ECSO Readiness Assessment
For energy entities designated as Systems of National Significance under SOCI Act Part 2C.
Learn moreA purpose-built AESCSF v2 assessment for Australian energy responsible entities. Score every site against Security Profile 1, 2 or 3, roll up your whole portfolio, and export AEMO-ready board reports — run entirely on your own device, owned by your team.
100% local · runs on your device · no data leaves your environment
All 161 AESCSF v2 practices plus the 42 official anti-patterns, with SP1/SP2/SP3 targeting that auto-filters to the right MIL targets — not a generic checklist.
Multi-site portfolio mode rolls every generation site, substation and control centre into one dashboard — cross-site heatmaps, common gaps, and a portfolio executive summary.
Self-assessment, independent reviewer override, and evidence-confidence ratings sit side by side, with a full audit trail — the evidence a regulator or AEMO expects.
Runs in your browser — no SaaS, no account, air-gap compatible. Optional AI connects only when you choose, using your own API key, and never sends data to CyberAssure.
Regulatory Context
The enhanced CIRMP Rules under the SOCI Act were registered on 9 June 2026. For designated high-risk energy responsible entities, AESCSF Security Profile 2 across all 11 domains is the named compliance pathway — due within the rules’ 24-month grace period, around mid-2028. Most responsible entities sit at SP-1 today. The tool's portfolio mode, period tracking, and AI-enhanced reporting were built precisely for the SP-1-to-SP-2 transition workload.
Read: The SOCI enhanced CIRMP Rules are now law → Deep dive: why the SP-1 to SP-2 jump is the hard part →For years, an annual consultant report or an internal spreadsheet was enough to evidence AESCSF maturity. Under SP-2, it isn’t — and most teams won’t feel the gap until a regulator, an auditor, or an incident asks the question.
A control that regresses the week after your assessment stays invisible for eleven months. After an incident, the regulator’s question is not whether last year’s snapshot looked fine — it is whether maturity was actively being improved.
Scored by hand, the same practice gets read three different ways across three sites. A maturity picture you don’t fully trust is one you can’t defend — and defensibility is the entire point of the exercise.
When maturity, gaps, anti-patterns and trajectory live in one place, the board-ready report writes itself. When they live in twelve spreadsheets and an inbox, every board cycle is a fire drill.
None of this needs a bigger team or a bigger budget. It needs the assessment to stop being an event and start being a system — which is exactly what this tool is built to do.
No installs, no accounts, no data leaving your environment.
Request access and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.
Score practices against your SP target and attach evidence — all on your own device. Optional AI assistance runs on your own Anthropic API key; data never leaves your environment.
Generate AEMO-ready Word and Excel reports, the gap register, the site × domain heatmap and the evidence pack — in one click, ready for the board or the auditor.
A guided, click-through tour of the actual assessment — scoring, evidence, multi-site portfolio and the AEMO-ready reports.
Comprehensive site-level and portfolio-level AESCSF outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.
Per-site narrative deliverable — domain maturity, SP-target achievement, gap register, anti-pattern findings, evidence register, and prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-domain narratives. AEMO-ready.
The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix, anti-pattern findings, N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.
Cross-site executive summary, site × domain heatmap, common gaps register, common evidence weaknesses, common low-maturity practices, and portfolio-wide recommendations — generated automatically from per-site data.
Cross-portfolio matrix of sites against all 11 AESCSF domains, colour-coded by maturity score, sortable to surface the weakest domains and the weakest sites. Reveals patterns no per-site view can show.
At-a-glance SP1/SP2/SP3 achievement per site, with Security Profile Movement view tracking which sites have moved up or down between assessment periods.
42 binary anti-pattern practices that undermine cyber capability — assessed alongside the 161 MIL-scored practices to surface the structural weaknesses traditional self-assessment misses.
Every attached evidence file organised by site and practice, with an Excel register cataloguing each file with metadata. Ships in one click when a regulator, auditor or AEMO asks for substantiation.
Domain-by-domain change reports between any two periods — improvements, regressions, evidence added/removed, reviewer-decision changes, and Security Profile movement. AI-narrated when enabled.
Load three or more historical periods to visualise compliance trajectory across time, with per-site and per-domain trends. The trajectory regulators examine post-incident.
Independent reviewer can override self-assessed and AI-suggested MIL levels with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.
Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention.
Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with per-site locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.
The defensibility of a consultant engagement, the control of doing it yourself — without the cost of either failing you.
| Big-4 consultant | Internal spreadsheet | CyberAssure | |
|---|---|---|---|
| Cost | $15k–$40k per site assessment | Low, but hidden | A fraction of consultant cost |
| Framework-accurate (161 practices + 42 anti-patterns + SP logic) | ✓ | ✗ | ✓ |
| Repeatable, same method every quarter | ✗ | ~ | ✓ |
| Multi-site portfolio rollup & heatmaps | ~ | ✗ | ✓ |
| Independent reviewer & evidence audit trail | ✓ | ✗ | ✓ |
| Data stays on your device | ✗ | ✓ | ✓ |
| Board-ready reports in hours, not weeks | ✗ | ~ | ✓ |
| Expertise stays in-house | ✗ | ✓ | ✓ |
Licensed per site, per year, with portfolio pricing for multi-site operators. No per-seat fees and no usage metering — and because it runs on your own device, there are no hosting or data-residency surprises. Get in touch and we'll size a quote to your portfolio.
Yes — that's what it's built for. Every practice pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating, and a full audit log records who assessed what, when and why. The result is the structured, evidence-backed trail an auditor or AEMO expects behind a CIRMP attestation — plus the year-over-year history that shows a credible trajectory of improvement, which is exactly what a regulator examines post-incident. It doesn't replace a formal independent assurance engagement; it produces the evidence that makes one fast and defensible.
AI is off by default. When you switch it on, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. A sensitive-data warning is shown before any evidence is submitted for AI review, and AI can be disabled site-wide in Settings for regulated or air-gapped environments.
Yes. It's a self-contained file that opens in any modern browser — no SaaS, no account, no install. With AI disabled it makes no outbound connections at all, so it runs fully offline inside a segregated or OT network.
You own everything outright. Assessments and evidence live in your own files and export to Word, Excel and JSON. There's no cloud database to be locked out of and no vendor hosting your data — your assessment history and evidence are yours, portable, and outlive any subscription.
The same MIL rubric and Security-Profile logic apply to every practice for every assessor, an independent-reviewer step catches drift, and period-over-period comparison shows exactly what changed between assessments. That's the consistency a rotating consultant or an ageing spreadsheet can't give you — the methodology doesn't change just because the person did.
Book a 20-minute demo, or request access and run your first assessment.
AEMO's AESCSF v2 is a comprehensive cyber security maturity model: 11 domains grouped into logical capability areas, each domain composed of objectives that contain practices, with practices scored at Maturity Indicator Levels (MIL) 0 through 3. Three Security Profiles (SP1, SP2, SP3) bundle target MIL expectations across the framework — and an additional layer of 42 anti-patterns identifies practices that undermine effective cyber capability even when other controls are in place.
The tool integrates every element of the v2 framework — including the anti-patterns, the SP-target logic, and the MIL scoring rubric — so the question is never "did we score this correctly?" but rather "what does the evidence support?".
All 11 AESCSF v2 domains, structured across three functional categories aligned to the framework:
Governance & Strategy
Protection & Defence
Detection & Response
One of the most distinctive features of AESCSF v2 is the explicit assessment of anti-patterns: practices or conditions that actively undermine cybersecurity capability, even when other controls appear adequate. The tool integrates the full set of 42 anti-patterns from the official AESCSF v2 Core (AEMO/CSIWG), distributed across nine of the eleven domains — concentrated most heavily in Identity & Access Management (11) and Situational Awareness (11), with additional anti-patterns in Asset, Architecture, Response, Risk, Threat and Workforce.
Anti-patterns are scored binary — present or not present — and contribute to a separate Anti-Pattern Assessment view that surfaces the practices most likely to compromise your overall maturity. This is what separates a real AESCSF assessment from a tick-box exercise.
Most energy responsible entities operate multiple sites — generation, substations, control centres, gas pipelines, market operations — each with its own scope and risk profile. The Site Registry holds every site in your portfolio, each with its own SP target, classification, and assessment status — all visible on a single dashboard. The portfolio-level views go well beyond simple aggregation:
Each practice presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the practice.
An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed MIL where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested MIL levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.
Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:
For SOCI Act responsible entities preparing for the now-mandatory SP-2 uplift, this is the evidence trail that demonstrates credible intent — quarter by quarter, not just at year end.
Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer.
Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel on a multi-site portfolio via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Per-site file locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and the sync provider conflict detector flags "conflicted-copy" files created by the sync provider so you can resolve them manually rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.
Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.
Twelve AI capabilities — entirely optional, opt-in via your own Anthropic API key — accelerate every phase of AESCSF assessment work, from understanding a practice to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the per-cycle effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates.
Phase 1
During the assessment
Phase 2
During review
Phase 3
Before & in the deliverables
Phase 4
Across periods
Phase 1
Connected Claude assistant that explains any AESCSF practice, anti-pattern, or MIL criterion in plain English — with conversational follow-up. Site name, SP target, your scores and notes are passed as context, so answers are tied to your actual posture, not generic AESCSF boilerplate.
Phase 1
Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the practice answer. The slow, low-energy step that usually gets skipped now takes seconds.
Phase 1
One-tap prompt chips built into the AI Advisor — "Biggest gaps?", "Uplift plan", "Evidence to gather", "Board summary" — each pre-wired to your actual assessment data and SP target. The fastest way to get useful AI output without crafting prompts.
Phase 2
Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the AESCSF practice requirements — with a suggested MIL level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass.
Phase 2
A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific MIL criteria. For the practices where "looks about right" isn't good enough.
Phase 2
For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts MIL. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.
Phase 3
Diagnostic AI scan over the entire site or portfolio assessment before export — surfaces empty notes on Strong answers, missing evidence on key practices, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.
Phase 3 · In the Word report
The site Word report opens with an AI-generated executive summary written from your actual assessment data — SP-target achievement, headline gaps, anti-pattern findings, and recommended priorities for this site. The site owner's board narrative, pre-drafted.
Phase 3 · In the Word report
A different summary — written from the cross-site view. Portfolio average maturity, weakest domains across the portfolio, common gaps with the highest leverage, systemic evidence weaknesses, and the cross-site investment case. The CISO or programme director's narrative, drafted.
Phase 3 · In the Word report
Board-ready prose inside the Word report — for each of the 11 AESCSF domains, an AI-written narrative explaining what the domain covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.
Phase 4
When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The "are we on track for SP-2?" question, answered in prose.
Phase 4
For each Common Evidence Weakness or Common Low-Maturity Practice across the portfolio, AI drafts a cross-site systemic remediation plan — the leverage point that turns dozens of site-level findings into a single funded programme.
All twelve AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few dollars per full assessment cycle. AI can be disabled site-wide via Settings for regulated environments, and a sensitive-data warning is shown before evidence is submitted for AI review.
Organisations frequently combine this assessment with complementary frameworks to address multiple governance requirements.
For energy entities designated as Systems of National Significance under SOCI Act Part 2C.
Learn moreExtend supply chain domain coverage with comprehensive vendor and third-party assessment.
Learn more