ISO 27001 Framework-Aligned AI Receptionist — Security-Compliant Phone Answering for Australian Businesses with Enterprise Information Security Requirements

David runs a mid-sized accounting firm in North Sydney — 38 staff across audit, business advisory, and tax services. His client base includes ASX-listed companies, large private companies, and a number of federal government contractors. When the firm went to onboard a new AI receptionist to handle after-hours and overflow, his largest client's procurement team flagged it:

“We need to understand the security posture of any third-party tooling that touches our communications. Please complete the attached supplier security questionnaire — 47 questions covering data residency, encryption, access controls, incident response, certifications, sub-processor governance, and audit attestations. We require either ISO/IEC 27001 certification or an equivalent independent external audit attestation. Without it, your firm cannot use this tool for any client work.”

The procurement question alone meant David couldn't just pick any AI receptionist. He needed something that:

• Documents controls mapped to ISO/IEC 27001 in a form usable for client questionnaires
• Keeps data in Australia
• Has a documented incident response framework aligned with the NDB Scheme
• Manages sub-processors responsibly
• Provides clear retention and deletion controls
• Has a credible roadmap to formal independent attestation

That's a small minority of consumer-grade AI tools. It's table stakes for AAA, which has been built around the security expectations of regulated and enterprise-procurement contexts from the start.

This page is the security questionnaire answer, in narrative form.

David's story is an illustrative composite based on common patterns across Australian mid-tier accounting firms with enterprise client bases. Real named AAA customers with permission to publish include Line Marking Australia and Dinar Exchange.

Information Security Management System (ISMS) overview

AAA operates an Information Security Management System (ISMS) aligned with ISO/IEC 27001, with control selection guided by ISO/IEC 27002. Formal certification is on our roadmap. Key control areas:

A.5 — Information security policies. Documented, owner-assigned, reviewed annually.

A.6 — Organisation of information security. Roles defined, segregation of duties for sensitive operations, contact with authorities established.

A.7 — Human resource security. Background checks (where lawful), confidentiality undertakings, security awareness training, defined responsibilities at start / change / termination of employment.

A.8 — Asset management. Asset inventory maintained, classification scheme (public / internal / confidential / restricted), acceptable use policies.

A.9 — Access control. Role-based access (RBAC) to all systems, principle of least privilege, multi-factor authentication on administrative access, formal access provisioning and revocation procedures, regular access reviews.

A.10 — Cryptography. TLS 1.3 in transit (current best practice); AES-256 at rest; key management procedures documented; rotation cadence defined.

A.11 — Physical and environmental security. Australian data centres with documented physical security (locked facilities, access controls, environmental monitoring, fire suppression, redundant power, generator backup).

A.12 — Operations security. Change management procedures, capacity management, malware protection, backup procedures, logging and monitoring, vulnerability management, technical compliance reviews.

A.13 — Communications security. Network segmentation, secure file transfer, electronic messaging security.

A.14 — System acquisition, development and maintenance. Secure development lifecycle, separation of development / test / production environments, secure code review, dependency scanning.

A.15 — Supplier relationships. Sub-processor register, supplier security requirements in contracts, monitoring of supplier security.

A.16 — Information security incident management. Documented incident response plan, defined escalation, NDB Scheme alignment, post-incident review.

A.17 — Information security aspects of business continuity management. Business continuity plan, disaster recovery procedures, tested annually.

A.18 — Compliance. Identification of applicable legislation (Privacy Act 1988, telecommunications regulations, sector-specific), regular compliance review, independent reviews.

Controls aligned to common Trust Services Criteria categories

Our control framework also references the categories published by the AICPA under the SOC2 Trust Services Criteria. AAA does not currently hold a SOC2 Type II report; the categories below describe the structure of our controls, not an external attestation:

• Security — protection against unauthorised access
• Availability — system available for operation
• Processing Integrity — system processing complete, valid, accurate, timely, authorised
• Confidentiality — confidential information protected
• Privacy — personal information collected, used, retained, disclosed in conformity with privacy commitments

Full ISMS documentation and current control evidence are available under NDA to enterprise clients on request.

For your client's procurement team, here are the standard answers we provide to common supplier security questionnaire questions:

Data residency: 100% Australian. No cross-border data transfer.

Encryption: TLS 1.3 in transit. AES-256 at rest. Keys managed under documented ISMS procedures.

Authentication: Multi-factor authentication on administrative access. SSO available for Enterprise plan.

Access controls: Role-based access (RBAC). Principle of least privilege. Quarterly access reviews. Logged and auditable.

Audit logging: All access to customer data logged. Retention 90 days minimum.

Penetration testing: Annual third-party penetration testing.

Vulnerability management: Continuous vulnerability scanning. Critical vulnerabilities patched within 24 hours where feasible.

Incident response: Documented incident response plan. Notification to affected customers within 24 hours of confirmed breach (in line with NDB Scheme).

Business continuity: Multi-zone redundancy in Australian data centres. Disaster recovery tested annually. Documented RTO/RPO.

Sub-processors: Sub-processor register maintained and provided under NDA. Customers notified of material changes.

Data subject rights: APP 12 access, APP 13 correction, deletion, and portability supported.

Retention: Customer-configurable. Default aligned to standard Australian record-keeping requirements. Secure deletion at end of period.

Contractual: Standard Data Processing Agreement (DPA) available. Customised DPAs for Enterprise plan clients.

Audit attestations: AAA does not currently hold an ISO/IEC 27001 certificate or SOC2 Type II report. Independent certification is on our roadmap. ISMS documentation and current control evidence available under NDA.

For specific questions or to receive our security pack for your client's procurement team, email info@aussieaiagency.com.au.

Procurement-driven requirements

• Government contractors (federal, state, local) needing supplier security alignment
• Suppliers to ASX-listed enterprises with security questionnaires
• Defence-adjacent contractors handling unclassified work (classified work requires separate clearance frameworks)

Industry regulatory requirements

• Financial services (AFSL, ACL) — see ASIC compliant AI receptionist (ASIC)
• Healthcare regulated by AHPRA — see AHPRA compliant AI receptionist
• NDIS providers — registered with the NDIS Quality and Safeguards Commission
• Legal practices with elevated security expectations
• Accounting firms serving large clients
• Education providers handling minor data

Self-imposed requirements

• Boutique firms with security-conscious client bases
• Family offices and private wealth advisers
• Specialist consultancies

ISO 27001 framework-aligned ISMS controls are included in all plans. Enterprise plan adds custom DPA negotiation, SSO support, advanced integrations, and additional security questionnaire support.

14-day free trial. No setup fees. Cancel anytime. See full pricing.

Customers that contractually require a current SOC2 Type II report or active ISO/IEC 27001 certificate. AAA does not currently hold either attestation. Formal certification is on our roadmap, but if your procurement gate explicitly requires a current certificate or report at contract signature, we are not the right fit today. Talk to us about the roadmap — we may be the right fit at your next review cycle.

Classified or security-cleared environments. AAA is designed for unclassified business operations. Classified contexts require separate clearance frameworks AAA does not provide.

Air-gapped deployments. AAA is a cloud service. Air-gapped on-premises deployments are not supported.

Jurisdictions other than Australia for data residency. AAA is Australian-hosted. If contractual requirements specify a non-Australian jurisdiction for data, AAA isn't the right fit.

Sovereign defence systems. Out of scope.

For all other Australian businesses with mainstream commercial or regulated information security requirements, AAA's ISO 27001 framework-aligned posture handles standard procurement and regulatory expectations.