Beyond Compliance Checklists

Checklists answer a binary question: compliant or not. But boards, regulators, and auditors expect more. They want evidence of capability, measurable progress, and governance oversight. Maturity assessments deliver what checklists cannot.

Defensible Under Scrutiny

Structured scoring criteria that hold up when auditors, regulators, or board members ask "how did you arrive at this?"

Progress You Can Measure

Quantified baselines that let you track improvement quarter over quarter and demonstrate continuous improvement.

Board-Ready Language

Results that translate technical controls into business risk language that executives and directors understand.

Consistent & Repeatable

Run the same assessment quarterly, annually, or before audits—with comparable results regardless of who completes it.

Designed by Practitioners

CyberAssure assessments are built by senior GRC professionals with direct experience leading security programmes, facing regulatory scrutiny, and reporting to boards across financial services, critical infrastructure, healthcare, and technology sectors.

This means every assessment reflects real-world requirements: the questions auditors actually ask, the evidence regulators expect to see, and the maturity indicators that matter for board reporting.

Practitioner Background Includes:

Leadership & Roles

CISO and Head of Security • Head of GRC / IT Risk • Security Architecture Lead • Privacy Officer / DPO

Certifications

ISO 27001 Lead Auditor • ISO 27001 Lead Implementer • CISM, CISSP, CRISC • PCI DSS ISA / QSA liaison

Regulatory & Framework Experience

APRA CPS 230, 231, 234 • SOCI Act / AESCSF • Privacy Act / GDPR • Essential Eight • NIST CSF • SOC 2

Industry Sectors

Financial services & banking • Energy & utilities • Healthcare • Government & defence • Technology & SaaS

Practical Experience

Board & audit committee reporting • Incident response & breach management • Third-party risk programmes • M&A security due diligence • Cyber insurance assessments

Five-Level Maturity Model

Our assessments go beyond yes/no compliance checks. Each question evaluates maturity on a five-level scale that captures not just whether a control exists, but how well it's implemented, documented, and maintained.

Level 1
Initial

Processes are ad-hoc or reactive. Success depends on individual effort rather than organisational capability.

Level 2
Developing

Basic processes exist but are inconsistently applied. Documentation may be incomplete or outdated.

Level 3
Defined

Processes are documented, standardised, and consistently applied. Responsibilities are clearly assigned.

Level 4
Managed

Processes are measured and controlled. Performance data drives improvement. Management oversight is active.

Level 5
Optimising

Continuous improvement is embedded. Processes are regularly reviewed and enhanced based on performance data.

Framework Alignment

Each assessment is developed through careful analysis of the relevant standard or regulation. Questions map directly to specific clauses, controls, or requirements—so you always know exactly what's being evaluated and why.

Where frameworks allow flexibility in implementation, our assessments evaluate the effectiveness of your chosen approach rather than prescribing specific solutions. This respects the risk-based nature of modern security frameworks.

Assessment Design Principles

Every CyberAssure assessment follows consistent design principles:

  • Clarity: Questions use unambiguous language that security professionals interpret consistently.
  • Completeness: Full coverage of framework requirements without gaps or unnecessary overlap.
  • Practicality: Questions focus on observable, assessable characteristics—not abstract concepts.
  • Consistency: Uniform scoring criteria enable meaningful aggregation and comparison.
  • Actionability: Results clearly indicate where attention is needed and support prioritisation.

Outputs and Reporting

Assessment results support both detailed analysis and executive reporting:

  • Executive Summary (Word): Board-ready overview with maturity scores, key findings, and prioritised recommendations.
  • Gap Register (Excel): Detailed question-level results for remediation planning and tracking.
  • Visual Dashboards: Charts and radar diagrams showing domain-level maturity at a glance.

How to Use Assessment Results

CyberAssure assessments are designed to support specific use cases across the security programme lifecycle.

Baseline Assessment

Establish your starting point. Understand current maturity before setting improvement targets or committing to roadmaps.

Audit Preparation

Identify gaps before external auditors arrive. Use results to prioritise remediation and prepare evidence.

Board Reporting

Provide directors with quantified maturity metrics and clear progress tracking. Support governance oversight.

Continuous Improvement

Run assessments quarterly or annually to track progress, validate remediation, and demonstrate improvement over time.

Budget Justification

Use gap analysis to build evidence-based business cases for security investment and resource allocation.

M&A Due Diligence

Assess acquisition targets' security maturity quickly. Identify inherited risk before deals close.

Evidence That Satisfies Regulators

When regulators examine your cybersecurity governance, they want to see more than policies—they want evidence of action. CyberAssure assessments create the documented trail that demonstrates proactive, risk-based security management.

Documented Assessments

Timestamped reports record when each assessment was conducted and by whom. Retained alongside the evidence gathered at the time, they show regulators a consistent pattern of evaluation—not reactive scrambling after an incident.

Risk-Based Prioritisation

Gap registers ranked by risk severity demonstrate mature decision-making. Regulators expect you to address critical issues first—our outputs make that prioritisation explicit and defensible.

Remediation Tracking

Excel exports enable tracking of remediation progress over time. Demonstrate to regulators that gaps aren't just identified—they're being systematically addressed.

Repeatable Methodology

Consistent scoring criteria enable period-over-period comparison. Show regulators measurable improvement—not subjective claims of progress.
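The following is an added example, not CyberAssure's own scoring engine, showing how the outputs described above (domain-level maturity for a dashboard, a gap register ranked by severity, and a period-over-period delta) can be derived from question-level scores on the five-level scale. The severity weights, the default target level of 3 (Defined), the ranking formula (gap × weight), the question identifiers and the two constructed assessment runs are all assumptions made for illustration; the clause references are ISO 27001:2022 Annex A control numbers used only as sample mappings.

```python
"""Illustrative maturity-score aggregation (added example; not CyberAssure's
scoring method). The five-level scale and the output types follow the page;
the weighting, default target and ranking formula are assumptions."""
from dataclasses import dataclass
from statistics import mean

# Five-level maturity scale as described on the page.
LEVELS = {1: "Initial", 2: "Developing", 3: "Defined", 4: "Managed", 5: "Optimising"}


@dataclass(frozen=True)
class QuestionResult:
    domain: str       # assessment domain, e.g. "Access Control"
    qid: str          # question identifier (constructed for this example)
    clause: str       # clause/control the question maps to
    score: int        # assessed maturity level, 1..5
    target: int = 3   # target level; 3 (Defined) assumed as default target
    weight: int = 1   # assumed severity weight 1..3 (3 = most critical)

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot skew aggregates.
        for name in ("score", "target"):
            value = getattr(self, name)
            if value not in LEVELS:
                raise ValueError(f"{name} must be 1..5, got {value!r}")
        if not 1 <= self.weight <= 3:
            raise ValueError(f"weight must be 1..3, got {self.weight!r}")


def domain_maturity(results):
    """Mean maturity per domain, rounded to 2 dp (radar-chart input)."""
    by_domain = {}
    for r in results:
        by_domain.setdefault(r.domain, []).append(r.score)
    return {d: round(mean(scores), 2) for d, scores in sorted(by_domain.items())}


def overall_maturity(results):
    """Mean across all questions, rounded to 2 dp (headline figure)."""
    return round(mean(r.score for r in results), 2)


def gap_register(results):
    """Questions below target, ranked by gap * weight descending, then by qid.
    Questions at or above target are omitted: they are not gaps."""
    rows = []
    for r in results:
        gap = r.target - r.score
        if gap <= 0:
            continue
        rows.append({
            "qid": r.qid, "domain": r.domain, "clause": r.clause,
            "current": f"{r.score} {LEVELS[r.score]}",
            "target": f"{r.target} {LEVELS[r.target]}",
            "gap": gap, "weight": r.weight, "priority": gap * r.weight,
        })
    return sorted(rows, key=lambda row: (-row["priority"], row["qid"]))


def period_delta(baseline, current):
    """Domain-level change between two runs (current minus baseline).
    A domain present in only one run is reported as None, not as zero."""
    b, c = domain_maturity(baseline), domain_maturity(current)
    return {d: (round(c[d] - b[d], 2) if d in b and d in c else None)
            for d in sorted(set(b) | set(c))}


# Constructed sample data: two assessment runs of the same five questions.
BASELINE = [
    QuestionResult("Access Control", "AC-1", "A.5.15", score=2, weight=3),
    QuestionResult("Access Control", "AC-2", "A.5.18", score=3, weight=2),
    QuestionResult("Incident Response", "IR-1", "A.5.24", score=1, weight=3),
    QuestionResult("Incident Response", "IR-2", "A.5.26", score=2, weight=1),
    QuestionResult("Supplier Management", "SC-1", "A.5.19", score=2, target=4, weight=2),
]
CURRENT = [
    QuestionResult("Access Control", "AC-1", "A.5.15", score=3, weight=3),
    QuestionResult("Access Control", "AC-2", "A.5.18", score=3, weight=2),
    QuestionResult("Incident Response", "IR-1", "A.5.24", score=2, weight=3),
    QuestionResult("Incident Response", "IR-2", "A.5.26", score=3, weight=1),
    QuestionResult("Supplier Management", "SC-1", "A.5.19", score=2, target=4, weight=2),
]

if __name__ == "__main__":
    print("Baseline domains:", domain_maturity(BASELINE))
    for row in gap_register(BASELINE):
        print(f"{row['qid']:5} {row['clause']:7} {row['current']:13} -> "
              f"{row['target']:12} priority={row['priority']}")
    print("Quarter-over-quarter delta:", period_delta(BASELINE, CURRENT))
```

Keeping the ranking formula explicit and the rejected inputs (scores outside 1..5, weights outside 1..3) visible is what makes the register defensible when someone asks "how did you arrive at this?": every priority value can be recomputed from the question-level scores and the declared weights, and a domain that was not assessed in both periods shows as missing rather than as no change.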

"What have you done to assess your security posture, and how are you addressing the gaps?" — With CyberAssure, you'll have the documented answer.

Appropriate Use & Limitations

Self-assessment tools have inherent limitations. Results depend on the knowledge, objectivity, and candour of those completing the assessment.

✓ Assessments Are Designed For

  • Internal maturity evaluation
  • Gap identification and prioritisation
  • Board and management reporting
  • Audit preparation
  • Progress tracking over time

✗ Assessments Do Not Replace

  • Formal certification audits
  • Third-party attestation (SOC 2, etc.)
  • Penetration testing
  • Legal or regulatory advice
  • External compliance validation

Use assessment results as one input alongside other assurance activities. For formal compliance obligations, engage qualified auditors and advisors.

See the methodology in action.

Choose a framework and complete your first assessment today.

Explore Assessments