Quality and security, audited together: Trucell is now ISO 9001:2015 and ISO 27001:2022 certified

Yesterday we announced ISO 27001:2022 information security management certification. Today Trucell has been awarded ISO 9001:2015 quality management system certification through Citation Certification (JAS-ANZ accredited), certificate number 500-27268-Q, valid through 11 May 2029.

Two independently audited management systems within forty-eight hours. That’s the part worth pausing on.

What ISO 9001 actually covers, in plain English

ISO 9001 is the quality management standard. Where ISO 27001 audits how we protect information, ISO 9001 audits how we deliver work: how we scope, plan, execute, document, review, and continually improve the services we sell. It is the standard procurement teams reach for first when they want evidence that a supplier’s delivery isn’t held together by individual heroics.

The scope of our certificate, verbatim:

The provision, delivery and support of managed IT services, cybersecurity and managed security services, IT support and helpdesk services, cloud services, DICOMJet medical imaging cloud hosting, network services, business VoIP and unified communications, and Microsoft 365 consulting to organisations across healthcare, construction, education, finance, hospitality, legal, transport, and print and advertising sectors in Australia.

Three things stand out about that scope.

It explicitly names DICOMJet. Most ISO 9001 certified Australian MSPs scope a generic “IT services” line. Ours names the medical imaging cloud hosting platform we operate, alongside the rest of the catalogue, because that’s how we sell it and that’s how it has to be audited.

It explicitly names eight industry sectors. Healthcare, construction, education, finance, hospitality, legal, transport, print and advertising. The QMS audit looked at how we deliver into each of those, not at a generic abstract service.

It explicitly names the full service catalogue. Managed IT, cybersecurity, IT support and helpdesk, cloud, networks, business VoIP and unified communications, Microsoft 365 consulting, DICOMJet medical imaging hosting. Same QMS, same processes, same audit.

Why the pair matters more than either certificate alone

ISO 9001 and ISO 27001 are different standards but they share an underlying logic. Both are management system standards: they audit how an organisation is run, not what an organisation produces. Both require documented processes, evidence of operation, management review, continual improvement, and the discipline to be inspected by a third party.

When the two are awarded against the same delivery scope, by the same certifying body, within a single week, what you get is consistency. The same change-control records that ISO 9001 reviewed for quality discipline are the records ISO 27001 reviewed for security control. The same incident process is graded against customer outcomes (ISO 9001) and confidentiality and integrity outcomes (ISO 27001). The same supplier-risk register satisfies both auditors.

That coherence is the practical benefit. For Trucell clients it means:

• Procurement reviewers see one set of evidence covering both quality and security questions, not two disconnected frameworks
• The information security controls in our ISO 27001:2022 scope live inside a quality management system that requires them to be operated consistently, reviewed regularly, and improved over time
• The quality of service we sign up to deliver under ISO 9001 is held to security controls that have been independently audited

Where this fits in the wider trust register

Our complete current set of independent assurance and credentials:

• ISO 9001:2015 Quality Management System (certificate 500-27268-Q, valid through 11 May 2029) — today’s announcement.
• ISO 27001:2022 Information Security Management System (certificate 500-27285-IS, valid through 10 May 2029) — yesterday’s announcement.
• SOC 2 Type II report — annual attestation covering security controls, available under NDA.
• Microsoft Cloud Solutions Provider — how we transact and support Microsoft 365, Azure, and Entra ID.
• ITAR/AUKUS Australian Authorized User (AUK0001996) — for export-controlled and defence-adjacent work.
• Vendor credentials: Fortinet Gold Partner, SentinelOne Certified, 3CX Silver, NVIDIA Partner Network registered.

The full register, with downloadable certificates and verification links, lives at /about/certifications/.

What this means for your next vendor review

If you are reviewing Trucell as part of a managed services, cybersecurity, medical imaging, or general IT engagement, you can now:

1. Request both certificates in writing. We will share copies of the ISO 9001:2015 and ISO 27001:2022 certificates plus the Statement of Applicability summary on request.
2. Verify on the JAS-ANZ register at register.jasanz.org/certified-organisations using certificate numbers 500-27268-Q (ISO 9001) and 500-27285-IS (ISO 27001).
3. Ask for the scope statement for either certificate. Both are on this page, verbatim, and on our certifications hub.
4. Ask about your specific area: identity, backup, DICOM administration, change management, supplier risk, customer feedback, project delivery. The audits covered all of these; we can speak to the controls and processes in scope.

Thank you

Two certifications in two days is the visible bit. The work behind it spanned eighteen months: documenting processes that already ran on muscle memory, building the evidence trail to defend them, training the team to keep the records the auditors actually look at, and submitting to the surveillance discipline that keeps both certifications live for the next three years.

Thanks to the Trucell team across Australia, the Philippines, New Zealand, and Chile. Thanks to Citation Certification for two thorough audits. Thanks to the clients whose trust over more than two decades made the investment worth making.

Talk to us

If your procurement, risk, or clinical governance team needs ISO 9001 or ISO 27001 evidence to clear Trucell as a supplier, we will send what your reviewers actually ask for, not a generic capability deck. Use the form below to start the conversation.