Assessments & compliance

You leave more secure. Not just measured.

A typical assessment tells you what’s wrong and leaves. Ours fixes the quick wins while we’re in there, then hands you a prioritised path for the rest: sized by the threats that actually target you, not by a framework’s table of contents. Win the tenders and contracts that require compliance, and be harder to breach when the paperwork’s done.

The report is the least valuable thing we leave behind.

Every assessment runs as uplift-and-assessment. Misconfigurations get corrected during fieldwork. Missing quick-win controls get implemented, not just recommended. You score better because you are better, and the final report describes an organisation that already improved. Assessors who spend their other days inside real breaches know exactly which findings matter and which are framework theatre.

Frameworks and assessments

  • Essential Eight assessment and uplift
  • NIST CSF assessment
  • ISM alignment
  • SOCI and CIRMP obligations, including critical supplier and personnel risk
  • Third-party and supplier risk assessment
  • Insider risk maturity  →  insider risk management
  • CMMC for the US defence supply chain (AUKUS-relevant, no Australian reciprocity: if your contracts touch US DoD work, talk to us early)

ISO 27001 and SOC 2, without the drawer full of policies nobody follows.

Procurement teams increasingly won’t buy without them: ISO 27001 for Australian enterprise and government, SOC 2 for anyone selling to US-headquartered customers. We do the readiness: gap assessment, control implementation, evidence preparation, and we coordinate the audit. Formal certification is issued by an accredited certification body, and SOC 2 attestation by a partner CPA firm; that’s how it legally works, and anyone implying otherwise is selling something. The two frameworks share most of their controls, so one uplift can carry you to both.

Penetration testing, overseen.

We’ve performed penetration tests. We don’t specialise in them, so we don’t pretend to. Instead we make sure the right testers do the right test well. We scope it against your real threat profile, select the specialist from our vetted partner network, supervise the engagement, and translate the findings into a remediation plan in priority order. You get specialist-grade testing without the scoping mistakes, the vendor roulette, or the 80-page PDF nobody actions. It usually costs less too, because the scope is right the first time.

Regulatory relevance

  • Essential Eight: Maturity Level 2 requirements for DISP members
  • SOCI Act: CIRMP and supplier risk obligations
  • APRA: CPS 234 and CPS 230
  • Procurement: ISO 27001 certification and SOC 2 attestation requirements
  • CMMC: US DoD supply chain participation

Straight answers.

Will you just tell us we need to buy things?

No. Vendor-neutral means the recommendation is whatever fixes the risk: sometimes configuration, sometimes process, occasionally a product we don’t sell.

Can you issue our SOC 2 report or ISO certificate?

No, and nobody like us can. SOC 2 reports come from CPA firms; ISO certificates from accredited bodies. We get you ready, coordinate the audit, and stand behind the preparation.

How disruptive is fieldwork?

Designed around your operations. Most uplift happens alongside your team, which is deliberate: they keep the knowledge when we leave.

Be measurably harder to breach by the time the report lands.