ISO 27001 & Essential 8 specialists — Australia-wide.
Our compliance-first IT team has in-house ISO 27001 Lead Auditors who implement your ISMS, run your Essential 8 assessment, and prepare you for certification, not just tick boxes.
ISMS implementation & certification readiness
ISO 27001 is the international standard for Information Security Management Systems. For Australian businesses tendering to government or enterprise clients, it is increasingly a mandatory requirement — not a differentiator.
Your IT Managers has ISO 27001 Lead Auditors on staff, meaning we don't just implement your ISMS — we understand exactly what the certification auditors will look for, and we prepare you accordingly.
- ✓ Gap Analysis — Know exactly where you stand against all 93 ISO 27001:2022 Annex A controls
- ✓ ISMS Design & Implementation — Policies, procedures, risk register, and Statement of Applicability tailored to your business
- ✓ Technical Controls — Integrated with your Microsoft 365, Azure, and on-premises infrastructure
- ✓ Audit Preparation — Internal audit cycle, management review, and certification body readiness
- ✓ Certification Liaison — We work with your chosen certification body throughout the Stage 1 (documentation) and Stage 2 (implementation) audits
Typical ISO 27001 timeline
For a 20–100 person Australian business
Weeks 1–2: Gap Assessment
Current-state audit, gap report, remediation roadmap
Months 1–3: ISMS Design
Policies, procedures, risk register, SoA, asset register
Months 4–8: Implementation
Technical controls, staff training, internal audits
Months 9–12: Certification
Stage 1 & Stage 2 audit, certificate issued
ACSC Essential 8 maturity assessments & implementation
Mandated for Commonwealth entities under the Protective Security Policy Framework and increasingly demanded of their suppliers and by enterprise supply chains. We take you from Maturity Level 0 to Level 3 with a clear, costed roadmap.
Level 0
Controls not yet implemented. Significant vulnerability exposure. Most enterprise vendor questionnaires and government tenders will fail at this maturity.
Contact us for pricing
Level 1
Baseline hygiene in place. Mitigates adversaries who rely on widely available commodity tradecraft and opportunistic targeting. Suitable for low-sensitivity contracts and many enterprise vendor assessments.
Contact us for pricing
Level 2
Stronger controls. Mitigates adversaries with a modest step-up in capability who invest more time and effort in selective targeting. The baseline most AusTender, State government, and enterprise supply-chain audits ask for.
Contact us for pricing
Level 3 ★
Highest maturity level. Mitigates adversaries who are more adaptive and much less reliant on public tools and techniques. Expected in Defence and intelligence supply chains and other high-sensitivity environments, and increasingly requested by regulated sectors such as APRA-regulated financial services and multinational supply chains.
Contact us for pricing
The 8 mitigation strategies we assess & implement
Application Control
Only approved software can execute on your systems
Patch Applications
Applications patched within ASD's timeframes, with the tightest windows for internet-facing services and vulnerabilities under active exploitation
Configure Macro Settings
Microsoft Office macros blocked or restricted
User Application Hardening
Browsers and office apps hardened against exploitation
Restrict Admin Privileges
Privileged access limited to those who require it, with privileged accounts kept off email and the internet
Patch Operating Systems
OS patches applied within required timeframes
Multi-Factor Authentication
MFA enforced across all user and privileged accounts
Regular Backups
Backups tested, secured, and restorable on demand
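What a "Configure Macro Settings" check looks like in practice: the script below is an added example written for this page, not the firm's own assessment tooling. It reads the per-user Office Group Policy keys (assumed here to be the `16.0` hive used by Office 2016/2019/365 and the app names listed in `$apps`) and flags any application where macros are not disabled and macros in files from the internet are not blocked.

```powershell
# Added example: audit Office macro hardening for the Essential 8
# "Configure Macro Settings" strategy. Assumptions: Office 16.0 policy hive,
# per-user (HKCU) Group Policy keys, and the app list below.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

$results = foreach ($app in $apps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # vbawarnings: 4 = disable all macros without notification
    #              3 = disable all except digitally signed macros
    #              2 = disable with notification (user can enable: not compliant)
    #              1 = enable all macros (not compliant)
    $vba   = $props.vbawarnings
    # blockcontentexecutionfrominternet: 1 = block macros in files marked
    # as downloaded from the internet (Mark of the Web)
    $block = $props.blockcontentexecutionfrominternet

    [pscustomobject]@{
        App                 = $app
        PolicyKeyPresent    = [bool]$props          # $false if no policy is applied at all
        VBAWarnings         = $vba
        BlockInternetMacros = $block
        # Compliance rule assumed for this example: macros disabled entirely (4),
        # or restricted to digitally signed macros (3) for users with a business need,
        # AND internet-sourced macros blocked. Adjust to your own SoA.
        Compliant           = ($block -eq 1) -and ($vba -in 3, 4)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets the check feed a scheduled task or RMM job.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it in the context of the user being assessed (the keys are per-user). A missing policy key means the setting is controlled by the user's own Trust Center choices, which Essential 8 treats as non-compliant because users can change them; Outlook uses a different key (`...\Outlook\Security\level`) and is deliberately left out of this example.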
Privacy Act compliance (APP 11 & NDB)
Recent Privacy Act reforms, including the 2022 penalty increases and the 2024 amendments taking effect through 2025, significantly strengthen obligations for businesses handling personal information. Serious or repeated interferences with privacy can attract civil penalties of the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the period.
APP 11 — Security of Personal Information
We assess and implement the technical and organisational controls required under Australian Privacy Principle 11.
Notifiable Data Breach (NDB) response
Incident response planning, breach detection capabilities, and the OAIC notification framework — ready before you need it.
APRA CPS 234 & CPS 235 support
Australian financial services businesses, including banks, insurers, and superannuation funds, are bound by APRA's prudential standards on information security and data risk, with significant regulatory consequences for non-compliance.
CPS 234 — Information Security
Capability assessment, control implementation, and notification obligation management under the APRA CPS 234 standard.
CPS 235 — Data Risk
Data risk framework alignment, third-party data management, and incident response — aligned with updated 2025 requirements.
When your customer hands you a security questionnaire.
Banks, super funds, hospital networks, and multinational tech buyers run vendor due diligence on every supplier. They send you a 200-question SIG, a CAIQ, an Essential 8 assessment, an ISO 27001 evidence pack, or their own custom enterprise form. You've got two weeks. The deadline is the contract you want to close.
Most of the questions need someone who actually understands the controls — not a sales person guessing. That's where we sit.
Questionnaire response
We complete your customer's vendor security questionnaire on your behalf — SIG Lite, full SIG, CAIQ, ASD Essential 8, ISO 27001 evidence packs, or custom enterprise forms. Each answer is technically accurate, evidenced where required, and flags any genuine gaps with a remediation plan attached.
Pre-audit dry runs
Before your customer runs their actual audit, we run a mock audit against the same scope using the same standard. We identify what will fail, fix what we can, and brief your team on what the auditor will likely test. No surprises on audit day.
Audit-day standby
When your customer's audit team turns up — in person, on Teams, or via a long questionnaire thread — we sit alongside your team. We answer the technical questions, produce the evidence on request, and represent your security posture credibly to your customer's assessors.
Stay certified. Stay compliant. Zero surprises.
Certification isn't a one-time event — it's a continuous cycle. Our compliance service agreement keeps your ISMS maintained, your controls up-to-date, and your next audit straightforward.
Continuous monitoring
Monthly control testing, vulnerability scanning, and ISMS maintenance so your framework stays effective — not just documented.
Internal audit cycle
Quarterly internal audits, management reviews, and risk assessments — all the housekeeping required to maintain certification.
Incident response
When a security incident occurs, we activate your incident response plan, handle containment, and manage any mandatory reporting obligations.
Fixed-scope compliance engagements
No hourly billing. No scope creep surprises. Every engagement is quoted at a fixed price before we start.
| Service | Timeline | Pricing |
|---|---|---|
| Essential 8 Gap Assessment | 5 business days | Contact us for a proposal |
| Essential 8 Level 0 → Level 1 | 4–8 weeks | Contact us for a proposal |
| Essential 8 Level 1 → Level 2 | 8–16 weeks | Contact us for a proposal |
| Essential 8 Level 2 → Level 3 | 12–20 weeks | Contact us for a proposal |
| ISO 27001 Gap Analysis | 2 weeks | Contact us for a proposal |
| ISO 27001 Full ISMS Implementation | 6–12 months | Contact us for a proposal |
| Ongoing Compliance Service Agreement | Monthly | Contact us for a proposal |
All pricing excludes GST. Final scope and investment confirmed after initial assessment. Fixed-scope engagement means no billing surprises.
Know where you stand in 5 business days
Our gap assessment gives you a plain-English report on exactly where your compliance gaps are — and what fixing them will cost. No obligation.