Whether you're facing a supply chain questionnaire, a Defence contract requirement, a SOCI Act obligation, a Privacy Act audit, or a customer security review — we have a managed service built for it.
Resources & Energy
Defence
Schools
Essential Eight
ASD's baseline cyber controls — mandatory for Australian government contractors and increasingly required by resources and energy sector prime contractors. We manage your controls, evidence, and maturity uplift from ML1 through to ML3.
What we deliver
- Current-state gap assessment against ML1, ML2, or ML3
- Remediation roadmap and implementation support
- Ongoing control monitoring and evidence maintenance
- Audit-ready reporting and questionnaire response support
Resources & Energy
Defence
Product Companies
ISO 27001
International information security management standard. Required by enterprise clients, government tenders, and product companies pursuing enterprise sales or export markets. High control overlap with Essential Eight and DISP — significant efficiency gains when bundled.
What we deliver
- Scoped ISMS design and implementation
- Risk register and treatment plan development
- Policy and procedure library
- Certification readiness and audit preparation
Defence
AUKUS Supply Chain
DISP
Defence Industry Security Program membership is mandatory to win and hold Defence contracts in Australia. We manage the full application, implement required security controls, and maintain your DISP obligations on an ongoing basis.
What we deliver
- DISP application preparation and submission support
- Essential Eight ML2 implementation required for DISP
- Facility Security Officer (FSO) advisory and support
- Ongoing DISP obligations management
Resources & Energy
Critical Infrastructure
AESCSF
The Australian Energy Sector Cyber Security Framework — mandatory for energy sector organisations designated as critical infrastructure assets under the SOCI Act. We specialise in AESCSF for LNG, offshore, pipeline, and mining operators across the WA supply chain.
What we deliver
- AESCSF maturity self-assessment and gap analysis
- IT/OT convergence compliance scoping
- SOCI Act obligations mapping and incident response planning
- Maturity uplift program and evidence management
Schools
Product Companies
All Segments
Privacy Act / APP
Australian Privacy Principles compliance — mandatory for any organisation handling personal information. Critical for schools managing student data and product companies handling customer data. 2024 reforms increased maximum penalties to $50M for serious breaches.
What we deliver
- Privacy Act obligations assessment and gap analysis
- Privacy management framework and policy development
- Data mapping and third-party risk assessment
- Breach response procedures and staff awareness
Defence
Federal Govt Contractors
PSPF
Protective Security Policy Framework — mandatory for Federal government agencies and their service providers. Pairs directly with Essential Eight for defence contractors and is a core component of DISP compliance.
What we deliver
- PSPF maturity assessment across all four outcomes
- Personnel, physical, and information security controls
- PSPF reporting framework and evidence collection
- Integration with DISP and Essential Eight programs
Product Companies
US Market Entry
SOC 2
Trust Services Criteria attestation — required by US enterprise buyers and increasingly by Australian enterprise procurement teams. 65–70% control overlap with ISO 27001 means significant efficiency gains for companies pursuing both. We manage readiness through to the Type II report.
What we deliver
- SOC 2 readiness assessment and gap analysis
- Trust Services Criteria control design and implementation
- Evidence collection and continuous monitoring program
- Auditor liaison and Type I / Type II report preparation
Schools
Product Companies
Resources & Energy
PCI DSS
Payment Card Industry Data Security Standard — mandatory for any organisation that stores, processes, or transmits cardholder data. Applies to schools collecting fees and donations, product companies with payment surfaces, and larger contractors with procurement portals. We manage SAQ preparation through to RoC readiness.
What we deliver
- Merchant level assessment and SAQ scope determination
- Cardholder data environment (CDE) scoping and reduction
- Control gap remediation and evidence management
- SAQ completion support and QSA liaison
Product Companies
Defence
Resources & Energy
ISO 42001
The AI Management System standard — the emerging benchmark for organisations developing, deploying, or procuring AI systems. Enterprise buyers and government agencies are beginning to require it. For product companies with AI in their stack, it pairs directly with ISO 27001 with significant control overlap.
What we deliver
- AI management system design against ISO 42001 requirements
- AI risk assessment and impact evaluation framework
- Responsible AI policy and governance documentation
- Certification readiness and ongoing compliance management
Product Companies
Resources & Energy
Defence
Australian AI Obligations
Mandatory guardrails for high-risk AI are expected in legislation by 2025–2026, covering AI used in credit decisioning, employment, critical infrastructure, and safety-critical systems. We deliver AI governance readiness now, so you're not left reacting when obligations become law.
What we deliver
- High-risk AI use case identification and obligation mapping
- Voluntary AI Ethics Framework alignment assessment
- AI governance policy and register development
- Readiness program ahead of mandatory guardrail legislation
Resources & Energy
Critical Infrastructure
SOCI Act
Security of Critical Infrastructure Act obligations for designated asset owners and operators — including mandatory incident reporting, risk management program requirements, and enhanced cyber security obligations.
What we deliver
- Critical Infrastructure Risk Management Program (CIRMP)
- 72-hour incident notification framework and procedures
- Asset register and responsible entity documentation
- Ongoing SOCI obligations management and reporting