Our Purpose

CyberAssure exists to provide straightforward, high-quality cyber security assessment tools for organisations of all sizes—from small businesses to large enterprises.

We recognise that businesses face increasing pressure to demonstrate security maturity, meet regulatory obligations, and protect against threats that can be business-ending. Our assessments are designed to make this achievable without consultant dependency.

Created by Practitioners

Our assessments are developed by senior governance, risk, and compliance professionals with decades of combined experience across financial services, critical infrastructure, energy, healthcare, and technology sectors.

This practitioner-led approach means every assessment reflects real-world requirements: the questions auditors actually ask, the evidence regulators expect to see, and the maturity indicators that matter for board reporting. We've sat in the CISO chair, led GRC teams, and navigated complex regulatory environments—and we've built that experience into every assessment.

What We Do

We develop cybersecurity and privacy maturity assessment tools aligned to recognised frameworks and standards. Our assessments translate complex requirements into structured, practical evaluation criteria that organisations can apply consistently.

Each assessment is designed to:

  • Provide comprehensive coverage of the relevant framework
  • Enable consistent, repeatable evaluation across periods, sites, and entities
  • Produce actionable insights that support decision-making
  • Support tracking of maturity improvements over time with year-over-year comparison
  • Generate outputs suitable for management, board reporting, and regulator engagement
  • Stand up to independent assurance and post-incident review

How Our Assessments Are Built

Beyond covering the source framework, our enterprise assessments include the operating-rhythm capabilities that mature security programmes actually need:

  • 100% local execution. Assessments run entirely in your browser. No SaaS account, no cloud database, no telemetry. Your assessment data never leaves your device unless you explicitly choose to share it.
  • Multi-site and multi-entity portfolio mode. Every operating site or APRA-regulated entity is scored consistently and rolled up into a single group view, with cross-portfolio heatmaps, common gap analysis, and group-level executive summaries — built into the AESCSF, APRA CPS 234, and Hong Kong PCICSO assessments.
  • Optional AI assistance via your own API key. Twelve AI capabilities accelerate every phase of the workflow — explaining framework requirements, reviewing evidence with confidence-rated suggestions, drafting gaps and remediation actions, and generating board-ready executive summaries. AI uses your own Anthropic API key (stored only in browser session memory), can be disabled entity-wide for sensitive engagements, and is fully optional — every assessment works without it.
  • Evidence workflow with independent reviewer overrides. Drag-and-drop evidence attachment, structured reviewer observations, and the ability to override self-assessed compliance levels — the dual-control pattern that supports ASAE 3000 / ASAE 3402 independent assurance engagements and internal audit review.
  • Period closure, baselines, and year-over-year comparison. Formally close assessment periods to freeze state for audit. Compare any two periods to surface improvements, regressions, and evidence changes. Load multiple periods for multi-cycle trend visualisation — the trajectory of improvement regulators examine in supervisory engagement.
  • Audit log and version history. Every answer, note, evidence change, and reviewer override is captured chronologically and can be exported as JSON for long-term retention and supervisory disclosure.
  • Shared Folder collaboration. Multiple assessors can work in parallel via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox, with per-entity file locking, identity stamping, live change polling, and conflict detection.

Our Approach

We believe assessment tools should be clear, practical, and respectful of the professionals who use them. Our assessments avoid unnecessary complexity while providing the depth needed for meaningful evaluation.

Privacy is fundamental to our approach. Assessment tools are designed to operate entirely within your environment — no CyberAssure account, no cloud upload, no telemetry. We do not collect, process, or store assessment responses. When AI features are enabled, requests go directly from your browser to Anthropic using your own API key; CyberAssure servers are never in the loop. Your data remains under your control at every step.

Framework Coverage

Our current assessment portfolio covers widely adopted cybersecurity and privacy frameworks across Australia, Asia-Pacific, the European Union, and globally:

  • AESCSF v2 (Australian Energy Sector Cyber Security Framework)
  • APRA CPS 234 Information Security
  • ACSC Essential Eight Maturity Model
  • SOCI Act Part 2C Enhanced Cyber Security Obligations
  • PCICSO — Hong Kong Protection of Critical Infrastructures (Computer Systems) Ordinance
  • DORA — EU Digital Operational Resilience Act
  • EU Cyber Resilience Act (CRA)
  • GDPR (General Data Protection Regulation)
  • NIST Cybersecurity Framework 2.0
  • ISO/IEC 27001:2022 (Information Security Management)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • SOC 2 Trust Services Criteria
  • Third-Party and Supply Chain Security

We also provide industry-specific cyber security health checks for Australian small businesses across ten sectors: accounting, allied health, bookkeeping, childcare, financial planning, GP clinics and medical practice, legal practice, mortgage broking, NDIS providers, and real estate — plus a generic small-business health check for businesses outside these specific verticals.

We continue to develop assessments aligned to additional frameworks based on market requirements and customer needs.

Global Frameworks, Australian Roots

CyberAssure is based in Australia, with deep expertise in Australian regulatory requirements including APRA prudential standards (CPS 234, CPS 230), the Security of Critical Infrastructure Act and its enhanced CIRMP regime, the Privacy Act 1988 and Notifiable Data Breach scheme, the Cyber Security Act 2024 and ransomware reporting, and the ACSC Essential Eight.

Our assessments also cover the regimes Australian organisations increasingly need to operate under as they sell internationally or hold relationships with global service providers — DORA and the EU Cyber Resilience Act for European markets and supply chains, Hong Kong's PCICSO for Asia-Pacific critical infrastructure operations, GDPR for European personal data handling, and the globally adopted NIST CSF, ISO 27001, SOC 2, and PCI DSS standards.

Questions?

We're happy to discuss how our assessments might support your security programme.

Get in Touch