Four segments. One specialist.

Built for organisations with obligations they can't ignore

Our practice focuses on four types of organisations that share a common challenge — external compliance pressure with no internal team to manage it. We bring the right practitioners to each engagement, drawn from our senior team and specialist associate network.

Resources, Energy & Critical Infrastructure

WA contractors supplying the resources & energy sector

BHP, Rio Tinto, Fortescue, Woodside, Chevron, and INPEX are tightening their supply chain security requirements. Whether you're in hard rock mining or LNG and offshore, your compliance obligations are a condition of doing business — not a box-tick exercise.

  • Received an Essential Eight questionnaire from a tier-1 client with a 30-day deadline
  • Notified by a major energy operator that AESCSF assessment is required to maintain supplier status
  • Designated as a critical infrastructure asset under SOCI Act but unsure of your obligations
  • No dedicated cyber or IT security staff — compliance falls on the IT manager or CFO
  • Previous attempts to use a generalist IT company resulted in failed or incomplete assessments
Frameworks we manage for this segment: Essential Eight ML1–ML3, AESCSF, SOCI Act, ISO 27001, Privacy Act / APP
Why resources & energy contractors choose Outplat

  • 30+ days — typical deadline for supply chain questionnaires
  • ML2: minimum Essential Eight level required by most tier-1 contractors
  • 72hr: SOCI Act incident notification window
  • 1 fixed monthly retainer — no billing surprises

"Our tier-1 client just sent a compliance questionnaire and we have no idea where to start."

Defence Supply Chain

Contractors pursuing DISP membership

DISP membership is mandatory to hold or bid for Defence contracts in Australia. With AUKUS driving significant new opportunities in Western Australia, more WA businesses are seeking DISP — but the application process and ongoing compliance obligations are complex without specialist support.

  • Need DISP membership to bid for a specific Defence contract or prime contractor subcontract
  • DISP applications take 90+ days — unsure how to start or what security controls are required
  • Essential Eight ML2 required for DISP but no internal security capability to implement it
  • Holding DISP but struggling to maintain the ongoing security obligations and evidence
  • AUKUS opportunities are visible but compliance readiness is the barrier to bidding
Frameworks we manage for this segment: DISP, Essential Eight ML2, PSPF, ISO 27001
Why defence contractors choose Outplat

  • 90+ days — minimum DISP application processing time
  • ML2: Essential Eight level required for DISP membership
  • 3 frameworks typically required: E8, PSPF, ISO 27001
  • 1 partner managing all DISP obligations ongoing

"We need DISP membership to bid for this Defence contract but we don't have a security team."

Anglican & Independent Schools

Schools managing student data obligations

Your school holds sensitive personal data on thousands of students and families. Under the Privacy Act, you have significant obligations — and with 2024 reforms dramatically increasing penalties, the cost of non-compliance is no longer theoretical. We work directly with Anglican and independent schools across WA.

  • Small IT team with no dedicated privacy or security compliance capability
  • Board or diocese requesting evidence of Privacy Act and cyber security compliance
  • Cyber insurance requiring evidence of Essential Eight controls at renewal
  • Data breach headlines in the education sector creating board-level anxiety
  • No budget for a full-time security hire — fixed monthly fee is the only viable model
Frameworks we manage for this segment: Privacy Act / APP, Essential Eight, PCI DSS, ISO 27001
Why schools choose Outplat

  • $50M: maximum penalty for a serious Privacy Act breach (2024 reforms)
  • 16+ Anglican schools across WA, VIC and NSW in our network
  • 1 fixed monthly fee your board can approve
  • 0 internal cyber hires required

"Our school holds data on thousands of students and I'm not confident we're meeting our Privacy Act obligations."

Australian Product Companies

SaaS & fintech companies unlocking enterprise sales

Your enterprise prospect won't sign until you have ISO 27001 or SOC 2. Your US expansion requires a Type II report. You're a 20–150 person product company with no internal GRC function and a deal on the line. We manage the certification pathway on a fixed monthly retainer so your team can stay focused on the product.

  • Enterprise deal blocked — procurement team requesting ISO 27001 certificate or SOC 2 report
  • US market entry requiring SOC 2 Type II but no internal team to run the readiness program
  • Investor due diligence flagging absence of a formal information security management system
  • One security engineer handling everything — certification work is pulling them off product
  • Quoted $80k+ by a Big 4 firm for ISO — need a fixed-fee model that fits a startup budget
Frameworks we manage for this segment: ISO 27001, SOC 2, Privacy Act / APP, PCI DSS
Why product companies choose Outplat

  • 65% control overlap between ISO 27001 and SOC 2 — we deliver both in one program
  • 6mo: typical time from engagement start to ISO 27001 certification readiness
  • 1 fixed monthly retainer — no Big 4 hourly billing
  • 0 internal GRC hires required

"Our enterprise prospect won't sign until we have ISO 27001. We're a 40-person SaaS company with no GRC function."

Get Started

Not sure which segment fits your situation?

Book a free 30-minute discovery call. We'll confirm which frameworks apply to your organisation and what it would take to get compliant.
