to implement an ISO 27001 certified system to demonstrate suitable and effective information (security) management, as specified by the ‘Provider Governance and Operational Management’ core module requirements of the NDIS Practice Standards.
Information Management (NDIS Practice Standards)
Outcome: Management of each participant’s information ensures that it is identifiable, accurately recorded, current and confidential. Each participant’s information is easily accessible to the participant and appropriately utilised by relevant workers.
To achieve this outcome, the following indicators should be demonstrated:
- Each participant’s consent is obtained to collect, use and retain their information, or to disclose their information (including assessments) to other parties, including details of the purpose of collection, use and disclosure. Each participant is informed in what circumstances the information could be disclosed, including that the information could be provided without their consent if required or authorised by law.
- Each participant is informed of how their information is stored and used, and when and how each participant can access or correct their information, and withdraw or amend their prior consent.
- An information management system is maintained that is relevant and proportionate to the size and scale of the organisation and records each participant’s information in an accurate and timely manner.
- Documents are stored with appropriate use, access, transfer, storage, security, retrieval, retention, destruction and disposal processes relevant and proportionate to the scope and complexity of supports delivered.
If you are certified to the “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements” standard, you can provide your key customers and business partners (e.g., NDIS Quality and Safeguards Commission) with enhanced confidence in the reliability and security of the way you handle their information.