Overview

The TSRMP Risk Management Program Assessment Tool gives telecommunications security and risk teams a structured, evidence-backed way to build, evaluate and maintain their all-hazards risk management program — at the individual asset level and across the entire asset portfolio. Whether you are preparing your board-approved annual report, an annual attestation to the Cyber and Infrastructure Security Centre, a CISC information request, or your own internal gap analysis, the tool does the heavy lifting: material risk identification, hazard-vector scoring, gap analysis, evidence management, and report generation — entirely within your browser, with no data leaving your environment unless you explicitly enable an AI feature.

The assessment is structured around the four TSRMP hazard vectors — cyber and information security, personnel, supply chain, and physical security and natural hazards — with the "protect your asset" obligation and the telecommunications-specific risks (compromise, theft or manipulation of communications) woven through. A dedicated cyber maturity module lets you target the maturity level of a recognised framework per asset, with ML1 and ML2 milestones surfaced against the regulatory clock. Multi-asset portfolio mode aggregates assessments across every critical telecommunications asset you operate, and period tracking turns point-in-time scoring into the defensible trajectory regulators look for after an incident.

All-Hazards Coverage

Every TSRMP material risk is captured under the right hazard vector — cyber and information, personnel, supply chain, physical and natural — with the operational context, material risk, mitigation and residual impact recorded against each asset.

Multi-Asset Portfolio Mode

Every critical telecommunications asset you operate — network and non-network — scored consistently and rolled up into a single portfolio view, with cross-asset heatmaps, common gap analysis, common evidence weaknesses, and an AI-narrated portfolio executive summary.

Secure by Design

Runs entirely in your browser. No SaaS dependency, no account required, air-gap compatible. Optional AI features connect only when you choose to enable them, using your own API key — and can be disabled site-wide for regulated environments.

What the TSRMP Asks You to Do — and How the Tool Handles It

The Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 switch on the Part 2A risk management program obligations of the SOCI Act for critical telecommunications assets. They consolidate the national security obligations that previously sat under the Telecommunications Sector Security Reforms (TSSR) into the SOCI Act's all-hazards setting — and add telecommunications-specific risks, including the compromise, theft or manipulation of communications. For each critical telecommunications asset, a responsible entity must identify its operational context, identify every hazard that poses a material risk of relevant impact, minimise or eliminate that material risk so far as is reasonably practicable, and mitigate the relevant impact of the hazard.

The tool integrates every element of the program — the four hazard vectors, the "protect your asset" obligation, the telecommunications-specific risk additions, the cyber maturity uplift milestones, and the board-approved annual report structure — so the question is never "have we covered the obligation?" but rather "what does the evidence support?".

The Four Hazard Vectors

A TSRMP must address each hazard vector for every critical telecommunications asset. The tool structures the assessment around all four, mirroring the CIRMP Rules with the telecommunications-specific additions built in:

Cyber & Information Security

  • Maturity uplift to a recognised framework (ML1, ML2)
  • Compromise, theft or manipulation of communications
  • Network segregation & access controls
  • Cyber incident detection & reporting

Personnel

  • Screening of critical and trusted-access roles
  • Insider risk & malicious-insider controls
  • Offboarding & access revocation
  • Ongoing suitability assessment

Supply Chain

  • Vendor & managed-service provider risk
  • Offshoring & outsourcing risk-based approach
  • High-risk vendor & 5G considerations
  • Equipment & component provenance

Physical Security & Natural Hazards

  • Site & facility physical security
  • Natural hazard & environmental resilience
  • Power, environment & redundancy
  • Business continuity & recovery

Telecommunications-Specific Material Risks — Beyond a Generic CIRMP

The TSRMP Rules largely mirror the existing Critical Infrastructure Risk Management Program (CIRMP) Rules, but add the material risks that are distinctive to telecommunications: the compromise, theft or manipulation of communications, and the obligation to protect both the network assets used to provide a carriage service and the non-network assets that support them — billing and charging systems, provisioning and operational support systems, and the like. The tool flags these telecommunications-specific risks explicitly so they are never lost inside a generic all-hazards template.

The "protect your asset" obligation sits over the top: protect each critical telecommunications asset, so far as it is reasonably practicable to do so, where there is a material risk of harms that would have a relevant impact. Each material risk is recorded with its operational context, its assessed likelihood and impact, the mitigation in place, and the residual position — the structured record that turns a risk register into a defensible program rather than a tick-box exercise.

Cyber Maturity Uplift — ML1 by October 2026, ML2 by October 2027

The cyber and information security vector carries the most demanding milestones in the TSRMP regime. Responsible entities must reach the maturity equivalent of a recognised framework — commonly ISO/IEC 27001:2023, the ACSC Essential Eight, or the NIST Cyber Security Framework — with maturity level one due by 4 October 2026 and maturity level two by 4 October 2027. Critically, the obligation is to comply with the relevant maturity, not to become certified. The tool's cyber maturity module lets you:

  • Select your framework per asset — choose ISO 27001:2023, Essential Eight or NIST CSF for each asset and the tool filters to the right controls and maturity criteria.
  • Target ML1 and ML2 — set the target maturity level per asset, with live achievement scoring as you progress and the regulatory due dates surfaced against current posture.
  • Track the gap to target — every control below its target maturity is captured as a gap, prioritised and routed into the remediation plan with a date-aware view of how far you are from the next milestone.
  • Evidence the "comply, not certify" position — capture the evidence that demonstrates compliance with the framework's maturity without requiring a certification body, exactly as the Rules contemplate.

Multi-Asset Portfolio Mode

Most carriers and relevant CSPs operate many critical telecommunications assets — core network, access network, data centres, operational support systems, billing and charging platforms — each with its own scope and risk profile. The Asset Registry holds every asset in your portfolio, each with its own classification, framework selection, cyber maturity target, and assessment status, all visible on a single dashboard. The portfolio-level views go well beyond simple aggregation:

  • Asset × Hazard Heatmap — A colour-coded cross-portfolio matrix showing every asset against the four hazard vectors, with average posture by vector across assets, sortable to surface the weakest vectors across the portfolio.
  • Posture by Asset Type — Compare across asset types (network, non-network, data centre, OSS/BSS) to see whether systemic weaknesses cluster by operational context.
  • Common Gaps Across the Portfolio — Material risks and controls where multiple assets fall short, with the explicit list of affected assets. Fix one root cause at the policy or platform level, clear many asset-level gaps at once.
  • Common Evidence Weaknesses — Patterns where evidence quality is consistently weak across assets, pointing at systemic documentation deficiencies worth addressing centrally — plus reference examples of assets with strong evidence for the same control.
  • Common Low-Maturity Controls — The cyber controls that consistently score below their ML target across assets — the structural patterns worth a portfolio-wide programme rather than per-asset remediation.
  • Portfolio Overview Dashboard — Tile metrics across the top show total assets, average posture, cyber maturity achievement, and outstanding actions. Programme managers see exactly where to push next.

Evidence Workflow & Reviewer Overrides

Each material risk and control presents the assessor with a structured answer scale (None, Partial, Strong, plus N/A with justification), an inline guide to what good evidence looks like, and a drag-and-drop area for attaching supporting documents — PDFs, Word, Excel, images, CSV — directly to the item.

An independent reviewer workflow captures observations against the evidence in structured fields. The reviewer can override the self-assessed position where the evidence clearly contradicts it, with both the original answer and the reviewer override preserved in the audit trail. When AI is enabled, AI-suggested ratings (with confidence rating low/medium/high) sit alongside the self-assessment and the reviewer override — three independent signals, all visible side-by-side, all auditable.

Period Tracking, Baselines & the Annual Report Cycle

The TSRMP is not a point-in-time obligation. A board-approved annual report is required from FY2026, supported by an annual attestation — and the Secretary of the Department of Home Affairs can request information and documents, and direct variation of a program assessed to have a serious deficiency. The tool treats assessment as a continuous activity, with first-class support for the time dimension:

  • Maturity Snapshot & Baseline — Save a point-in-time baseline; capture manual overrides where appropriate; replace, clear or revert baselines as the programme evolves.
  • Annual Period Closure — Formally close a reporting period and archive it, freezing the state behind the board-approved annual report for audit and historical comparison.
  • Year-over-Year Comparison — Improvements, regressions, evidence added or removed, reviewer-decision changes, cyber maturity movement — all surfaced as a structured change report between any two reporting periods.
  • Multi-Period Trend Comparison — Load three or more historical periods to visualise trajectory by hazard vector and asset across time.
  • Per-Asset Maturity Trends — Each asset's trajectory over multiple closed periods, plus a portfolio-average trend line — the trajectory regulators will examine post-incident.

For carriers and relevant CSPs working toward the cyber maturity milestones of October 2026 and October 2027, this is the evidence trail that demonstrates credible intent — quarter by quarter, not just at year end.

Audit Log, Collaboration & Resilient Storage

Every answer, note, evidence change and reviewer override is captured in a chronological audit log — the complete record of who did what and when, with full version history accessible from the in-app log viewer.

Optional Shared Folder Mode turns the assessment into a team workspace. Multiple assessors work in parallel on a multi-asset portfolio via OneDrive, SharePoint, Microsoft Teams, Google Drive, or Dropbox. Per-asset file locking prevents conflicting edits; identity stamping records who changed what; live change polling surfaces edits in seconds; and the sync provider conflict detector flags "conflicted-copy" files so you can resolve them manually rather than discovering them at audit time. A 30-day soft delete with one-click restore prevents accidental data loss.

Evidence storage is resilient by design — content-derived filenames (so evidence titles never leak through the folder browser), per-file and per-question caps, browser-storage quota monitoring, optional encryption-at-rest, a crash-recovery mirror, and a read-only Evidence Health Check audit available from Settings.

Who It's For

  • Carriers holding a carrier licence with critical telecommunications assets
  • Relevant carriage service providers — those supplying 20,000+ active carriage services or supplying to the Commonwealth Government or defence
  • Telecommunications security and risk teams building or maintaining an all-hazards risk management program
  • Operators needing portfolio-wide visibility across network and non-network assets
  • Boards, risk committees and assurance teams preparing the annual report and attestation to the CISC

What You Receive

Comprehensive asset-level and portfolio-level TSRMP outputs — every deliverable drawn from the same underlying data, so one assessment becomes every artefact you need.

AI-Enhanced Asset Word Report

Per-asset narrative deliverable — hazard-vector posture, cyber maturity achievement, material risk register, gap register, evidence register, and prioritised remediation plan. When AI is enabled, includes an AI-generated executive summary and per-vector narratives.

Board-Approved Annual Report

The artefact the Rules actually require — an annual report structured for board approval and attestation, summarising the program, the material risks managed across the four hazard vectors, the cyber maturity position, and the year's changes. Drawn straight from your assessment data.

Multi-Worksheet Excel Workbook

The same data in tabular form across multiple sheets — material risk register, gap register, remediation plan, evidence register, full results matrix, N/A exclusions. Drops into JIRA, Asana or Smartsheet without re-keying.

Portfolio Word & Excel Reports

Cross-asset executive summary, asset × hazard heatmap, common gaps register, common evidence weaknesses, common low-maturity controls, and portfolio-wide recommendations — generated automatically from per-asset data.

Asset × Hazard Heatmap

Cross-portfolio matrix of assets against the four hazard vectors, colour-coded by posture, sortable to surface the weakest vectors and the weakest assets. Reveals patterns no per-asset view can show.

Cyber Maturity Matrix & Movement

At-a-glance ML1/ML2 achievement per asset against your chosen framework, with a movement view tracking which assets have advanced or slipped between reporting periods, and the due dates surfaced against current posture.

Material Risk Register

Every identified material risk across the four hazard vectors — operational context, likelihood and impact, mitigation in place, residual position, and the telecommunications-specific risks flagged explicitly. The defensible core of the program.

Evidence Package (ZIP)

Every attached evidence file organised by asset and item, with an Excel register cataloguing each file with metadata. Ships in one click when the CISC, an auditor or the Secretary asks for substantiation.

Year-over-Year Comparison

Vector-by-vector change reports between any two periods — improvements, regressions, evidence added/removed, reviewer-decision changes, and cyber maturity movement. AI-narrated when enabled.

Multi-Period Trend Comparison

Load three or more historical periods to visualise trajectory across time, with per-asset and per-vector trends. The trajectory regulators examine post-incident.

Reviewer Override Audit Trail

Independent reviewer can override self-assessed and AI-suggested ratings with full justification — original answer, AI suggestion, and reviewer conclusion all preserved in the audit log.

Shared Folder Collaboration

Team workspace via OneDrive, SharePoint, Microsoft Teams, Google Drive or Dropbox — with per-asset locking, identity stamping, live change polling, sync conflict detection, and 30-day soft delete with restore.

AI woven through every stage

AI assistance that earns its place.

Twelve AI capabilities — entirely optional, opt-in via your own Anthropic API key — accelerate every phase of TSRMP work, from understanding a hazard-vector obligation to drafting the board narrative inside the annual report itself. The tool works fully without them; with them, the per-cycle effort that used to consume weeks of consultant time becomes a quarterly cadence your own team operates.

  • Phase 1: During the assessment
  • Phase 2: During review
  • Phase 3: Before & in the deliverables
  • Phase 4: Across periods

Phase 1

AI Advisor Chat

Connected Claude assistant that explains any TSRMP obligation, hazard vector, material risk or maturity criterion in plain English — with conversational follow-up. Asset name, framework, target maturity, your scores and notes are passed as context, so answers are tied to your actual posture, not generic boilerplate.

Phase 1

Draft With AI

Turn bullet-point facts into a structured assessment note — the assessor captures key facts, AI drafts the defensible written rationale that lives with the answer. The slow, low-energy step that usually gets skipped now takes seconds.

Phase 1

Context-Aware Suggested Prompts

One-tap prompt chips built into the AI Advisor — "Biggest gaps?", "Uplift plan", "Evidence to gather", "Board summary" — each pre-wired to your actual assessment data and maturity target. The fastest way to get useful AI output without crafting prompts.

Phase 2

AI Evidence Review with Rating Suggestion

Attached PDFs, images, Word, Excel and CSV files are read by AI and assessed against the TSRMP control or material risk — with a suggested rating and a low/medium/high confidence level. The reviewer keeps the final call; AI does the first pass.

Phase 2

AI Deep Review

A more thorough AI pass for higher-criticality evidence — multi-pass analysis with finer-grained gap identification, traceable back to specific obligations or maturity criteria. For the items where "looks about right" isn't good enough.

Phase 2

AI Remediation Drafting

For each identified gap, AI drafts a specific remediation action — what to do, why it matters, how it lifts maturity or reduces residual risk. Regenerate if the first draft isn't quite right. The gap register stops being a list of problems and starts being a list of next actions.

Phase 3

Pre-Export Quality Review

Diagnostic AI scan over the entire asset or portfolio assessment before export — surfaces empty notes on Strong answers, missing evidence on key controls, reviewer/confidence inconsistencies, and overrides without justification. Diagnostic only; no answers are changed.

Phase 3 · In the annual report

AI Asset Executive Summary

The asset report opens with an AI-generated executive summary written from your actual assessment data — cyber maturity position, headline gaps, telecommunications-specific risk findings, and recommended priorities for this asset. The asset owner's board narrative, pre-drafted.

Phase 3 · In the annual report

AI Portfolio Executive Summary

A different summary — written from the cross-asset view. Portfolio average posture, weakest hazard vectors across the portfolio, common gaps with the highest leverage, systemic evidence weaknesses, and the cross-asset investment case. The CISO or programme director's narrative, drafted.

Phase 3 · In the annual report

AI Hazard-Vector Narratives

Board-ready prose inside the annual report — for each of the four hazard vectors, an AI-written narrative explaining what the vector covers, your posture, where the gaps sit, and what to do next. Attestation-grade language, generated from your data.

Phase 4

AI Period Comparison Narrative

When you load a previous assessment for year-over-year comparison, AI drafts the narrative of what changed — improvements, regressions, where evidence strengthened, and the trajectory story for the board. The "are we on track for ML2?" question, answered in prose.

Phase 4

AI Common-Gap Remediation Plan

For each Common Evidence Weakness or Common Low-Maturity Control across the portfolio, AI drafts a cross-asset systemic remediation plan — the leverage point that turns dozens of asset-level findings into a single funded programme.

Bring your own API key · Pay only for what you use

All twelve AI features connect using your own Anthropic Claude API key, stored only in your browser's session memory — never saved to disk, never sent to CyberAssure. Typical usage is a few dollars per full assessment cycle. AI can be disabled site-wide via Settings for regulated environments, and a sensitive-data warning is shown before evidence is submitted for AI review.

Regulatory Context

TSRMP: cyber ML1 by Oct 2026, ML2 by Oct 2027

The TSRMP Rules commenced on 4 April 2025 and required an all-hazards risk management program in place by 4 October 2025. The cyber and information security vector then steps up: maturity level one by 4 October 2026 and maturity level two by 4 October 2027, with a board-approved annual report required from FY2026. The tool's portfolio mode, period tracking, and AI-enhanced reporting were built precisely for this multi-milestone uplift.

Ready to Build and Evidence Your TSRMP?

Get in touch to discuss access to the TSRMP Risk Management Program Assessment Tool.

Often Used Alongside

Organisations frequently combine this assessment with complementary frameworks to address multiple governance requirements.

Cyber Maturity

Essential Eight Assessment

Evidence the cyber and information security vector against the ACSC Essential Eight Maturity Model across Levels 1–3.

Third-Party Risk

Supply Chain Security Assessment

Extend supply chain hazard coverage with comprehensive vendor and third-party assessment across the vendor lifecycle.
