When the board asks about your security posture, what do you show them?

Every quarter, you face the same problem: produce a maturity assessment that satisfies the board, survives audit scrutiny, and meets regulatory expectations. The options aren't great. Consultants charge $50,000+ for a single assessment—and every firm produces different results using different methodologies. Your internal spreadsheet has drifted so far from any recognised framework it won't survive external review. Generic checklists lack the rigour anyone takes seriously.

After a breach, the first question regulators ask is: what assessments did you have? Can you demonstrate a consistent, defensible approach to measuring your security posture? Or will you be explaining why your methodology changed every time a new consultant walked in the door?

Regulatory pressure is intensifying across every sector — and every market you sell into.

In Australia, the pressure is already here. APRA CPS 234 requires security capability matched to the threats you face. The SOCI Act requires critical infrastructure operators to prove cyber maturity. And AESCSF reporting is now mandatory for the energy sector. Sell or operate offshore and more applies — the EU Cyber Resilience Act, DORA and GDPR each carry hard deadlines and penalties, and PCI DSS 4.0 raises the bar for anyone handling card data. These aren't suggestions — they're requirements with real consequences for non-compliance.

Your board is asking harder questions.

Directors face personal liability for cyber security failures. They're no longer satisfied with "we're working on it." They want to see maturity scores, trend lines, gap closure rates, and benchmark comparisons. They want cyber security assurance that's defensible—not a consultant's subjective opinion that changes with whoever's in the room.

Consultant dependency is expensive and inconsistent.

A Big 4 maturity assessment is expensive and slow. The methodology varies by firm, by partner, sometimes by consultant. You can't compare this quarter's results to last quarter's because different people assessed you differently. And when the partner who "understood your business" leaves, you start from scratch.

Accountability is now personal — and documented.

Accountability for cyber risk now sits with named individuals. Directors carry explicit duties for cyber risk oversight, and regulators have shown they will test them. When something goes wrong, the question isn't whether you took security seriously — it's whether you can produce the record: a consistent methodology, dated assessments, identified gaps, and a documented trajectory of improvement. That record is the difference between a defensible position and an exposed one.

Not just findings—a prioritised roadmap to fix them.

Every gap identified, ranked by risk level, with specific remediation actions. Framework-aligned maturity assessments you run yourself, using the same methodology every time. Board-ready outputs in hours, not weeks. Results you can track quarter-over-quarter to demonstrate genuine progress. No consultant dependency. No methodology drift. Complete control over your assessment process.

Featured Frameworks

AU Energy Sector • SOCI Act Aligned

AESCSF v2 Cyber Security Maturity Assessment

Evaluate cybersecurity maturity against the Australian Energy Sector Cyber Security Framework v2 with SP1/SP2/SP3 Security Profile targeting. 60–161 questions across the AESCSF v2 framework. 100% local — no data leaves your device.

Best suited for: Australian energy sector entities with AEMO reporting obligations

View AESCSF v2 Assessment
EU EU Regulation • Product Security

EU Cyber Resilience Act — Assessment Suite

The CRA imposes two kinds of duty — organisational and per-product. The suite covers both: an Organisational Readiness Assessment (100 questions, 12 domains, role-adaptive for manufacturers, importers, distributors, authorised representatives and open-source software stewards) and a Product Compliance Assessment (136 questions, 9 domains, classification engine and draft Declaration of Conformity).

Best suited for: Organisations placing products with digital elements on the EU market

View EU CRA Suite
AU APRA-Regulated Financial Services

APRA CPS 234 Information Security Assessment

Assess compliance against APRA Prudential Standard CPS 234 across all nine assessable obligation areas. Includes the six common gaps from APRA's tripartite assessment programme, FAR Accountable Person mapping, and multi-entity group mode. 100% local — no data leaves your device.

Best suited for: ADIs, general insurers, life insurers, private health insurers, RSE licensees, and APRA-regulated NOHCs

View CPS 234 Assessment
AU ACSC • Government & Baseline Control

Essential Eight Maturity Assessment

Assess all eight ACSC mitigation strategies across Maturity Levels 1, 2 and 3, with the overall level set by your weakest strategy. Independent reviewer overrides, evidence management, and board-ready Word and Excel reports. 100% local — no data leaves your device.

Best suited for: government agencies and contractors, and any organisation using the Essential Eight as a security baseline

View Essential Eight Assessment

European Union Frameworks

EU EU Regulation • Financial Sector

EU Digital Operational Resilience Act (DORA) — Readiness Assessment

Assess organisational readiness for DORA (Regulation 2022/2554) with role-based assessments for Financial Entities and ICT Third-Party Service Providers. Covers all five DORA pillars including ICT risk management, incident reporting, resilience testing, and third-party risk.

Best suited for: Banks, insurers, investment firms, payment institutions, and ICT service providers to the financial sector

View DORA Assessment
EU EU Data Privacy

GDPR Compliance Maturity Assessment

Assess organisational compliance maturity against the General Data Protection Regulation. Covers data protection principles, individual rights, accountability requirements, and international transfers.

Best suited for: Organisations processing EU personal data or serving EU customers

View GDPR Assessment

Asia-Pacific Frameworks

HK Critical Infrastructure • Cap. 653

Hong Kong PCICSO Information Security Assessment

Assess compliance against Hong Kong's Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) and the Commissioner's Code of Practice. Covers all three statutory obligation categories — Organisational, Preventive, and Incident Reporting & Response — across the eight designated sectors, with multi-CCS portfolio mode, section 57 handling, and OCCICS-ready Word and Excel reports. 100% local — no data leaves your device.

Best suited for: designated Critical Infrastructure Operators (CIOs) across Hong Kong's eight essential service sectors, and their material suppliers

View PCICSO Assessment

Global Frameworks

GLOBAL Information Security

ISO 27001 Maturity Assessment

Evaluate your Information Security Management System against the ISO/IEC 27001:2022 standard. Covers all ISMS clauses (4–10) and Annex A controls with structured maturity scoring.

Best suited for: Organisations preparing for or maintaining ISMS certification

View ISO 27001 Assessment
GLOBAL Cybersecurity Framework

NIST CSF v2.0 Maturity Assessment

Evaluate your cybersecurity program against the NIST Cybersecurity Framework 2.0. Comprehensive coverage of all six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Best suited for: Organisations seeking a globally recognised cybersecurity baseline

View NIST CSF Assessment
GLOBAL Service Organisations

SOC 2 Readiness Assessment

Prepare for SOC 2 examination with a structured evaluation against the Trust Services Criteria. Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Best suited for: SaaS providers and service organisations with enterprise customers

View SOC 2 Assessment
GLOBAL Third-Party Risk

Third-Party & Supply Chain Security Assessment

Evaluate third-party and supply chain cybersecurity risks. A comprehensive framework for assessing vendor security posture and managing supply chain risk across the full vendor lifecycle.

Best suited for: Organisations managing vendor and supply chain security risk

View Third-Party Risk Assessment
GLOBAL Payment Security

PCI DSS Maturity Assessment

Assess your organisation's readiness against the Payment Card Industry Data Security Standard. Comprehensive coverage of all PCI DSS requirements with SAQ-type filtering and maturity-based evaluation.

Best suited for: Organisations handling cardholder data or preparing for QSA audit

View PCI DSS Assessment

Questions about our assessments?

Contact us to discuss which assessment is right for your organisation.

Get in Touch View FAQ