Cyber Security Assessments
Know where you stand.
Fix what matters first.
Downloadable assessment tools that run entirely on your device — answer guided questions and get your gaps ranked by risk, with board-ready Word and Excel reports. No consultants, no data sent anywhere, no subscriptions.
Run locally · results in minutes · no sales call required
| Profile / Domain | Overall | Risk | Asset & Change | Identity | Threat & Vuln | Situ. | Incident | Third Parties | Workforce | Program | Arch. | Privacy | Anti‑Pat |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Overall | 65% | 78% | 50% | 64% | 53% | 53% | 57% | 81% | 61% | 71% | 71% | 82% | 86% |
| Security Profile 1 | 76% | 100% | 58% | 71% | 80% | 50% | 65% | 100% | 90% | 100% | 80% | 100% | 86% |
| Security Profile 2 | 65% | 78% | 50% | 64% | 53% | 53% | 57% | 81% | 61% | 71% | 71% | 82% | 86% |
| Security Profile 3 | — | — | — | — | — | — | — | — | — | — | — | — | 86% |
Cyber attacks are common — and the fallout is expensive.
The numbers Australian businesses are up against right now:
small businesses that suffer a cyber attack close or go bankrupt
maximum penalty under the Australian Privacy Act for serious breaches
average cost of a cybercrime incident for an Australian small business
average cost of a data breach for an Australian organisation
Sources: ASD Annual Cyber Threat Report 2024–25; IBM Cost of a Data Breach Report 2024; Privacy Act 1988 (Cth); Mastercard SMB survey 2025.
Two audiences, one clear answer.
Whether you're proving security maturity to the board or protecting a small business, there's a version built for exactly what you need.
Enterprise
Framework-aligned maturity and compliance assessments for CISOs, GRC leaders, and security teams — across every major Australian, EU, and global regime.
- Prioritised gap analysis—see every weakness ranked by risk
- Clear remediation actions—know exactly what to fix and why
- Answer the board's "how secure are we?" with data
- Audit-ready evidence without the consultant bill
- Track maturity improvements quarter over quarter
Small Business
Practical health checks for business owners. No jargon, no IT expertise needed. Industry-specific versions for accounting, legal, healthcare, and more.
- Prioritised action plan—gaps ranked by risk level
- Plain-English recommendations—fix gaps yourself or hand to IT
- Find out if you're protected—or just hoping you are
- Answer supplier and insurer security questions
- Complete in 60 minutes—no IT expertise needed
From download to board-ready in three steps.
No installs, no accounts, nothing to set up.
Get the tool
Choose your framework and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.
Assess locally
Answer guided questions and attach evidence, all on your own device. Optional AI runs on your own API key — data never leaves your environment.
Export your reports
Generate Word and Excel reports, a prioritised gap register and the maturity dashboard in one click — ready for the board or the auditor.
Optional AI that earns its place.
Optional AI features speed up the work — explaining requirements, reviewing your evidence, and drafting the board-ready summary inside the Word report. Every assessment works fully without AI. It runs on your own Anthropic key, and nothing is sent to CyberAssure.
Built for the frameworks you actually face.
Each assessment is purpose-built for its source framework — not a generic checklist. Pick the regime you need to demonstrate against.
AESCSF v2 Maturity Assessment
161 practices and 42 anti-patterns across 9 of the 11 AESCSF domains, SP1/SP2/SP3 targeting, multi-site portfolio mode, AEMO-ready output.
Explore AESCSF v2 → EU Product SecurityEU Cyber Resilience Act
For organisations selling or exporting digital products to Europe — two complementary assessments covering organisational readiness and per-product conformity.
Explore the CRA Suite → APRA FinancialAPRA CPS 234 Assessment
Nine obligation areas, the six common gaps from APRA's tripartite programme, multi-entity group mode, FAR Accountable Person mapping.
Explore CPS 234 → Hong Kong CIOPCICSO Assessment
Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance — three obligation categories across the eight designated sectors.
Explore PCICSO → ACSC BaselineEssential Eight Assessment
All eight mitigation strategies and Maturity Levels 1–3 — application control, patching, MFA, backups, admin privileges, and more.
Explore Essential Eight → EU FinancialDORA Readiness Assessment
EU Digital Operational Resilience Act — five pillars covering ICT risk, incident reporting, resilience testing, third-party risk, and information sharing.
Explore DORA → Global StandardNIST CSF 2.0 Assessment
All six NIST CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover — with tier-aligned scoring and maturity tracking over time.
Explore NIST CSF 2.0 → Global StandardISO/IEC 27001:2022 Assessment
Annex A control assessment plus ISMS clauses 4–10 — pre-certification gap analysis or annual surveillance audit preparation.
Explore ISO 27001 → Global StandardThird-Party & Supply Chain Assessment
Vendor and supply chain cyber risk across the full lifecycle — due diligence, onboarding, monitoring, and offboarding.
Explore Third-Party Risk →Regulation has caught up
Non-compliance now carries real penalties
From Australian critical infrastructure to EU digital products and Hong Kong's new regime, regulators have moved from guidance to enforceable fines. Better to find your gaps than have a regulator find them first.
civil penalty under Australia's SOCI Act for critical-infrastructure operators
or 2.5% of global turnover — EU Cyber Resilience Act penalties for non-compliant products
of global annual turnover — DORA penalties on financial entities for serious breaches
plus daily fines — Hong Kong's Critical Infrastructure (Computer Systems) Ordinance
Sources: Security of Critical Infrastructure Act 2018 (Cth); EU Cyber Resilience Act (Reg. 2024/2847); Digital Operational Resilience Act (Reg. 2022/2554); Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653, Hong Kong).
Compliance, explained.
Practical explainers on the regulations that matter to Australian businesses right now.
Do CyberAssure assessments use AI?
AI is built in but entirely optional — every assessment works fully without it. When enabled, twelve AI features speed up the workflow, like an AI Advisor that explains framework requirements, evidence review with confidence-rated suggestions, and an executive summary drafted into the Word report. AI uses your own Anthropic API key, stored only in your browser’s session memory and never sent to CyberAssure.
Does my assessment data leave my device?
No. Assessments run entirely in your web browser. Your answers and evidence are saved locally on your own device and are never transmitted to CyberAssure or anywhere else. We literally cannot see your assessment data — there is no cloud database, no telemetry, no account required. When optional AI features are enabled, requests go directly from your browser to Anthropic using your own API key, with no CyberAssure server in the middle.
Which frameworks does CyberAssure cover?
CyberAssure covers Australian frameworks (AESCSF v2, APRA CPS 234, ACSC Essential Eight, SOCI Act Part 2C Enhanced CIRMP), Asia-Pacific frameworks (Hong Kong PCICSO), European frameworks (EU Cyber Resilience Act, DORA, GDPR), and global frameworks (NIST Cybersecurity Framework 2.0, ISO/IEC 27001:2022, SOC 2, PCI DSS, Third-Party and Supply Chain Security). Industry-specific small business health checks are also available across ten sectors.
Can I use the assessments across multiple sites or entities?
Yes. Multi-site and multi-entity portfolio mode is built into the AESCSF (multi-site), APRA CPS 234 (multi-entity group), and Hong Kong PCICSO (multi-CCS portfolio) assessments. Every site or entity is scored consistently and rolled up into a single group view, with cross-portfolio heatmaps, common gap analysis, and group-level executive summaries.
Are CyberAssure assessments a substitute for formal audit or certification?
No. These are self-assessment tools designed to help organisations understand their current maturity, identify gaps, and prepare for formal certification, audit, or supervisory engagement. They support independent assurance engagements (such as ASAE 3000 and ASAE 3402 for APRA CPS 234) by producing the structured evidence trail an independent assessor needs, but the formal assurance opinion is still issued by the independent party.
Start your assessment today
Download, run locally, get results. No sales calls, no waiting, no data shared.
