APRA CPS 234 Assessment
Information security assessment for APRA-regulated entities, with the Essential Eight as a control baseline.
Learn moreEnterprise · ACSC Essential Eight
A purpose-built ACSC Essential Eight assessment. Score all eight mitigation strategies against Maturity Level 1, 2 or 3, see exactly which strategy is capping your overall level, and export board-ready Word and Excel reports — run entirely on your own device, owned by your team.
100% local · runs on your device · no data leaves your environment
All eight mitigation strategies with every Maturity Level 1, 2 and 3 control, mapped to the ACSC's current published guidance — not a generic checklist.
Because your overall maturity is only as high as your weakest strategy, the tool surfaces the exact strategy holding you back — and what it takes to lift it.
Self-assessment, independent reviewer override, and evidence-confidence ratings sit side by side, with a full audit trail — the evidence an auditor or regulator expects.
Runs in your browser — no SaaS, no account, air-gap compatible. Optional AI connects only when you choose, using your own API key, and never sends data to CyberAssure.
Why it matters now
The Essential Eight is already mandatory for federal non-corporate Commonwealth entities, and it has quietly become the de facto baseline that everyone else is measured against. Cyber insurers ask about it before they quote, government and enterprise contracts increasingly require it, and SOCI Act and APRA CPS 234 programs lean on it as a control baseline. When something goes wrong, “what was your Essential Eight maturity?” is one of the first questions asked — and a defensible, evidence-backed answer beats a spreadsheet guess.
Read: The Essential Eight explained — what Australian businesses need to implement →No installs, no accounts, no data leaving your environment.
Request access and we provide the assessment — a self-contained file that opens in your browser. Nothing to install, no account to create.
Score each strategy against your Maturity Level target and attach evidence — all on your own device. Optional AI assistance runs on your own Anthropic API key; data never leaves your environment.
Generate board-ready Word and Excel reports, the gap register, the strategy maturity dashboard and the evidence pack — in one click, ready for the board or the auditor.
Comprehensive Essential Eight outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.
Board-ready narrative deliverable — overall maturity level, strategy-by-strategy attainment, gap register, evidence register, and a prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-strategy narratives.
The same data in tabular form across multiple sheets — gap register, remediation plan, evidence register, full results matrix and N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.
A strategy-by-strategy dashboard showing current Maturity Level attainment and gap profile across all eight strategies — suitable for management review and regulatory reporting at a glance.
Every strategy mapped against Maturity Levels 1, 2 and 3, colour-coded by attainment — showing exactly where you sit and which strategy is capping your overall level.
Actionable recommendations ranked by risk severity and Maturity Level uplift, designed to support structured uplift planning and investment prioritisation. The gap register becomes a plan.
Every attached evidence file organised by strategy, with an Excel register cataloguing each file with metadata. Ships in one click when an auditor or assessor asks for substantiation.
Strategy-by-strategy change reports between any two periods — improvements, regressions, evidence added or removed, reviewer-decision changes, and maturity-level movement. AI-narrated when enabled.
An independent reviewer can override self-assessed and AI-suggested Maturity Levels with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.
Chronological record of every answer, note, evidence change and reviewer override — viewable in-app with full version history, exportable as JSON for long-term retention.
Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with file locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.
The defensibility of a consultant engagement, the control of doing it yourself — without the cost of either failing you.
| Big-4 consultant | Internal spreadsheet | CyberAssure | |
|---|---|---|---|
| Cost | High, per engagement | Low, but hidden | A fraction of consultant cost |
| Model-accurate (all 8 strategies, ML1–ML3 controls) | ✓ | ✗ | ✓ |
| Repeatable, same method every quarter | ✗ | ~ | ✓ |
| Strategy-level ML breakdown & visuals | ~ | ✗ | ✓ |
| Independent reviewer & evidence audit trail | ✓ | ✗ | ✓ |
| Data stays on your device | ✗ | ✓ | ✓ |
| Board-ready reports in hours, not weeks | ✗ | ~ | ✓ |
| Expertise stays in-house | ✗ | ✓ | ✓ |
Licensed per organisation, per year. No per-seat fees and no usage metering — and because it runs on your own device, there are no hosting or data-residency surprises. Get in touch and we'll size a quote to your organisation.
Each of the eight strategies is scored individually against the ACSC's Maturity Level 1, 2 and 3 controls. Because the Essential Eight is meant to be implemented as a package, your overall level is the lowest level achieved across all eight strategies — one weak strategy caps the result. The tool shows your level per strategy and the single strategy holding the whole assessment back, so you know exactly where to invest first.
Yes — that's what it's built for. Every control pairs a self-assessment with an independent reviewer conclusion and an evidence-confidence rating, and a full audit log records who assessed what, when and why. The result is the structured, evidence-backed trail an auditor or assessor expects — plus the year-over-year history that shows a credible trajectory of improvement, which is exactly what a regulator examines post-incident. It doesn't replace a formal independent assurance engagement; it produces the evidence that makes one fast and defensible.
AI is off by default. When you switch it on, requests go directly from your browser to Anthropic using your own API key — never through CyberAssure's servers, and nothing is stored by us. A sensitive-data warning is shown before any evidence is submitted for AI review, and AI can be disabled site-wide in Settings for regulated or air-gapped environments.
Yes. It's a self-contained file that opens in any modern browser — no SaaS, no account, no install. With AI disabled it makes no outbound connections at all, so it runs fully offline inside a segregated or OT network — suitable for government and data-sovereign contexts.
You own everything outright. Assessments and evidence live in your own files and export to Word, Excel and JSON. There's no cloud database to be locked out of and no vendor hosting your data — your assessment history and evidence are yours, portable, and outlive any subscription.
Book a 20-minute demo and we'll show you the assessment, the reports, and how it fits your organisation.
The ACSC's Essential Eight is a prioritised set of eight mitigation strategies, each assessed against a four-level maturity model (Maturity Level 0 through Maturity Level 3). The strategies are designed to be implemented as a package: your overall maturity level is the lowest level achieved across all eight strategies, so a single under-implemented control caps the whole result. The tool assesses each strategy against the ACSC's published controls for ML1, ML2 and ML3, then computes your overall level and surfaces the strategy that's holding it back.
Each control integrates the ACSC's guidance and evidence expectations directly, so the question is never “did we score this correctly?” but rather “what does the evidence support?”.
All eight strategies, structured across the three Essential Eight objectives, assessed in full across Maturity Levels 1–3:
Prevent Malware Delivery & Execution
Limit the Extent of Incidents
Recover Data & System Availability
The Essential Eight Maturity Model defines four levels, based on mitigating increasing levels of adversary tradecraft and targeting:
The tool lets you set a target level (commonly ML2), auto-filters the controls in scope, and reports both per-strategy attainment and the overall level — which is only as high as your weakest strategy.
Each control presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the control.
An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed Maturity Level where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested Maturity Levels (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.
Single-point assessments are necessary but insufficient. The tool treats assessment as a continuous activity, with first-class support for the time dimension:
This is the evidence trail that demonstrates credible intent — quarter by quarter, not just at year end.
Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer.
Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. File locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and the sync conflict detector flags “conflicted-copy” files so you can resolve them rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.
Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.
Optional AI capabilities — entirely opt-in via your own Anthropic API key — accelerate every phase of Essential Eight work, from understanding a control to drafting the board narrative inside the Word report itself. The tool works fully without them; with them, the effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates.
Phase 1
During the assessment
Phase 2
During review
Phase 3
Before & in the deliverables
Phase 4
Across periods
Phase 1
Connected Claude assistant that explains any Essential Eight strategy, control or maturity-level criterion in plain English — with conversational follow-up. Your target level, scores and notes are passed as context, so answers are tied to your actual posture, not generic boilerplate.
Phase 1
Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the control answer. The slow, low-energy step that usually gets skipped now takes seconds.
Phase 1
One-tap prompt chips built into the AI Advisor — “Biggest gaps?”, “Uplift plan”, “Evidence to gather”, “Board summary” — each pre-wired to your actual assessment data and target level. The fastest way to get useful AI output without crafting prompts.
Phase 2
Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the control requirements — with a suggested Maturity Level and a low/medium/high confidence rating. The reviewer keeps the final call; AI does the first pass.
Phase 2
A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific maturity-level criteria. For the controls where “looks about right” isn't good enough.
Phase 2
For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts your Maturity Level. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.
Phase 3
Diagnostic AI scan over the entire assessment before export — surfaces empty notes on Strong answers, missing evidence on key controls, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.
Phase 3 · In the Word report
The Word report opens with an AI-generated executive summary written from your actual assessment data — overall maturity level, the strategy capping it, headline gaps, and recommended priorities. The board narrative, pre-drafted.
Phase 3 · In the Word report
Board-ready prose inside the Word report — for each of the eight strategies, an AI-written narrative explaining what the strategy covers, your posture, where the gaps sit, and what to do next. Audit-committee language, generated from your data.
Phase 4
When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The “are we on track for ML2?” question, answered in prose.
Phase 4
AI drafts a sequenced uplift plan to move from your current level toward your target — grouped by strategy and ordered by the controls that unlock the most maturity for the least effort. The leverage points that turn findings into a funded programme.
All AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few dollars per full assessment cycle. AI can be disabled site-wide via Settings for regulated environments, and a sensitive-data warning is shown before evidence is submitted for AI review.
Organisations frequently combine the Essential Eight assessment with complementary frameworks to address broader governance and compliance requirements.
Information security assessment for APRA-regulated entities, with the Essential Eight as a control baseline.
Learn moreAssess your ISMS against ISO/IEC 27001 — broader governance coverage to complement Essential Eight technical controls.
Learn more