31 Oct, 2025

Chargefox: Powering Secure Growth with ISO 27001 Certification

Background

Chargefox operates Australia’s largest electric-vehicle charging network. As demand surged, enterprise customers asked for clear, verifiable assurance that the production platforms — the Chargefox apps and the data they store and process — were governed by a robust, living ISMS. Midnyte City was engaged to provide ISO 27001:2022 readiness and guide the organisation to certification without slowing delivery.

Challenge

The issue wasn’t technology; it was structure and visibility. Policies and procedures existed in parts, ownership was uneven, and there was no simple, cyclic framework to keep everything current. Teams delivered quickly but couldn’t always surface the evidence customers and auditors expect. Supplier oversight was periodic rather than continuous, and risk signals were trapped in separate tools.

Our Collaborative Approach

We grounded the work in the real scope: the production platforms, the Chargefox apps, and the data flows that serve customers. Together, we defined the boundaries, assets, and interfaces so everyone understood what was in scope and why it mattered.

We then anchored the Information Security Management System (ISMS) in Vanta to replace spreadsheets with live signals. Source control, CI/CD, cloud accounts, identity, endpoints, ticketing, and documentation systems were connected so risks, controls, and evidence flowed automatically. This gave leaders and engineers a single view of control health and drift.

To make the ISMS a habit rather than a project, we set a steady cadence for Management Review, Risk Management, and Supplier Management. Each session ran to a short agenda and a one-page pack pulled from Vanta: what changed, what’s red, what improved, and what’s next. We clarified ownership, linked risks to controls, and mapped decisions to simple, task-level procedures people could actually follow.

Mitigations were aligned to ISO 27001:2022 Annex A with a clear focus on identity, change, secure software delivery, and actionable process. The Statement of Applicability was tied to the risk register so nothing lived in isolation. The ISMS meetings, risk reviews, and supplier reviews kept the loop turning.

Continuous Monitoring

By integrating Chargefox’s business applications with Vanta, we reduced vulnerabilities and blind spots through real-time insight, which allowed vulnerabilities to be resolved quickly and Chargefox’s security posture to improve continuously. Evidence collection shifted from ad-hoc tasks to an always-on pipeline, and a short monthly review closed the loop: new risks captured, controls tuned, and supplier and risk reviews scheduled on a regular cadence.

Supplier Oversight

Supplier risk moved from annual checklists to active management. Vanta reminders, owner assignments, and lightweight questionnaires kept due diligence current. Findings and renewals were tracked, discussed in the Supplier Management session, and resolved with clear actions.

Outcomes

The gap analysis translated directly into action. With Vanta surfacing control health and missing evidence, Chargefox eliminated all Critical and High risks in scope and brought documentation to an audit-ready state. The organisation passed Stage 1 and Stage 2 on the first attempt with only minimal minor nonconformities, confirming that the ISMS works in practice, not just on paper.

Lessons for Other Organisations

Certification is a milestone; the engine is the improvement cycle. Plan the next set of risks and objectives, do the work inside normal sprints, check outcomes with metrics and exercises, and act by tuning controls and managing internal and supplier risk. Automating evidence early makes each turn lighter. The cadence keeps the ISMS aligned with how the business actually operates and gives customers ongoing confidence in the production platforms and their data.

Trust, Made Visible

The journey wasn’t only about certification; it was about verifiable trust. Chargefox stood up a customer-facing trust portal so partners can see current certifications, key policies, and up-to-date security posture. Prospects get answers faster, customers gain confidence, and the team shares a single source of truth.

How Midnyte City Can Partner with You

Our approach is technology agnostic and scales from start-ups to enterprises. By grounding everything in clear scope, live telemetry via Vanta, prioritised controls, and a cadence teams can live with, we help organisations achieve ISO 27001 certification and keep improving without unnecessary overhead.

Testimonial

"A big thank you to Paul for all the effort he put in to getting us ISO certified. He made a huge difference and got Chargefox to a great place so quickly. I enjoyed working with Paul and appreciate his positivity and hard work."

Kieran Andrews
Engineering Manager, Chargefox
