Cyber Security Diagnostic

  • The Cyber Security Diagnostic helps organisations independently assess how well their security practices protect critical systems and information from cyber threats.
    It identifies strengths, risks, and improvement opportunities across governance, technology, operations, and culture — from prevention and detection through to response and recovery.

    This diagnostic provides a structured, evidence-based assessment. It supports implementation of the Australian Signals Directorate’s Essential Eight, aligns with ISO/IEC 27001, the NIST Cybersecurity Framework 2.0, and APRA CPS 234, and gives boards, executives, and regulators a defensible view of resilience and assurance.

  • The assessment draws on:
    ASD Essential Eight — foundational mitigation strategies for Australian organisations.
    ISO/IEC 27001:2022 and 27002:2022 — international standards for information security management systems and controls.
    NIST Cybersecurity Framework 2.0 — recognised global model covering Govern, Identify, Protect, Detect, Respond, and Recover.
    APRA CPS 234 (Information Security) — information security requirements for APRA-regulated entities, applied here more broadly to organisations outside the prudential regime.
    ISO 22301 — international standard for business continuity management systems and operational resilience.
    Industry practice — including emerging areas such as ransomware preparedness, cyber insurance, and supply chain security.

    1. Cyber Governance and Accountability
      Examines oversight, leadership roles, policies, and integration of cyber risk into enterprise governance.

    2. Risk Management and Asset Context
      Reviews how risks are identified, assessed, and prioritised across critical systems, assets, and data.

    3. Baseline Controls – Essential Eight Implementation
      Assesses the coverage and maturity of the eight core mitigation strategies published by the Australian Cyber Security Centre, measured against the Essential Eight Maturity Model (Maturity Levels 0 to 3).

    4. Identity, Access, and Privilege Management
      Evaluates how access is granted, reviewed, and revoked, including privileged account governance and multi-factor authentication.

    5. Vulnerability, Patch, and Configuration Management
      Examines processes for identifying, prioritising, and remediating vulnerabilities, and maintaining secure configurations.

    6. Endpoint, Email, and Application Security
      Reviews protective measures for devices, applications, and communication channels, including secure development and threat filtering.

    7. Network and Cloud Security Architecture
      Assesses segmentation, perimeter controls, and cloud security design aligned with zero-trust principles.

    8. Data Protection and Key Management
      Evaluates encryption, key lifecycle management, data loss prevention, and secure handling across environments.

    9. Security Monitoring and Detection
      Reviews visibility across systems, logging coverage, alert management, and threat detection capability.

    10. Incident Response and Crisis Management
      Assesses readiness to respond to cyber incidents, including response plans, escalation paths, and communication processes.

    11. Backup, Recovery, and Ransomware Readiness
      Evaluates backup frequency and coverage, immutable or offline copies, regular restoration testing, and recovery planning for ransomware and other disruptions.

    12. Business Continuity and Operational Resilience
      Reviews the organisation’s ability to maintain critical services through disruption and integrate lessons learned.

    13. Supplier and Third-Party Security
      Assesses how external providers are vetted, monitored, and governed for ongoing security assurance.

    14. Security Awareness, Culture, and Human Risk
      Evaluates training, simulations, behavioural reinforcement, and leadership engagement in building a strong security culture.

    15. Insurance and Financial Risk Transfer
      Reviews insurance coverage, exclusions, and the alignment between policy conditions and implemented controls.

    16. Compliance Posture and Framework Mapping
      Examines alignment to standards such as ISO 27001, NIST CSF, and Essential Eight maturity levels, without being a certification audit.

    17. Metrics, Testing, and Assurance
      Evaluates how performance, testing, and assurance activities are measured, reviewed, and continuously improved.

    18. Optional Extensions
      Allows deeper exploration of topics such as OT/ICS security, IoT devices, software supply chain assurance, or high-value asset protection, where relevant.

  • You’ll receive three key outputs at the conclusion of the diagnostic:

    Cyber Maturity Snapshot — A visual summary of your cyber maturity across governance, technology, and resilience dimensions.

    Evidence Pack — A structured record of interviews, document reviews, and control evidence suitable for board and regulator briefings.

    Roadmap for Uplift — Prioritised recommendations to strengthen governance, controls, and resilience, with practical next steps for improvement.

  • Effort depends on the size and complexity of the organisation.
    Smaller entities typically involve one or two leads over about a week; medium organisations may take two weeks with contributions from IT, risk, and operations; larger or regulated entities may take two to three weeks with broader involvement from security, risk, and compliance functions.

    The adaptive process tailors the depth of review to focus effort where evidence or assurance gaps exist, reducing time while maintaining rigour.

  • Traditional cyber audits can be rigid and expensive.
    This diagnostic delivers independent assurance through a principle-based, adaptive approach that focuses on meaningful risk and maturity outcomes.

    It is:
    Independent — Objective and framework-aligned, not tied to specific vendors or products.
    Adaptive — Focuses effort where risk and evidence gaps exist.
    Actionable — Produces a clear, prioritised roadmap to strengthen resilience.
    Board-Ready — Presents findings in clear business language aligned with risk appetite and resilience outcomes.

  • This is not a penetration test, red-team exercise, or a substitute for certification or forensic investigation.
    Instead, it evaluates how effectively your organisation’s governance, controls, and culture combine to prevent, detect, and respond to cyber threats.

  • This diagnostic is intended for:
    • Organisations seeking an independent view of cyber maturity.
    • Boards and executives needing assurance over cyber resilience.
    • Businesses preparing for Essential Eight, ISO 27001, or CPS 234 uplift.
    • Consultants supporting clients in improving cyber readiness or resilience.
