Independently audited information security you can rely on.
VCare operates under a certified ISO/IEC 27001:2022 information security management system (ISMS), ensuring structured controls are in place to manage risk and protect sensitive clinical and operational data.
Why Information Security Matters in Aged Care
Organisations delivering care manage highly sensitive clinical and personal information every day. Protecting this data is essential to maintaining trust, meeting regulatory obligations, and supporting safe, high-quality care delivery.
Working with VCare, an ISO 27001 certified organisation provides independent assurance that appropriate security controls, governance, and risk management processes are in place and consistently applied.
What is ISO 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It defines how organisations identify risks, implement controls, and continuously improve their approach to protecting information.
Certification requires independent third-party audit and ongoing compliance review.
What ISO 27001 Means for VCare Customers
ISO/IEC 27001 certification provides assurance that your data is protected through defined controls, governance, and risk management practices.
This includes structured policies, access controls, monitoring processes, and ongoing risk assessment designed to protect clinical, resident, and organisational information.
Independent Certification and Audit
Certification is issued by an accredited certification body and maintained through regular surveillance audits and periodic recertification.
This ensures that security controls are independently verified and remain effective over time.
Continuous Improvement
Maintaining ISO/IEC 27001 certification requires ongoing risk assessment, internal audit, and management review.
This ensures that security controls continue to evolve in response to emerging risks and changing operational requirements.
Security and Compliance Resources
We provide access to supporting security and compliance information to assist with due diligence processes.
Available on request:
- ISO/IEC 27001 Certificate
- Information Security Policy (summary)
- Risk Management Approach
- Data Protection and Privacy Overview
- Security Questionnaire responses
All 93 ISO 27001:2022 Controls
All 93 ISO/IEC 27001:2022 Annex A controls are implemented and independently verified as part of our certified information security management system.
A.5 — Organizational Controls
Governance frameworks, policies, and information security management
1. Governance and Leadership:
- 5.1 Policies for information security
- 5.2 Information security roles and responsibilities
- 5.4 Management responsibilities
2. External Engagement & Intelligence:
- 5.5 Contact with authorities
- 5.6 Contact with groups
- 5.7 Threat intelligence
3. Security in Delivery & Operations:
- 5.3 Segregation of duties
- 5.8 Security in project management
4. Asset & Information Management:
- 5.9 Inventory of assets
- 5.10 Acceptable use
- 5.11 Return of assets
- 5.12 Classification
- 5.13 Labelling
- 5.14 Information transfer
5. Identity & Access Management:
- 5.15 Access control
- 5.16 Identity management
- 5.17 Authentication
- 5.18 Access rights
6. Supplier & Third-Party Security:
- 5.19 Information security in supplier relationships
- 5.20 Addressing information security within supplier agreements
- 5.21 Managing information security in the ICT supply chain
- 5.22 Monitoring, review and change management of supplier services
- 5.23 Information security for use of cloud services
7. Resilience & Business Continuity:
- 5.29 Information security during disruption
- 5.30 ICT readiness for business continuity
8. Asset & Information Management:
- 5.31 Legal, statutory, regulatory and contractual requirements
- 5.32 Intellectual property rights
- 5.33 Protection of records
- 5.34 Privacy and protection of personally identifiable information
9. Audit & Operational Discipline:
- 5.35 Independent review of information security
- 5.36 Compliance with policies, rules and standards for information security
- 5.37 Documented operating procedures
A.6 — People Controls
Human resource security, training, and personnel obligations
1. Hiring & Employment Foundations:
- 6.1 Screening
- 6.2Terms and conditions of employment
2. Security Awareness & Culture:
- 6.3 Information security awareness, education and training
3. Accountability & Behaviour:
- 6.4 Disciplinary process
- 6.8 Information security event reporting
4. Employment Lifecycle Security:
- 6.5 Responsibilities after termination or change of employment
- 6.6 Confidentiality or non-disclosure agreements
5. Remote & Flexible Working:
- 6.7 Remote working
A.7 — Physical Controls
Physical security, environmental protection, and secure facilities
1. Secure Facilities & Access:
- 7.1 Physical security perimeters
- 7.2 Physical entry
- 7.3 Securing offices, rooms and facilities
- 7.6 Working in secure areas
2. Monitoring & Environmental Protection:
- 7.4 Physical security monitoring
- 7.5 Protecting against physical and environmental threats
3. Workspace Security Practices:
- 7.7 Clear desk and clear screen
4. Equipment & Asset Protection:
- 7.8 Equipment siting and protection
- 7.9 Security of assets off-premises
- 7.10 Storage media
5. Infrastructure & Utilities:
- 7.11 Supporting utilities
- 7.12 Cabling security
6. Lifecycle Management of Equipment:
- 7.13 Equipment maintenance
- 7.14 Secure disposal or re-use of equipment
A.8 — Technological Controls
Technical security measures, secure development, and infrastructure protection
1. Endpoint & Access Security:
- 8.1 User endpoint devices
- 8.2 Privileged access rights
- 8.3 Information access restriction
- 8.4 Access to source code
- 8.5 Secure authentication
2. System Protection & Hardening:
- 8.6 Capacity management
- 8.7 Protection against malware
- 8.8 Management of technical vulnerabilities
- 8.9 Configuration management
3. Data Protection & Handling:
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.13 Information backup
4. Resilience & Availability:
- 8.14 Redundancy of information processing facilities
5. Logging, Monitoring & Control:
- 8.15 Logging
- 8.16 Monitoring activities
- 8.17 Clock synchronisation
6. System Operations & Controls:
- 8.18 Use of privileged utility programs
- 8.19 Installation of software on operational systems
7. Network Security:
- 8.20 Networks security
- 8.21 Security of network services
- 8.22 Segregation of networks
- 8.23 Web filtering
8. Cryptography & Encryption:
- 8.24 Use of cryptography
9. Secure Development Practices:
- 8.25 Secure development life cycle
- 8.26 Application security requirements
- 8.27 Secure system architecture and engineering principles
- 8.28 Secure coding
- 8.29 Security testing in development and acceptance
- 8.30 Outsourced development – Not Applicable
10. Environment & Change Control:
- 8.31 Separation of development, test and production environments
- 8.32 Change management
- 8.33 Test information
11. Audit Protection:
- 8.34 Protection of information systems during audit testing
Request Compliance Documents
Our compliance documentation is available to customers, prospective customers, and partners upon request. All documents are kept up to date, reflecting our current ISO 27001:2022 certification status.
Information Security Policy
Our master ISMS policy — the top-level commitment to information security management
Business Continuity Plan
Our ICT and business continuity strategy, covering recovery time objectives and resilience measures.
Privacy Policy
How we collect, handle, store, and protect personally identifiable information under applicable privacy law.