AESCSF v2 Assessment
Energy sector entities often combine ECSO readiness with AESCSF maturity assessment for comprehensive SOCI Act coverage.
Learn moreOverview
The ECSO Readiness Assessment provides a comprehensive framework for evaluating your organisation's preparedness against the Enhanced Cyber Security Obligations (ECSO) under the Security of Critical Infrastructure Act 2018 Part 2C. With 108 questions across 6 domains, this assessment is specifically designed for entities designated as Systems of National Significance (SoNS).
The assessment directly maps to the six ECSO requirements, enabling you to evaluate your readiness for incident response plan adoption, cyber security exercises, vulnerability assessments, system information provision, government security software installation, and cyber security incident reporting.
Through structured evaluation criteria aligned to SOCI Act requirements and supporting guidance, you will assess your organisation's capability to meet these enhanced obligations when directed by the Australian Government.
Who It's For
This assessment is designed for:
- Australian critical infrastructure entities designated as Systems of National Significance
- Entities anticipating SoNS designation across critical infrastructure sectors
- Security teams preparing for potential ECSO directions
- Boards and executives overseeing SOCI Act compliance
- GRC professionals managing critical infrastructure obligations
- Organisations seeking to understand ECSO requirements proactively
Typical Outcomes
Organisations using this assessment typically gain:
- Clear understanding of readiness for each of the six ECSO requirements
- Identification of gaps that could impede compliance with government directions
- Prioritised remediation plan for ECSO preparedness
- Documentation to demonstrate proactive compliance efforts to regulators
- Baseline for tracking ECSO readiness improvements over time
- Evidence of due diligence for Board and executive reporting
Assessment Coverage
The assessment comprehensively evaluates readiness across the six ECSO requirements:
- Incident Response Plan Adoption — Capability to adopt incident response plans prepared by government, integration with existing plans, and organisational readiness to implement directed plans
- Cyber Security Exercises — Capability to undertake cyber security exercises as directed, exercise planning and execution maturity, and lessons learned processes
- Vulnerability Assessments — Capability to undertake vulnerability assessments of systems as directed, assessment methodology maturity, and remediation tracking
- System Information Provision — Capability to provide information about systems to government, asset inventory completeness, and information sharing processes
- Government Security Software — Capability to install and maintain government security software on systems, software deployment processes, and integration considerations
- Cyber Security Incident Reporting — Capability to report cyber security incidents as required, incident detection and classification, and reporting processes and timeliness
SOCI Act Context
The Enhanced Cyber Security Obligations apply to Systems of National Significance — critical infrastructure assets of the highest criticality to Australia. While ECSO directions are discretionary government powers, designated entities must be prepared to comply when directed. This assessment helps organisations proactively build capability rather than reacting to government directions.
Secure by Design for National Significance Assets
For SoNS entities, information about your security posture and gaps is itself highly sensitive. This tool is specifically designed with national security considerations in mind:
- 100% Local Processing — The entire assessment runs in your browser. No data is transmitted to external servers—ever.
- No Cloud Storage — Your responses, readiness scores, and gap analysis never leave your device.
- No Account Required — No registration, no login, no user tracking. Complete operational security.
- You Control the Data — Export reports locally to your secure environment. No third-party data retention.
- Air-Gap Compatible — Fully functional on isolated networks after initial download—critical for secure OT environments.
- No Foreign Data Transfer — Assessment data stays within your organisation, supporting Australian data sovereignty requirements.
Your ECSO readiness information remains under your complete control—as it should be for systems of national significance.
Important Disclaimer
This assessment is a self-assessment tool designed to help critical infrastructure entities evaluate their ECSO readiness. It does not constitute legal advice, a formal SOCI Act compliance assessment, or government certification. Organisations should refer to official CISC guidance and seek appropriate legal counsel for specific compliance requirements.