What we do
Every framework. One methodology.
Evidence gathered first. Locally processed. Human-verified before delivery. The framework changes. The rigour does not.
Every service uses the same methodology.
ASD Essential Eight Maturity Model
Australian Focus
Essential Eight
The Essential Eight is the Australian Signals Directorate's baseline cybersecurity framework — eight mitigation strategies that, when implemented correctly, make it significantly harder for adversaries to compromise systems. Most Australian organisations do not know exactly where their Maturity Level 2 (ML2) gaps are. We find them.
What we do
We conduct Essential Eight gap assessments against Maturity Level 1, 2, and 3 using evidence gathered from live system interrogation — registry values, feature states, Active Directory queries, and configuration exports. Every finding traces to a specific, observed artefact. No assumptions. No template-filled gaps.
What we do differently
- Live PowerShell interrogation of actual system state — not policy review or interview-based assessment.
- Every finding references the specific registry key, value, and observed data that supports it.
- Methodology aligned to the ASD Assessment Process Guide standard for good evidence.
- Built on open source tooling and public ACSC documentation — no proprietary access required.
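To make the "live interrogation" approach concrete, here is an added example of the evidence-record pattern described above: each check names the registry path and value it relies on, records what was actually observed on the host, and writes the raw evidence out beside the finding. This is illustrative code written for this page, not the firm's own assessment tooling. The three registry locations are real Windows and Office policy keys, but the control labels and expected values are an illustrative mapping that must be confirmed against the current ASD Essential Eight Maturity Model before being used in an assessment.

```powershell
# Added example: evidence-first registry interrogation (not the firm's tooling).
# Control labels and expected values are an illustrative mapping; confirm them
# against the current ASD Essential Eight Maturity Model before relying on them.

$checks = @(
    [pscustomobject]@{
        Control  = 'Configure Microsoft Office macro settings'
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
        Name     = 'blockcontentexecutionfrominternet'
        Expected = 1
    },
    [pscustomobject]@{
        Control  = 'User application hardening (PowerShell script block logging)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
        Name     = 'EnableScriptBlockLogging'
        Expected = 1
    },
    [pscustomobject]@{
        Control  = 'Restrict administrative privileges (Credential Guard)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name     = 'LsaCfgFlags'
        Expected = 1, 2   # 1 = enabled with UEFI lock, 2 = enabled without lock
    }
)

function Get-RegistryEvidence {
    param([Parameter(Mandatory)][pscustomobject]$Check)

    $observed = $null
    $state    = 'NotConfigured'
    $note     = ''
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error,
        # so absence is recorded as a finding rather than silently skipped.
        $observed = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
        $state = if ($observed -in @($Check.Expected)) { 'Compliant' } else { 'NonCompliant' }
    } catch {
        $note = $_.Exception.Message
    }

    # One row per check: the artefact the finding rests on, plus what was seen.
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Host      = $env:COMPUTERNAME
        Control   = $Check.Control
        Path      = $Check.Path
        Name      = $Check.Name
        Expected  = ($Check.Expected -join ' or ')
        Observed  = $observed
        State     = $state
        Note      = $note
    }
}

$evidence = $checks | ForEach-Object { Get-RegistryEvidence -Check $_ }
$evidence | Format-Table -AutoSize

# Keep the raw evidence next to the report so every finding stays traceable.
$evidence | Export-Csv -Path ".\registry-evidence-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run it in an elevated session on the host being assessed; HKCU checks reflect the signed-in user, so policy applied per user should be confirmed for a representative account. Extending the `$checks` table is how additional controls are added without changing the collection logic.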
Suited for
Australian organisations preparing for ASD Essential Eight assessment, IT teams wanting to understand their actual ML2 posture before engaging a certified assessor, and small businesses seeking evidence-based gap identification.
Deliverables
- Current-state ML2 gap assessment report
- Finding-by-finding evidence documentation
- Registry and configuration evidence artefacts
- ASD framework control mapping
- Prioritised remediation roadmap
- Re-assessment support after remediation
Governance, Risk & Compliance
GRC Consulting
GRC is not a framework you install — it is a capability you build. Most organisations have policies without evidence, controls without testing, and risk registers that bear no relationship to actual exposure.
What we do
Governance, Risk and Compliance consulting covers the full spectrum of your organisation's security and compliance posture. We assess what you have, identify what you need, and build frameworks that function in your actual environment.
What we do differently
- We assess your actual control environment before recommending a framework — not after.
- Risk registers built from evidence, not interviews alone.
- Every gap traceable to a specific control failure, not a general observation.
- We stay through remediation — we do not hand over a report and disappear.
Suited for
Organisations building their compliance function from scratch, preparing for a first audit, or rationalising a compliance programme that has grown without structure.
Deliverables
- Current-state maturity assessment
- Evidence-backed gap analysis
- Risk register with traceable findings
- Governance framework design
- Policy and procedure development
- Remediation roadmap with prioritised actions
AI Governance, Risk & Compliance
AI GRC (New)
Organisations are deploying AI faster than they are governing it. The EU AI Act is in force. NIST AI RMF is the operational standard. Most AI deployments have no audit trail, no documented risk assessment, and no structured oversight.
What we do
AI GRC covers the full governance, risk, and compliance lifecycle for AI systems — from classification and risk assessment through control implementation, documentation, audit trail design, and ongoing monitoring across the EU AI Act, NIST AI RMF, and ISO 42001.
What we do differently
- We assess your actual AI systems and data flows before any framework mapping.
- Audit trail design built into the engagement from day one — not added as an afterthought.
- We assess all six layers of your AI security stack: identity, data protection, prompt security, output validation, governance, and observability.
- Evidence-first methodology applied to AI systems the same way as every other engagement.
Suited for
Organisations deploying AI in high-risk use cases, technology companies whose AI products interact with EU residents, and businesses building internal AI systems that handle personal data or make consequential decisions.
Deliverables
- AI system inventory and risk classification
- EU AI Act applicability assessment
- NIST AI RMF mapping and gap analysis
- AI audit trail architecture and design
- Data protection and prompt security assessment
- Output validation and human oversight framework
- AI governance policy and procedure development
- Monitoring and observability programme design
SOC 2 Type I & Type II
SOC 2
SOC 2 is the most widely requested security assurance report in the B2B technology sector. A poorly evidenced SOC 2 report is worse than no report — it creates liability without credibility.
What we do
SOC 2 attestation covers the Trust Services Criteria relevant to your business. We scope engagements precisely, gather evidence systematically, and produce reports that auditors and clients can rely on.
What we do differently
- We scope based on your actual service commitments — not the broadest possible scope.
- Evidence gathered before the report period for Type I, throughout for Type II — no retrospective reconstruction.
- We prepare you for auditor questions with traceable evidence packages, not verbal explanations.
- Our pipeline cross-references evidence against TSC criteria to identify gaps before the auditor does.
Suited for
SaaS companies, cloud service providers, and technology businesses whose enterprise clients require SOC 2 attestation as a condition of doing business.
Deliverables
- Scope definition and boundary documentation
- Control environment mapping against TSC
- Evidence collection and management
- Gap remediation support
- Auditor-ready evidence packages
- Type I or Type II report production support
- Management assertion drafting
ISO/IEC 27001:2022
ISO 27001
ISO 27001 certification demonstrates that your organisation has built and operates an information security management system that meets an internationally recognised standard.
What we do
We guide organisations through the full ISO 27001 implementation and certification lifecycle — from initial gap assessment through ISMS design, control implementation, internal audit, and certification audit support. We work to the 2022 standard.
What we do differently
- Controls implemented against your actual asset inventory — not a generic Annex A checklist.
- Internal audits conducted with the same evidence-first methodology as external engagements.
- Statement of Applicability built from your risk assessment — not pre-populated justifications.
- We remain engaged through the certification audit to respond to auditor queries with documented evidence.
Suited for
Organisations seeking ISO 27001 certification for the first time, organisations recertifying against the 2022 standard, and businesses whose procurement requirements mandate certified ISMS.
Deliverables
- ISO 27001:2022 gap assessment
- ISMS scope and boundary definition
- Asset inventory and risk assessment
- Risk treatment plan
- Statement of Applicability
- Control implementation support
- Internal audit programme and execution
- Certification audit preparation and support
Health Insurance Portability and Accountability Act
HIPAA
HIPAA compliance is not a one-time assessment — it is an ongoing programme. Healthcare organisations and their business associates face significant liability from documentation that does not reflect actual practice.
What we do
We conduct HIPAA Security Rule risk analysis and risk management, assess Administrative, Physical, and Technical safeguards against your actual environment, and produce documentation that demonstrates genuine compliance.
What we do differently
- Risk analysis conducted against your actual ePHI inventory — we identify where ePHI lives before assessing controls.
- We assess implemented safeguards, not just documented policies.
- Business Associate Agreement review included as standard.
- Findings traced to specific control gaps, not general risk categories.
Suited for
Covered entities, business associates, and subcontractors handling ePHI who require formal risk analysis documentation or are preparing for an HHS audit.
Deliverables
- ePHI inventory and data flow mapping
- Security Rule risk analysis
- Administrative, Physical, and Technical safeguards assessment
- Risk management plan
- Policy and procedure gap analysis
- Business Associate Agreement review
- Remediation roadmap
General Data Protection Regulation
GDPR
GDPR compliance requires that your policies, practices, and technical controls are aligned. Most organisations have policies. Far fewer can demonstrate that their practices match them.
What we do
We assess GDPR compliance across all six lawful bases, data subject rights obligations, controller and processor responsibilities, and technical and organisational measures.
What we do differently
- We map your actual data flows before assessing compliance — not after.
- Records of Processing Activities built from evidence, not self-reported inventories.
- Technical and organisational measures assessed against implemented controls, not policy statements.
- We identify accountability gaps that DPAs look for specifically.
Suited for
Organisations established in the EU or UK, international businesses with EU or UK data subject exposure, and companies whose enterprise clients require demonstrable GDPR compliance.
Deliverables
- Data mapping and flow documentation
- Records of Processing Activities (RoPA)
- Lawful basis assessment
- Data subject rights gap analysis
- Technical and organisational measures review
- DPIA support
- Controller/processor agreement review
- Remediation roadmap
Not sure where to start?
Every engagement starts with understanding your environment — not selling you a framework.
Tell us where you are and what you need to achieve. We will tell you honestly whether we are the right fit and what the engagement looks like.