Cyber Security Assessments

Know where you stand.
Fix what matters first.

Downloadable assessment tools that run entirely on your device — answer guided questions and get your gaps ranked by risk, with board-ready Word and Excel reports. No consultants, no data sent anywhere, no subscriptions.

Run locally · results in minutes · no sales call required

100% local execution No data leaves your device Optional AI — your own key 12+ frameworks covered Built in Australia

Cyber attacks are common — and the fallout is expensive.

The numbers Australian businesses are up against right now:

1 in 5

small businesses that suffer a cyber attack close or go bankrupt

$50M

maximum penalty under the Australian Privacy Act for serious breaches

$56,600

average cost of a cybercrime incident for an Australian small business

$4.26M

average cost of a data breach for an Australian organisation

Sources: ASD Annual Cyber Threat Report 2024–25; IBM Cost of a Data Breach Report 2024; Privacy Act 1988 (Cth); Mastercard SMB survey 2025.

Two audiences, one clear answer.

Whether you're proving security maturity to the board or protecting a small business, there's a version built for exactly what you need.

Enterprise

Framework-aligned maturity and compliance assessments for CISOs, GRC leaders, and security teams — across every major Australian, EU, and global regime.

  • Prioritised gap analysis—see every weakness ranked by risk
  • Clear remediation actions—know exactly what to fix and why
  • Answer the board's "how secure are we?" with data
  • Audit-ready evidence without the consultant bill
  • Track maturity improvements quarter over quarter
View Enterprise Assessments

Small Business

Practical health checks for business owners. No jargon, no IT expertise needed. Industry-specific versions for accounting, legal, healthcare, and more.

  • Prioritised action plan—gaps ranked by risk level
  • Plain-English recommendations—fix gaps yourself or hand to IT
  • Find out if you're protected—or just hoping you are
  • Answer supplier and insurer security questions
  • Complete in 60 minutes—no IT expertise needed
View Small Business Health Checks

From download to board-ready in three steps.

No installs, no accounts, nothing to set up.

1

Get the tool

Choose your framework and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.

2

Assess locally

Answer guided questions and attach evidence, all on your own device. Optional AI runs on your own API key — data never leaves your environment.

3

Export your reports

Generate Word and Excel reports, a prioritised gap register and the maturity dashboard in one click — ready for the board or the auditor.

AI assistance · optional · private

Optional AI that earns its place.

Optional AI features speed up the work — explaining requirements, reviewing your evidence, and drafting the board-ready summary inside the Word report. Every assessment works fully without AI. It runs on your own Anthropic key, and nothing is sent to CyberAssure.

AI Advisor & Drafting AI Evidence Review AI Executive Summary AI Period Comparison
See how AI fits into an assessment

Built for the frameworks you actually face.

Each assessment is purpose-built for its source framework — not a generic checklist. Pick the regime you need to demonstrate against.

Energy Sector

AESCSF v2 Maturity Assessment

161 practices and 42 anti-patterns across 9 of the 11 AESCSF domains, SP1/SP2/SP3 targeting, multi-site portfolio mode, AEMO-ready output.

Explore AESCSF v2 →
EU Product Security

EU Cyber Resilience Act

For organisations selling or exporting digital products to Europe — two complementary assessments covering organisational readiness and per-product conformity.

Explore the CRA Suite →
APRA Financial

APRA CPS 234 Assessment

Nine obligation areas, the six common gaps from APRA's tripartite programme, multi-entity group mode, FAR Accountable Person mapping.

Explore CPS 234 →
Hong Kong CIO

PCICSO Assessment

Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance — three obligation categories across the eight designated sectors.

Explore PCICSO →
ACSC Baseline

Essential Eight Assessment

All eight mitigation strategies and Maturity Levels 1–3 — application control, patching, MFA, backups, admin privileges, and more.

Explore Essential Eight →
EU Financial

DORA Readiness Assessment

EU Digital Operational Resilience Act — five pillars covering ICT risk, incident reporting, resilience testing, third-party risk, and information sharing.

Explore DORA →
Global Standard

NIST CSF 2.0 Assessment

All six NIST CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover — with tier-aligned scoring and maturity tracking over time.

Explore NIST CSF 2.0 →
Global Standard

ISO/IEC 27001:2022 Assessment

Annex A control assessment plus ISMS clauses 4–10 — pre-certification gap analysis or annual surveillance audit preparation.

Explore ISO 27001 →
Global Standard

Third-Party & Supply Chain Assessment

Vendor and supply chain cyber risk across the full lifecycle — due diligence, onboarding, monitoring, and offboarding.

Explore Third-Party Risk →
View all enterprise assessments

Regulation has caught up

Non-compliance now carries real penalties

From Australian critical infrastructure to EU digital products and Hong Kong's new regime, regulators have moved from guidance to enforceable fines. Better to find your gaps than have a regulator find them first.

Sources: Security of Critical Infrastructure Act 2018 (Cth); EU Cyber Resilience Act (Reg. 2024/2847); Digital Operational Resilience Act (Reg. 2022/2554); Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653, Hong Kong).

Do CyberAssure assessments use AI?

AI is built in but entirely optional — every assessment works fully without it. When enabled, twelve AI features speed up the workflow, like an AI Advisor that explains framework requirements, evidence review with confidence-rated suggestions, and an executive summary drafted into the Word report. AI uses your own Anthropic API key, stored only in your browser’s session memory and never sent to CyberAssure.

Does my assessment data leave my device?

No. Assessments run entirely in your web browser. Your answers and evidence are saved locally on your own device and are never transmitted to CyberAssure or anywhere else. We literally cannot see your assessment data — there is no cloud database, no telemetry, no account required. When optional AI features are enabled, requests go directly from your browser to Anthropic using your own API key, with no CyberAssure server in the middle.

Which frameworks does CyberAssure cover?

CyberAssure covers Australian frameworks (AESCSF v2, APRA CPS 234, ACSC Essential Eight, SOCI Act Part 2C Enhanced CIRMP), Asia-Pacific frameworks (Hong Kong PCICSO), European frameworks (EU Cyber Resilience Act, DORA, GDPR), and global frameworks (NIST Cybersecurity Framework 2.0, ISO/IEC 27001:2022, SOC 2, PCI DSS, Third-Party and Supply Chain Security). Industry-specific small business health checks are also available across ten sectors.

Can I use the assessments across multiple sites or entities?

Yes. Multi-site and multi-entity portfolio mode is built into the AESCSF (multi-site), APRA CPS 234 (multi-entity group), and Hong Kong PCICSO (multi-CCS portfolio) assessments. Every site or entity is scored consistently and rolled up into a single group view, with cross-portfolio heatmaps, common gap analysis, and group-level executive summaries.

Are CyberAssure assessments a substitute for formal audit or certification?

No. These are self-assessment tools designed to help organisations understand their current maturity, identify gaps, and prepare for formal certification, audit, or supervisory engagement. They support independent assurance engagements (such as ASAE 3000 and ASAE 3402 for APRA CPS 234) by producing the structured evidence trail an independent assessor needs, but the formal assurance opinion is still issued by the independent party.

Start your assessment today

Download, run locally, get results. No sales calls, no waiting, no data shared.

Enterprise Assessments Small Business Health Checks