Framework-Aligned Maturity Assessments
NIST CSF, ISO 27001, AESCSF, APRA CPS 234, Essential Eight, PCI DSS, SOC 2, GDPR, EU CRA and more — scored maturity, prioritised gaps, audit-ready reports.
View Enterprise AssessmentsExplained
Security is what you do. Assurance is being able to prove it works — to your board, your regulator, your insurer, and your customers.
Most organisations do security: they buy tools, set policies, run antivirus, train staff. Cyber security assurance is something different — it is evidence that those controls exist, are working, and are appropriate for your risks. It answers the question every board, regulator, insurer and enterprise customer eventually asks: "How do you know you're secure?"
The distinction matters because the question is no longer hypothetical in Australia. APRA expects regulated entities to test the effectiveness of their information security controls under CPS 234. The SOCI Act requires critical infrastructure operators to demonstrate cyber maturity. The Privacy Act requires "reasonable steps" — and if you're breached, the OAIC will ask you to evidence what those steps were. Cyber insurers now deny claims when the controls declared on the application can't be substantiated. Enterprise customers send security questionnaires before they'll sign.
Activity: "We have MFA, we do backups, we patch our systems."
Assurance: "We assessed our controls against a recognised framework on this date, here is the scored result, here are the gaps we found, here is the remediation plan with owners and dates, and here is the re-assessment showing improvement." One is a claim. The other is evidence.
Boards and executives ask because directors carry personal accountability for cyber risk oversight. A maturity score against a recognised framework, tracked over time, is the answer that survives scrutiny.
Regulators — APRA, the OAIC, the SOCI regime, AEMO for the energy sector, professional bodies like the TPB and AHPRA — increasingly expect documented, framework-aligned evidence rather than verbal reassurance. A structured assessment with a gap register and remediation roadmap is exactly that evidence.
Insurers ask at application and again at claim time. The businesses that get paid are the ones whose declared controls match documented reality.
Customers and supply chains ask through security questionnaires and tender requirements. A current assessment report turns a two-week scramble into an attachment.
There are three routes, and they differ mainly in cost and repeatability. External audit or certification (such as ISO 27001 certification) provides the strongest independent assurance but costs the most and suits organisations whose customers demand a certificate. Consultant-led assessment provides expertise but delivers a point-in-time report — when the consultant leaves, the knowledge leaves, and the next assessment costs the same again. Structured self-assessment against a recognised framework produces the same category of evidence — scored results, gap registers, remediation plans — at a fraction of the cost. And it's repeatable quarter after quarter, so you can show improvement, not just status.
For most Australian organisations the practical answer is layered: structured self-assessment as the ongoing engine of assurance, with external validation added where a regulator or contract specifically requires it.
Assess against a recognised framework → Evidence the result in a dated, scored report → Remediate the prioritised gaps → Re-assess and show the trend. Run that loop and you can answer any board, regulator, insurer or customer — because you're not asserting security, you're demonstrating it.
CyberAssure builds downloadable assessment tools that run entirely on your own device — your answers never leave your machine. Each one produces the evidence assurance requires: a scored result against a recognised framework, a risk-ranked gap register, and board-ready Word and Excel reports.
NIST CSF, ISO 27001, AESCSF, APRA CPS 234, Essential Eight, PCI DSS, SOC 2, GDPR, EU CRA and more — scored maturity, prioritised gaps, audit-ready reports.
View Enterprise AssessmentsPlain-English, 60-minute cyber health checks for Australian small businesses — general and industry-specific versions with prioritised action plans.
View Health ChecksPurpose-built assessments where the regulator sets the bar: APRA CPS 234 for financial services, AESCSF for energy, Essential Eight for ASD-aligned maturity.
Explore Regulated AssessmentsRun a structured assessment this week and have evidence in hand — a scored result, a gap register, and a board-ready report. No consultants, no data leaves your device.