Overview

The AESCSF v2 Site Assessment Tool gives energy sector security teams a structured, evidence-backed way to evaluate their cybersecurity maturity — at the individual site level and across the entire site portfolio. Whether you are preparing for an AEMO submission, a Board briefing, a SOCI Act CIRMP attestation, or your own internal gap analysis, the tool does the heavy lifting: scoring, gap identification, risk prioritisation, evidence management, and report generation — entirely within your browser, with no data leaving your environment unless you explicitly enable an AI feature.

The assessment covers 161 practices and 42 anti-patterns across the 11 AESCSF v2 domains, with Security Profile targeting that auto-filters to the right MIL targets for your profile. Multi-site portfolio mode aggregates assessments across every site you operate, surfacing cross-portfolio patterns no single-site view can show. Period tracking and year-over-year comparison turn point-in-time scoring into a defensible trajectory of improvement: the kind of evidence regulators ask for after an incident under the SOCI Act.

Security Profile Targeting

Select SP1, SP2, or SP3 per site and the tool filters to the right practices automatically — with target MIL levels set for your profile and live SP-target achievement scoring as you progress.

Multi-Site Portfolio Mode

Every site you operate, scored consistently, rolled up into a single portfolio view — with cross-site heatmaps, common gap analysis, common evidence weaknesses, and AI-narrated portfolio executive summary.

Secure by Design

Runs entirely in your browser. No SaaS dependency, no account required, air-gap compatible. Optional AI features connect only when you choose to enable them, using your own API key, and can be switched off for the whole tool from Settings in regulated environments.

What AESCSF v2 Asks You to Do — and How the Tool Handles It

AEMO's AESCSF v2 is a comprehensive cyber security maturity model: 11 domains grouped into logical capability areas, each domain composed of objectives that contain practices, with practices scored at Maturity Indicator Levels (MIL) 0 through 3. Three Security Profiles (SP1, SP2, SP3) bundle target MIL expectations across the framework — and an additional layer of 42 anti-patterns identifies practices that undermine effective cyber capability even when other controls are in place.

The tool integrates every element of the v2 framework — including the anti-patterns, the SP-target logic, and the MIL scoring rubric — so the question is never "did we score this correctly?" but rather "what does the evidence support?".
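As an added example (illustrative Python, not the tool's own code), the following models the cumulative MIL rule and the Security Profile target check that sits on top of it. It assumes that only a "Strong" answer satisfies a practice, that N/A practices are excluded, and that a domain reaches MIL n only when every applicable practice at MIL 1 to n is met (the convention of the C2M2 family AESCSF is derived from); the practice identifiers and per-domain target MILs are illustrative, not the official AESCSF tables.

```python
"""Cumulative MIL achievement and Security Profile target scoring.

Added example, not the tool's own code. Assumptions: a practice counts as met
only when answered "Strong"; "N/A" practices are excluded; a domain achieves
MIL n only when every applicable practice at MIL 1..n is met; practice ids and
the SP2_TARGETS table below are illustrative.
"""
from dataclasses import dataclass

MET = {"Strong"}          # assumption: only "Strong" satisfies a practice


@dataclass(frozen=True)
class Practice:
    pid: str
    domain: str
    mil: int              # the MIL this practice belongs to (1-3)
    answer: str           # "None" | "Partial" | "Strong" | "N/A"


def applicable(practices, domain, level=None):
    """Practices in the domain that are actually assessable (N/A excluded)."""
    return [p for p in practices
            if p.domain == domain and p.answer != "N/A"
            and (level is None or p.mil == level)]


def domain_mil(practices, domain):
    """Highest MIL at which all applicable practices at that level and below are met."""
    if not applicable(practices, domain):
        return 0                      # nothing assessable: no maturity is claimed
    achieved = 0
    for level in (1, 2, 3):
        if all(p.answer in MET for p in applicable(practices, domain, level)):
            achieved = level          # a level whose practices are all N/A is vacuously met
        else:
            break                     # cumulative: a gap at MIL n caps the domain below n
    return achieved


def sp_target_report(practices, targets):
    """targets maps domain -> target MIL for the chosen Security Profile."""
    report = {}
    for domain, target in targets.items():
        achieved = domain_mil(practices, domain)
        blocking = sorted(p.pid for p in applicable(practices, domain)
                          if p.mil <= target and p.answer not in MET)
        report[domain] = {"target": target, "achieved": achieved,
                          "met": achieved >= target, "blocking": blocking}
    return report


def build_sample():
    """Constructed sample answers for one site (illustrative ids, not AESCSF ids)."""
    return [
        Practice("ACCESS-1", "ACCESS", 1, "Strong"),
        Practice("ACCESS-2", "ACCESS", 1, "Strong"),
        Practice("ACCESS-3", "ACCESS", 2, "Strong"),
        Practice("ACCESS-4", "ACCESS", 2, "Partial"),   # the single gap that caps the domain
        Practice("ACCESS-5", "ACCESS", 3, "Strong"),
        Practice("RISK-1", "RISK", 1, "Strong"),
        Practice("RISK-2", "RISK", 2, "N/A"),
        Practice("RISK-3", "RISK", 3, "Strong"),
    ]


SP2_TARGETS = {"ACCESS": 2, "RISK": 2}     # illustrative, not the official SP-2 table

if __name__ == "__main__":
    for domain, row in sp_target_report(build_sample(), SP2_TARGETS).items():
        print(domain, row)
```

The sample shows the point assessors most often miss: one Partial at MIL 2 holds the ACCESS domain at MIL 1 even though its MIL 3 practice is met, and the blocking list is what the gap register should lead with.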

Assessment Domains

All 11 AESCSF v2 domains, grouped in the tool into three functional categories:

Governance & Strategy

  • Risk Management
  • Supply Chain & External Dependencies
  • Workforce Management
  • Cybersecurity Program Management

Protection & Defence

  • Asset, Change & Configuration Management
  • Identity & Access Management
  • Threat & Vulnerability Management
  • Cybersecurity Architecture

Detection & Response

  • Situational Awareness
  • Information Sharing & Communications
  • Event & Incident Response, Continuity of Operations

Anti-Pattern Assessment — Beyond Self-Scoring

One of the most distinctive features of AESCSF v2 is the explicit assessment of anti-patterns: practices or conditions that actively undermine cybersecurity capability, even when other controls appear adequate. The tool integrates the full set of 42 anti-patterns from the official AESCSF v2 Core (AEMO/CSIWG), distributed across nine of the eleven domains. They are concentrated most heavily in Identity & Access Management (11) and Situational Awareness (11), with the remainder spread across domains including Asset, Architecture, Response, Risk, Threat and Workforce.

Anti-patterns are scored as binary (present or not present) and feed a separate Anti-Pattern Assessment view that surfaces the conditions most likely to undermine your overall maturity. This is what separates a real AESCSF assessment from a tick-box exercise.

Multi-Site Portfolio Mode

Most energy responsible entities operate multiple sites — generation, substations, control centres, gas pipelines, market operations — each with its own scope and risk profile. The Site Registry holds every site in your portfolio, each with its own SP target, classification, and assessment status — all visible on a single dashboard. The portfolio-level views go well beyond simple aggregation:

  • Site × Domain Heatmap — A colour-coded cross-portfolio matrix showing every site against the 11 AESCSF domains, with average maturity by domain across sites, sortable to surface the weakest domains across the portfolio.
  • Maturity by Site Type — Compare maturity across site types (generation, transmission, control centre, etc.) to see whether systemic weaknesses cluster by operational context.
  • Common Gaps Across the Portfolio — Practices where multiple sites are non-compliant, with the explicit list of affected sites. Fix one root cause at the policy or platform level, clear many site-level gaps at once.
  • Common Evidence Weaknesses — Patterns where evidence quality is consistently weak across sites, pointing at systemic documentation deficiencies worth addressing centrally — plus reference examples of sites with strong evidence for the same practice.
  • Common Low-Maturity Practices — The practices that consistently score below their SP target across sites — the structural patterns worth a portfolio-wide programme rather than per-site remediation.
  • Portfolio Overview Dashboard — Tile metrics across the top show total sites, average maturity, SP target achievement, and outstanding actions. Programme managers see exactly where to push next.

Evidence Workflow & Reviewer Overrides

Each practice presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the practice.

An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed MIL where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested MIL levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.

Period Tracking, Baselines & Year-over-Year Comparison

Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:

  • Maturity Snapshot & Baseline — Save a point-in-time baseline; capture manual overrides where appropriate; replace, clear or revert baselines as the programme evolves.
  • Period Closure — Formally close an assessment period and archive it, freezing the state for audit and historical comparison.
  • Year-over-Year Comparison — Improvements, regressions, evidence added or removed, reviewer-decision changes, security profile movement — all surfaced as a structured change report between any two assessment periods.
  • Multi-Period Trend Comparison — Load three or more historical periods to visualise compliance trajectory by domain and site across time.
  • Per-Site Maturity Trends — Each site's maturity trajectory over multiple closed periods, plus a portfolio-average trend line — the trajectory of improvement that regulators will examine post-incident.

For SOCI Act responsible entities preparing for the proposed SP-2 uplift by 30 June 2028, this is the evidence trail that demonstrates credible intent — quarter by quarter, not just at year end.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer.

Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel on a multi-site portfolio via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Per-site file locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and the conflict detector flags the "conflicted copy" files a sync provider creates when two people save the same file, so you resolve them immediately rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.

Evidence storage is resilient by design: content-derived filenames (the on-disk name is derived from the file's bytes, so evidence titles never appear in the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.
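An added example of the storage pattern just described, covering both the conflict detection in Shared Folder Mode and the content-derived evidence store (illustrative Python, not the tool's implementation): attachments are written under the SHA-256 of their bytes, titles live only in a register, and a read-only health check re-hashes every blob and scans for sync-provider conflict files. The register layout, the caps and the conflict-name patterns are this example's own assumptions; the demo relies on the Dropbox-style "conflicted copy" name.

```python
"""Evidence store with content-derived filenames and a read-only health check.

Added example, not the tool's own code. Assumptions: the register format, the
caps, and the conflicted-copy name patterns below are this example's own.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Name patterns sync providers use for conflicting edits (assumption: a
# representative sample, not an exhaustive list for every provider).
CONFLICT_PATTERNS = [
    re.compile(r"\(.*conflicted copy.*\)", re.IGNORECASE),   # Dropbox style
    re.compile(r"conflictedcopy", re.IGNORECASE),            # OneDrive/SharePoint style
]


def is_conflicted_copy(name):
    return any(p.search(name) for p in CONFLICT_PATTERNS)


class EvidenceStore:
    def __init__(self, root, max_file_bytes=10 * 1024 * 1024, max_per_practice=10):
        self.root = Path(root)
        self.blobs = self.root / "blobs"
        self.blobs.mkdir(parents=True, exist_ok=True)
        # The register is the one file that holds titles: encrypt this at rest.
        self.register_path = self.root / "register.json"
        self.max_file_bytes = max_file_bytes
        self.max_per_practice = max_per_practice
        self.register = (json.loads(self.register_path.read_text())
                         if self.register_path.exists() else {})

    def attach(self, site, practice, title, data):
        """Store bytes under their digest; record the human title only in the register."""
        if len(data) > self.max_file_bytes:
            raise ValueError(f"{title}: exceeds per-file cap")
        key = f"{site}/{practice}"
        if len(self.register.get(key, [])) >= self.max_per_practice:
            raise ValueError(f"{key}: per-practice cap reached")
        digest = hashlib.sha256(data).hexdigest()
        blob = self.blobs / digest
        if not blob.exists():             # identical content attached twice is stored once
            blob.write_bytes(data)
        self.register.setdefault(key, []).append(
            {"sha256": digest, "title": title, "size": len(data)})
        self.register_path.write_text(json.dumps(self.register, indent=2))
        return digest

    def health_check(self):
        """Read-only audit: missing or altered blobs, and sync-provider conflict files."""
        findings = []
        for key, entries in self.register.items():
            for e in entries:
                blob = self.blobs / e["sha256"]
                if not blob.exists():
                    findings.append(("missing", key, e["title"]))
                elif hashlib.sha256(blob.read_bytes()).hexdigest() != e["sha256"]:
                    findings.append(("altered", key, e["title"]))
        for path in self.root.rglob("*"):
            if path.is_file() and is_conflicted_copy(path.name):
                findings.append(("conflicted-copy", str(path.relative_to(self.root)), ""))
        return sorted(findings)


def demo():
    """Constructed scenario: two attachments, one altered behind the tool's back, one conflict file."""
    store = EvidenceStore(tempfile.mkdtemp())
    d1 = store.attach("SITE-01", "ACCESS-1", "Remote access policy v3.pdf", b"%PDF-1.4 policy text")
    store.attach("SITE-01", "ACCESS-1", "MFA rollout plan.docx", b"PK rollout plan bytes")
    (store.blobs / d1).write_bytes(b"%PDF-1.4 policy text (edited outside the tool)")
    (store.root / "register (Alice's conflicted copy 2026-03-02).json").write_text("{}")
    listing = sorted(p.name for p in store.blobs.iterdir())     # what a folder browser shows
    return store.health_check(), listing


if __name__ == "__main__":
    findings, listing = demo()
    print("folder listing:", listing)
    for f in findings:
        print("finding:", f)
```

The same digest does two jobs: it is the opaque filename that keeps titles out of the folder listing, and it is the integrity check that catches a blob edited outside the tool, which is exactly the class of problem a sync conflict tends to produce.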

Who It's For

  • Electricity generators, network operators, and gas pipeline operators
  • Energy market participants with AEMO reporting obligations
  • SOCI Act responsible entities in the energy sector preparing for the proposed SP-2 uplift
  • Multi-site operators needing portfolio-wide AESCSF visibility
  • Security teams managing IT/OT convergence in energy environments
  • Audit and assurance teams evidencing maturity to AEMO, the AER, or the board

What You Receive

Comprehensive site-level and portfolio-level AESCSF outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.

AI-Enhanced Site Word Report

Per-site narrative deliverable — domain maturity, SP-target achievement, gap register, anti-pattern findings, evidence register, and prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-domain narratives. AEMO-ready.

Multi-Worksheet Excel Workbook

The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix, anti-pattern findings, N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.

Portfolio Word & Excel Reports

Cross-site executive summary, site × domain heatmap, common gaps register, common evidence weaknesses, common low-maturity practices, and portfolio-wide recommendations — generated automatically from per-site data.

Site × Domain Heatmap

Cross-portfolio matrix of sites against all 11 AESCSF domains, colour-coded by maturity score, sortable to surface the weakest domains and the weakest sites. Reveals patterns no per-site view can show.

Security Profile Matrix & Movement

At-a-glance SP1/SP2/SP3 achievement per site, with Security Profile Movement view tracking which sites have moved up or down between assessment periods.

Anti-Pattern Assessment

42 binary anti-pattern practices that undermine cyber capability — assessed alongside the 161 MIL-scored practices to surface the structural weaknesses traditional self-assessment misses.

Evidence Package (ZIP)

Every attached evidence file organised by site and practice, with an Excel register cataloguing each file with metadata. Ships in one click when a regulator, auditor or AEMO asks for substantiation.

Year-over-Year Comparison

Domain-by-domain change reports between any two periods — improvements, regressions, evidence added/removed, reviewer-decision changes, and Security Profile movement. AI-narrated when enabled.

Multi-Period Trend Comparison

Load three or more historical periods to visualise compliance trajectory across time, with per-site and per-domain trends. The trajectory regulators examine post-incident.

Reviewer Override Audit Trail

Independent reviewer can override self-assessed and AI-suggested MIL levels with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.

Audit Log & Version History

Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention.

Shared Folder Collaboration

Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with per-site locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.

AI woven through every stage

AI assistance that earns its place.

Twelve AI capabilities — entirely optional, opt-in via your own Anthropic API key — accelerate every phase of AESCSF assessment work, from understanding a practice to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the per-cycle effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates.

Phase 1: During the assessment · Phase 2: During review · Phase 3: Before & in the deliverables · Phase 4: Across periods

Phase 1

AI Advisor Chat

Connected Claude assistant that explains any AESCSF practice, anti-pattern, or MIL criterion in plain English — with conversational follow-up. Site name, SP target, your scores and notes are passed as context, so answers are tied to your actual posture, not generic CRA boilerplate.

Phase 1

Draft With AI

Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the practice answer. The slow, low-energy step that usually gets skipped now takes seconds.

Phase 1

Context-Aware Suggested Prompts

One-tap prompt chips built into the AI Advisor — "Biggest gaps?", "Uplift plan", "Evidence to gather", "Board summary" — each pre-wired to your actual assessment data and SP target. The fastest way to get useful AI output without crafting prompts.

Phase 2

AI Evidence Review with MIL Suggestion

Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the AESCSF practice requirements, with a suggested MIL level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass. Because this sends the evidence content to the API provider, a sensitive-data warning is shown before anything is submitted; confirm the evidence is cleared for that before using it on OT documentation.

Phase 2

AI Deep Review

A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific MIL criteria. For the practices where "looks about right" isn't good enough.

Phase 2

AI Remediation Drafting

For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts MIL. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire site or portfolio assessment before export — surfaces empty notes on Strong answers, missing evidence on key practices, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.
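To make the audit trail and the pre-export checks concrete, here is an added Python example (not the tool's code) that covers both the reviewer override workflow described under Evidence Workflow & Reviewer Overrides and the diagnostic scan above. The field names, the "key practice" flag and the reading of a "reviewer/confidence inconsistency" as a high-confidence AI suggestion that disagrees with the final MIL are this example's assumptions; the AI suggestion itself is just a stored value here, no model is called.

```python
"""Append-only audit trail, reviewer override precedence, and a pre-export review.

Added example, not the tool's own code. Assumptions: the record fields, the
key_practice flag, and the interpretation of "reviewer/confidence inconsistency"
are this example's own; the AI suggestion is a stored value, nothing is called.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import json


@dataclass
class PracticeRecord:
    pid: str
    answer: str                      # "None" | "Partial" | "Strong" | "N/A"
    self_mil: int                    # MIL claimed by the self-assessment
    note: str = ""
    evidence: list = field(default_factory=list)   # evidence titles
    key_practice: bool = False
    ai_mil: Optional[int] = None
    ai_confidence: Optional[str] = None            # "low" | "medium" | "high"
    reviewer_mil: Optional[int] = None
    reviewer_justification: str = ""


class AuditLog:
    """Append-only and chronological: entries are never edited or deleted."""

    def __init__(self):
        self._entries = []

    def record(self, actor, pid, field_name, old, new):
        self._entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "pid": pid, "field": field_name, "old": old, "new": new,
        })

    def entries(self):
        return list(self._entries)

    def to_json(self):
        return json.dumps(self._entries, indent=2)


def reviewer_override(rec, log, actor, mil, justification):
    """Record the override beside the self-assessment; the original answer is kept."""
    log.record(actor, rec.pid, "reviewer_mil", rec.reviewer_mil, mil)
    log.record(actor, rec.pid, "reviewer_justification", rec.reviewer_justification, justification)
    rec.reviewer_mil = mil
    rec.reviewer_justification = justification


def effective_mil(rec):
    """Reviewer conclusion outranks the self-assessment; the AI suggestion never decides."""
    return rec.reviewer_mil if rec.reviewer_mil is not None else rec.self_mil


def pre_export_review(records):
    """Diagnostic pass: returns findings and changes no answers."""
    findings = []
    for r in records:
        if r.answer == "Strong" and not r.note.strip():
            findings.append((r.pid, "empty note on Strong answer"))
        if r.answer == "N/A" and not r.note.strip():
            findings.append((r.pid, "N/A without justification"))
        if r.key_practice and not r.evidence:
            findings.append((r.pid, "missing evidence on key practice"))
        if r.reviewer_mil is not None and not r.reviewer_justification.strip():
            findings.append((r.pid, "reviewer override without justification"))
        if r.ai_confidence == "high" and r.ai_mil is not None and r.ai_mil != effective_mil(r):
            findings.append((r.pid, "high-confidence AI suggestion disagrees with the final MIL"))
    return findings


def build_sample():
    """Constructed records for one site; ids are illustrative, not AESCSF ids."""
    log = AuditLog()
    records = [
        PracticeRecord("ACCESS-1a", "Strong", 2, note="MFA enforced on all remote OT access.",
                       evidence=["Remote access policy v3.pdf"], key_practice=True,
                       ai_mil=2, ai_confidence="high"),
        PracticeRecord("ACCESS-2b", "Strong", 2, evidence=["screenshot.png"]),          # no note
        PracticeRecord("RISK-1c", "Partial", 1, note="Register exists but is not reviewed.",
                       key_practice=True, ai_mil=0, ai_confidence="high"),             # no evidence
        PracticeRecord("THREAT-3a", "N/A", 0),                                         # no justification
    ]
    reviewer_override(records[2], log, "reviewer@example", 0,
                      "Register last updated 2021; no evidence of review.")
    reviewer_override(records[1], log, "reviewer@example", 1, "")   # override without justification
    return records, log


if __name__ == "__main__":
    recs, audit = build_sample()
    for finding in pre_export_review(recs):
        print(finding)
    print(audit.to_json())
```

Two properties matter for the audit trail: the self-assessed MIL is never overwritten (only `effective_mil` applies the precedence), and the log records old and new values for every override, so the exported JSON reconstructs the sequence of decisions rather than just the final state.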

Phase 3 · In the Word report

AI Site Executive Summary

The site Word report opens with an AI-generated executive summary written from your actual assessment data — SP-target achievement, headline gaps, anti-pattern findings, and recommended priorities for this site. The site owner's board narrative, pre-drafted.

Phase 3 · In the Word report

AI Portfolio Executive Summary

A different summary — written from the cross-site view. Portfolio average maturity, weakest domains across the portfolio, common gaps with the highest leverage, systemic evidence weaknesses, and the cross-site investment case. The CISO or programme director's narrative, drafted.

Phase 3 · In the Word report

AI Domain Narratives

Board-ready prose inside the Word report — for each of the 11 AESCSF domains, an AI-written narrative explaining what the domain covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.

Phase 4

AI Period Comparison Narrative

When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The "are we on track for SP-2?" question, answered in prose.

Phase 4

AI Common-Gap Remediation Plan

For each Common Evidence Weakness or Common Low-Maturity Practice across the portfolio, AI drafts a cross-site systemic remediation plan — the leverage point that turns dozens of site-level findings into a single funded programme.

Bring your own API key · Pay only for what you use

All twelve AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory: never saved to disk, never sent to CyberAssure. Typical usage is a few dollars per full assessment cycle. AI can be switched off for the whole tool via Settings for regulated environments, and a sensitive-data warning is shown before evidence is submitted for AI review.

Regulatory Context

SOCI Act: AESCSF SP-2 proposed by 30 June 2028

The Exposure Draft of enhanced CIRMP Rules under the SOCI Act proposes that designated high-risk responsible entities in the energy sector achieve AESCSF Security Profile 2 maturity across all 11 domains by 30 June 2028. Most responsible entities sit at SP-1 today. The tool's portfolio mode, period tracking, and AI-enhanced reporting were built precisely for the SP-1-to-SP-2 transition workload.

Read: Why 25 months is not as much time as it sounds →

Ready to Assess Your AESCSF Maturity?

Get in touch to discuss access to the AESCSF v2 Assessment Tool.

Contact for Pricing

Often Used Alongside

Organisations frequently combine this assessment with complementary frameworks to address multiple governance requirements.

Critical Infrastructure

ECSO Readiness Assessment

For energy entities designated as Systems of National Significance under SOCI Act Part 2C.


Third-Party Risk

Supply Chain Security Assessment

Extend supply chain domain coverage with comprehensive vendor and third-party assessment.
Have questions about how our assessments work?

Read the Enterprise Assessment FAQ →