ECSO Readiness Assessment
For energy entities designated as Systems of National Significance under SOCI Act Part 2C.
Learn moreOverview
The AESCSF v2 Cyber Security Maturity Assessment provides a comprehensive framework for evaluating your organisation's cybersecurity posture against the Australian Energy Sector Cyber Security Framework Version 2. With up to 161 questions across 11 domains (scaled by Security Profile), this assessment supports AEMO cyber security reporting obligations and SOCI Act alignment, with references to Cyber and Infrastructure Security Centre (CISC) guidance.
The assessment features Security Profile targeting (SP1/SP2/SP3), automatically filtering questions based on your organisation's required security profile—95 questions for SP1, 139 for SP2, and 161 for SP3. Each question includes contextual help text explaining the control intent, specific evidence guidance detailing what documentation supports your response, target Maturity Indicator Level (MIL), and per-question notes fields for documenting your assessment rationale.
Maturity is measured on a four-level MIL scale: MIL0 (not performed), MIL1 (initial/ad-hoc), MIL2 (managed/documented), and MIL3 (optimised/measured). Each Security Profile defines target MIL levels for every question, enabling precise gap identification between current and required maturity states.
Organisation branding with logo upload ensures your exported reports are presentation-ready for Board meetings, AEMO submissions, and executive briefings. Through structured evaluation criteria designed for energy sector operational environments, you will assess your organisation's IT and OT security posture across all AESCSF domains.
Who It's For
This assessment is designed for:
- Australian energy sector entities with AEMO reporting obligations
- Electricity generators, transmission, and distribution network operators
- Gas pipeline operators and storage facility operators
- Energy market participants required to comply with AESCSF
- SOCI Act critical infrastructure entities in the energy sector
- Security teams managing IT/OT convergence in energy environments
Typical Outcomes
Organisations using this assessment typically gain:
- Clear understanding of current maturity against target Security Profile
- Identification of gaps mapped to specific AESCSF controls
- Documentation to support AEMO cyber security reporting
- Evidence of SOCI Act alignment for critical infrastructure obligations
- Prioritised remediation plan addressing IT and OT security gaps
- Baseline for tracking maturity improvements over annual reporting cycles
Assessment Coverage
The assessment comprehensively evaluates AESCSF v2 across 11 domains:
- Risk Management — Cyber security risk identification, assessment, treatment, and governance oversight including Board reporting
- Asset, Change & Configuration Management — IT and OT asset inventory, change control, configuration baselines, and decommissioning
- Identity & Access Management — Access control policies, privileged access, authentication, and OT credential management
- Threat & Vulnerability Management — Vulnerability scanning, patch management, penetration testing, and threat intelligence integration
- Situational Awareness — Security event logging for IT and OT systems, log retention and protection, centralised correlation, alert generation, network traffic monitoring, IT/OT boundary monitoring, threat hunting, and 24/7 monitoring capability
- Information Sharing & Communications — AEMO reporting, sector information sharing forums, threat intelligence, and internal communications
- Event & Incident Response — Incident response planning, testing, backup and recovery, business continuity, and lessons learned
- Supply Chain & External Dependencies — Vendor management, third-party risk assessment, supplier security requirements, and dependency mapping
- Workforce Management — Security awareness, training, personnel screening, competency development, and insider threat management
- Cybersecurity Program Management — Executive sponsorship, programme governance, roles and responsibilities, strategic planning, and Board oversight
- Cybersecurity Architecture — Network segmentation, defence in depth, IT/OT separation, secure design, and remote access controls
Security Profile Targeting
The assessment supports AESCSF Security Profile levels with automatic question filtering:
- SP1 (Baseline) — 95 questions covering foundational controls for all energy sector entities
- SP2 (Intermediate) — 139 questions with enhanced controls for entities with elevated risk profiles
- SP3 (Advanced) — 161 questions providing comprehensive controls for critical national infrastructure
Select your target Security Profile at assessment start and the tool automatically filters questions, adjusts target MIL levels, and tailors scoring and recommendations to your required level. Gap analysis clearly distinguishes between SP1 baseline gaps, SP2 enhanced requirements, and SP3 advanced expectations.
Built-In Guidance
Every assessment question includes contextual support to ensure consistent, high-quality responses:
- Help Text — Explanatory guidance clarifying what each control means in practice and how it applies to energy sector IT and OT environments
- Evidence Guidance — Specific examples of documentation that demonstrates control implementation, such as IAM improvement programs, maturity assessments, enhancement roadmaps, and policy documents
- Target MIL — The required maturity level for your selected Security Profile, enabling immediate gap visibility
- Notes Field — Per-question notes capture for documenting your assessment rationale, evidence references, and remediation context
Secure by Design for Critical Infrastructure
For SOCI-regulated entities, protecting information about your security posture is as important as the assessment itself. This tool is designed with critical infrastructure data handling requirements in mind:
- 100% Local Processing — The entire assessment runs in your browser. No data is transmitted to external servers.
- No Cloud Storage — Your responses, scores, and reports are never uploaded or stored outside your device.
- No Account Required — No registration, no login, no user tracking. Complete anonymity.
- You Control the Data — Export reports locally. Store them in your secure environment. Delete when required.
- Air-Gap Compatible — Can be used on isolated networks with no internet connectivity after initial download.
Your security posture information stays exactly where it should—within your organisation's control.