Overview

The AESCSF v2 Cyber Security Maturity Assessment provides a comprehensive framework for evaluating your organisation's cybersecurity posture against the Australian Energy Sector Cyber Security Framework Version 2. With 122 questions across 11 domains, this assessment supports AEMO cyber security reporting obligations and SOCI Act alignment.

The assessment features Security Profile targeting (SP1/SP2/SP3), allowing you to filter questions based on your organisation's required security profile. Each question is mapped to specific AESCSF control references, enabling direct traceability to framework requirements.

Through structured evaluation criteria designed for energy sector operational environments, you will assess your organisation's IT and OT security posture, from governance through to incident response and supply chain management.

Who It's For

This assessment is designed for:

  • Australian energy sector entities with AEMO reporting obligations
  • Electricity generators, transmission, and distribution network operators
  • Gas pipeline operators and storage facility operators
  • Energy market participants required to comply with AESCSF
  • SOCI Act critical infrastructure entities in the energy sector
  • Security teams managing IT/OT convergence in energy environments

Typical Outcomes

Organisations using this assessment typically gain:

  • Clear understanding of current maturity against target Security Profile
  • Identification of gaps mapped to specific AESCSF controls
  • Documentation to support AEMO cyber security reporting
  • Evidence of SOCI Act alignment for critical infrastructure obligations
  • Prioritised remediation plan addressing IT and OT security gaps
  • Baseline for tracking maturity improvements over annual reporting cycles

Assessment Coverage

The assessment comprehensively evaluates AESCSF v2 across 11 domains:

  • Risk Management (RM) — Cyber security risk identification, assessment, treatment, and governance oversight
  • Cyber Security Program Management (CPM) — Executive sponsorship, programme governance, roles, and strategic planning
  • Asset, Change & Configuration Management (ACM) — IT and OT asset inventory, change control, and configuration management
  • Identity & Access Management (IAM) — Access control policies, privileged access, authentication, and account management
  • Threat & Vulnerability Management (TVM) — Vulnerability scanning, patch management, penetration testing, and threat intelligence
  • Situational Awareness (SA) — Security monitoring, logging, alerting, and control effectiveness evaluation
  • Event & Incident Response (IR) — Incident response planning, testing, backup, and recovery capabilities
  • Supply Chain & External Dependencies (EDM) — Vendor management, third-party risk, and supply chain security
  • Workforce Management (WM) — Security awareness, training, personnel screening, and competency
  • Cyber Security Architecture (CSA) — Network segmentation, defence in depth, IT/OT separation, and secure design
  • Australian Privacy Management — Privacy Act alignment and personal information handling for energy customers

Security Profile Targeting

The assessment supports AESCSF Security Profile levels:

  • SP1 (Baseline) — Foundational controls for all energy sector entities
  • SP2 (Intermediate) — Enhanced controls for entities with elevated risk profiles
  • SP3 (Advanced) — Comprehensive controls for critical national infrastructure

Select your target Security Profile and the assessment automatically filters questions and scoring to your required level.

Secure by Design for Critical Infrastructure

For SOCI-regulated entities, protecting information about your security posture is as important as the assessment itself. This tool is designed with critical infrastructure data handling requirements in mind:

  • 100% Local Processing — The entire assessment runs in your browser. No data is transmitted to external servers.
  • No Cloud Storage — Your responses, scores, and reports are never uploaded or stored outside your device.
  • No Account Required — No registration, no login, no user tracking. Complete anonymity.
  • You Control the Data — Export reports locally. Store them in your secure environment. Delete when required.
  • Air-Gap Compatible — Can be used on isolated networks with no internet connectivity after initial download.

Your security posture information stays exactly where it should—within your organisation's control.

Important Disclaimer

This assessment is a self-assessment tool designed to help energy sector organisations evaluate their AESCSF maturity. It does not constitute a formal AESCSF assessment, AEMO compliance certification, or regulatory attestation. Organisations should refer to official AEMO guidance for reporting requirements.

What You Receive

Executive Summary Report

Board-ready overview with maturity scores by domain and Security Profile alignment, exportable to Word format for executive and regulator circulation.

Detailed Gap Register

Comprehensive findings mapped to AESCSF control references with risk ratings, exportable to Excel for remediation tracking.

Maturity Visualisations

Charts showing domain-by-domain maturity against target Security Profile, suitable for AEMO reporting and Board presentations.

Prioritised Remediation Roadmap

Actionable recommendations ranked by risk and Security Profile requirements for IT and OT environments.

Consistent methodology enables annual reassessment aligned to AEMO reporting cycles and continuous improvement tracking.

Ready to Assess Your AESCSF Maturity?

Get immediate access to the AESCSF v2 Cyber Security Maturity Assessment Tool.

Demo includes 3 domains with full reporting. No signup required.

Often Used Alongside

Organisations frequently combine this assessment with complementary frameworks to address multiple governance requirements.

Critical Infrastructure

ECSO Readiness Assessment

For energy entities designated as Systems of National Significance under SOCI Act Part 2C.

Third-Party Risk

Supply Chain Security Assessment

Extend EDM domain coverage with comprehensive vendor and supply chain assessment.
