Data Security & Privacy

Is my assessment data secure?

Yes—completely. Assessments run entirely in your web browser. Your answers are saved locally on your own device and are never transmitted to CyberAssure or anyone else. There's no cloud storage, no database, no account. We literally cannot see your assessment data. This architecture is intentional—organisations conducting security assessments shouldn't have to trust a third party with sensitive gap analysis.

Can I run assessments in air-gapped or restricted environments?

Yes. Once downloaded, the assessment requires no internet connection. It runs entirely offline in any modern browser, making it suitable for secure environments, classified networks, or locations with restricted connectivity.

Where is my data stored?

Your assessment data is stored only in your browser's local storage on your device. When you export reports, files are saved to your local machine. At no point does any assessment data leave your device or reach CyberAssure servers.

AI Features

Do the assessments use AI?

AI is built in but entirely optional. The assessments work fully without it. When enabled, twelve AI capabilities accelerate every phase of the workflow — from an AI Advisor chat that explains framework requirements, to AI evidence review with suggested compliance levels, AI gap drafting and remediation drafting, AI executive summaries in the Word report, and AI period-comparison narratives across assessment cycles. AI is opt-in per-organisation and can be disabled entity-wide via Settings.

Who provides the AI? Does my assessment data go to CyberAssure?

The AI features use the Anthropic Claude API directly. You bring your own Anthropic API key, which is stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. When you use an AI feature, the relevant assessment context (the question, your answer, attached evidence file content) is sent directly from your browser to Anthropic for that single request, with no CyberAssure server in the middle. We do not see, store, or process any of your AI requests or responses.

How much does the AI cost?

You pay Anthropic directly for the API usage at their published rates. Typical usage for a full assessment cycle is in the range of a few Australian dollars — varying with how heavily AI features are used (AI Deep Review on every piece of evidence costs more than just generating the executive summary). Pricing is fully transparent at anthropic.com/pricing.

Can AI features be disabled for sensitive engagements?

Yes. AI can be disabled organisation-wide via Settings — appropriate for regulated environments, APRA supervisory engagement, classified networks, or any context where outbound API calls are restricted. A sensitive-data warning is also shown before evidence is submitted for AI review, so reviewers can opt out on a per-document basis even when AI is generally enabled. The assessments are fully functional with AI disabled — no feature requires AI to work.

Evidence & Audit Trail

How is evidence captured and managed?

Each practice has a drag-and-drop area for attaching supporting documents — PDF, Word, Excel, images, CSV. Files are stored locally with content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question size caps, browser-storage quota monitoring, optional encryption-at-rest, and a crash-recovery mirror. The evidence register is exportable as a ZIP package cataloguing every file with its metadata — typically what auditors, regulators, or independent assessors ask for as substantiation.

Does the tool support independent reviewer workflows?

Yes — there's a dedicated reviewer workflow alongside the self-assessment. Reviewers capture observations in structured fields and can override the self-assessed compliance level where the evidence contradicts it. The original answer, the reviewer override, and (when AI is enabled) the AI-suggested compliance level all sit side-by-side in the audit log — three independent signals, fully traceable. This is the dual-control pattern that supports ASAE 3000 / ASAE 3402 independent assurance engagements, APRA tripartite assessments, and internal audit review.

Is there an audit log?

Yes. Every answer, note, evidence change and reviewer override is captured in a chronological audit log with full version history — viewable in-app and exportable as JSON for long-term retention. The log is the complete record of who did what and when, suitable for supervisory disclosure and post-incident review.

How does the tool support year-over-year comparison?

Assessment periods can be formally closed and archived, freezing the state for audit and historical comparison. Year-over-year comparison surfaces improvements, regressions, evidence added or removed, reviewer-decision changes, and domain-level compliance movement between any two closed periods. Multi-period trend comparison loads three or more historical periods to visualise compliance trajectory across time — exactly the evidence regulators look at when assessing whether maturity is being actively improved rather than just snapshotted.

Product & Delivery

What format are the assessments delivered in?

Assessments are delivered as self-contained HTML files that run entirely in your browser. No installation, account creation, or internet connection is required after download. Simply open the file in any modern browser to begin.

What outputs do I receive?

Each assessment generates a comprehensive set of outputs, all built from the same underlying data — so one assessment becomes every artefact you need. The core deliverables are a narrative Word report (with AI-enhanced executive summary and per-domain narratives when AI is enabled) and a multi-worksheet Excel workbook covering the gap register, remediation plan, evidence register, and full results matrix. For multi-site or multi-entity assessments (AESCSF, APRA CPS 234, PCICSO), portfolio-level Word and Excel reports add cross-site or cross-entity heatmaps, common gap analysis, common evidence weaknesses, and a group-level executive summary. Additional outputs include an evidence package ZIP cataloguing every attached file, year-over-year comparison reports between assessment periods, multi-period trend visualisations, and a chronological audit log exportable as JSON. Specific frameworks add framework-specific outputs — for example, FAR Accountable Person mapping for CPS 234, AEMO-aligned output for AESCSF, and section 57 compliance support for PCICSO.

How long does an assessment take to complete?

Completion time varies by framework scope and organisational complexity. A typical first-time assessment runs 4–8 hours of working time for the largest frameworks (AESCSF with 161 practices across 11 domains, NIST CSF, ISO 27001), with smaller-scope assessments completing faster. Progress is saved automatically and assessments can be paused and resumed across multiple sessions or multiple users. With the optional AI features enabled, evidence review, gap drafting, remediation drafting, and executive summary generation can collapse what was hours of work into minutes — many customers report that the per-cycle effort that used to consume a full week becomes a manageable internal cadence.

Can multiple people collaborate on an assessment?

Yes — through the built-in Shared Folder Mode. Point the assessment at a shared folder on OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox, and multiple assessors can work in parallel from their own devices. The sync provider handles file replication; the assessment tool layers on per-site or per-entity file locking to prevent conflicting edits, identity stamping so the audit log records who changed what, live change polling that surfaces edits within seconds, and a sync provider conflict detector that flags any "conflicted-copy" files for manual resolution. A 30-day soft delete with one-click restore prevents accidental data loss. For organisations without shared-folder infrastructure, the standalone HTML file can still be opened on individual devices and the assessment data exported and merged manually.
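The per-site locking, identity stamping and conflicted-copy detection described above can be shown with a simulated shared folder. This is an added example, not the product's implementation: the `.lock` filename convention, the five-minute lock expiry and the conflict-name patterns are assumptions, and an in-memory `Map` stands in for the synced folder.

```javascript
// Added example (not CyberAssure's code): an advisory lock per site data file
// in a shared folder, with identity stamping on every write and detection of
// provider-renamed conflict copies. Lock naming, TTL and conflict patterns
// are assumptions for the illustration.
const LOCK_TTL_MS = 5 * 60 * 1000;   // assumed: a lock older than 5 minutes is stale

// Sync providers rename a losing copy rather than merge it. These patterns
// approximate such names and are assumptions, not provider specifications.
const CONFLICT_PATTERNS = [
  /conflicted copy/i,         // Dropbox-style suffix
  /\bconflict\b/i,            // generic "conflict" marker
  / \(\d+\)\.[^.]+$/,         // "site-01 (1).json" style duplicate
];

class SharedFolder {
  // `now` is injectable so lock expiry can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.files = new Map();   // path -> string contents (stands in for the synced folder)
    this.now = now;
  }

  lockPath(siteFile) { return `${siteFile}.lock`; }

  // Take the lock for one site's data file on behalf of `user`. Succeeds if
  // the file is unlocked, already ours, or the holder's lock has expired.
  acquireLock(siteFile, user) {
    const path = this.lockPath(siteFile);
    const existing = this.files.get(path);
    if (existing) {
      const lock = JSON.parse(existing);
      const stale = this.now() - lock.acquiredAt > LOCK_TTL_MS;
      if (lock.owner !== user && !stale) {
        return { ok: false, heldBy: lock.owner };
      }
    }
    this.files.set(path, JSON.stringify({ owner: user, acquiredAt: this.now() }));
    return { ok: true, heldBy: user };
  }

  // Only the holder may release; returns false otherwise.
  releaseLock(siteFile, user) {
    const path = this.lockPath(siteFile);
    const existing = this.files.get(path);
    if (!existing || JSON.parse(existing).owner !== user) return false;
    this.files.delete(path);
    return true;
  }

  // Write only while holding the lock. Each write carries an identity stamp
  // so the audit log can record who changed what and when.
  writeSiteFile(siteFile, user, payload) {
    const held = this.acquireLock(siteFile, user);
    if (!held.ok) throw new Error(`${siteFile} is locked by ${held.heldBy}`);
    const record = {
      ...payload,
      modifiedBy: user,
      modifiedAt: new Date(this.now()).toISOString(),
    };
    this.files.set(siteFile, JSON.stringify(record));
    return record;
  }

  // Files the sync provider renamed after a collision; these need manual resolution.
  conflictedCopies() {
    return [...this.files.keys()].filter(p => CONFLICT_PATTERNS.some(re => re.test(p)));
  }
}
```

The lock is advisory: it prevents two assessors in the tool from editing the same site at once, but it cannot stop the sync provider from creating a conflict copy if a device was offline, which is why the conflict scan is a separate check rather than part of locking.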

Methodology & Frameworks

Who are these assessments designed for?

Our assessments are designed for CISOs, Heads of GRC, and senior security, risk, and compliance leaders who need structured, framework-aligned tools for evaluating organisational maturity. They're used by organisations ranging from mid-market companies to ASX-listed enterprises and government agencies.

Are these assessments a substitute for formal certification or audit?

No. These assessments are self-assessment tools designed to help organisations understand their current maturity level, identify gaps, and prepare for formal certification or audit. They do not constitute formal audits, certifications, or attestations. However, the consistent methodology and documented outputs can support your certification journey and demonstrate due diligence.

How is maturity scored?

Scoring models vary by framework to align with how the source framework itself measures conformance. AESCSF uses MIL-1 / MIL-2 / MIL-3 Maturity Indicator Levels with Security Profile targeting (SP1, SP2, SP3). NIST CSF, ISO 27001, and PCI DSS use a five-level maturity model (Initial, Developing, Defined, Managed, Optimised). APRA CPS 234 and Hong Kong's PCICSO are compliance-based and use a three-point answer scale (None, Partial, Strong) plus N/A with justification, mapped against proportionality tiers. Essential Eight uses ACSC's Maturity Level 1–3 model. In every case, the scoring approach is tied directly to the source framework's guidance so outputs translate cleanly into the regulator's or auditor's expectations.

How often should we run assessments?

Most organisations run quarterly assessments to track progress and demonstrate improvement to boards and regulators. The consistent methodology ensures meaningful quarter-over-quarter comparisons. Some organisations also run assessments after significant changes (new systems, acquisitions, incidents) or in preparation for external audits.

Licensing & Usage

What does the license include?

Each assessment purchase provides a license for organisational use. You receive a downloadable HTML file that runs locally on your device. The license is tied to your organisation, not individual users or devices. Please refer to our terms of service for full licensing details.

Can I use assessments across multiple business units or subsidiaries?

Yes — the relevant assessments include built-in portfolio modes. AESCSF has Multi-Site Portfolio Mode (operating sites under a responsible entity), APRA CPS 234 has Multi-Entity Group Mode (every APRA-regulated entity in a Level 2 or Level 3 group), and Hong Kong's PCICSO has Multi-CCS Portfolio Mode. Each site or entity is scored consistently and rolled up into a single group view with cross-portfolio heatmaps, common gap analysis, common evidence weaknesses, and a group-level executive summary. For organisations with a broader licensing question — for example, an enterprise wanting to deploy multiple distinct framework assessments across several subsidiaries — please contact us to discuss arrangements.

Do you offer consulting or advisory services alongside assessments?

CyberAssure focuses on assessment tools. We don't provide consulting services directly, which allows us to offer unbiased tools without the conflict of interest that comes from selling remediation services. If you need advisory support, we can recommend independent consultants who are familiar with our assessment outputs.

Payment & Support

How is payment processed?

Payments are processed securely through Payhip using Stripe or PayPal. CyberAssure does not directly handle or store payment card information. For enterprise purchases requiring invoicing or purchase orders, please contact us directly.

Do you offer refunds?

Due to the digital nature of our products, we generally do not offer refunds after download. However, we're committed to customer satisfaction—if you experience issues with an assessment, please contact us and we'll work to resolve the situation.

How do I get support if I have questions?

For product questions, technical issues, or general enquiries, use our contact form. We typically respond within one business day.

Still have questions?

Contact us to discuss which assessment is right for your organisation.