
Governance that your team can actually run.

Security governance that exists only on paper is worse than useless; it creates false assurance and absorbs resources without reducing risk. Cliffside builds governance frameworks, policy suites, and risk management structures that are practical to operate, meaningful to the board, and genuinely aligned to how your business actually works.

The full governance stack.

Effective security governance requires more than a policy document. It requires a clear structure of accountability, mechanisms for decision-making, and the processes to keep it all current as the business evolves.

Security policy suite

A complete, coherent set of information security policies, written for your organisation, not copied from a template. Covering acceptable use, access control, incident management, data classification, and more.

Risk management framework

A structured approach to identifying, assessing, and treating security risks, with a risk register, a risk appetite statement, and governance processes your team can maintain on an ongoing basis.

Governance structure & accountability

Clear roles and responsibilities for security across your organisation, including board, executive, and operational accountability frameworks.

Third-party risk management

Vendor and supplier security assessment processes, ensuring your supply chain doesn't become your biggest security liability.

Metrics & reporting

Meaningful security metrics and reporting structures for the board, executive, and operational teams; the right information at the right level.

Compliance alignment

Governance structures mapped to ISO 27001, APRA CPS 234, Essential Eight, NIST CSF, and other relevant frameworks, without unnecessary duplication.

Governance is not compliance theatre.

Most organisations have experienced security governance that doesn't govern anything. Policies nobody reads, risk registers nobody maintains, and board reports that communicate nothing useful. The underlying problem is usually that the framework was designed to pass an audit, not to actually work.

Cliffside builds governance from the operational reality backwards. We start with how decisions actually get made in your organisation, who actually owns risk in practice, and what constraints your team is actually operating under. The result is governance that works, because it fits.

Evidence, not assurances.

On 8 May 2026 ASIC Commissioner Simone Constant issued open letter 26-092MR to AFS licensees, market participants and their directors. Four governance expectations sit at the heart of it: cyber resilience proportionate to the evolving threat, adequate resourcing and capability, end-to-end control reporting (not activity metrics), and active board oversight of emerging risks including AI. ASIC is explicit: "governance should not rely only on assurances. It should be supported by evidence: test results, audit findings, lessons from incidents, and independent validation."

This is the standard our governance work is built for. We design board reporting that evidences control effectiveness, risk frameworks that surface combinatorial risk (not just discrete items), and policy suites that map directly to the FIIG Securities standard of "demonstrably effective and proportionate" cyber risk management. The output is a governance pack that survives the next supervisory interaction, the next licence review, or the next incident.

Governance frameworks for Australian organisations.

Three frameworks dominate security governance, and they solve different problems. Choosing the wrong one means building governance that does not fit how your organisation actually makes decisions.

ISO/IEC 27014 is the international standard for information security governance. It sits a level above ISO 27001: where 27001 specifies the controls and the management system, 27014 sets the principles that direct them. Five principles anchor it: establish enterprise-wide information security, adopt a risk-based approach, set the direction of investment decisions, ensure conformance with internal and external requirements, and foster a security-positive environment. If you already run an ISMS, 27014 is the governance layer that tells the board what to do with it. It pairs naturally with ISO 27001 information security management.

NIST CSF 2.0 added Govern (GV) as a new sixth function when it was released in February 2024, the first time board accountability has been made explicit in the framework. Its categories span Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC). Govern is not a list of controls. It is the structure that decides how every other function gets resourced and reported.

COBIT 2019 approaches governance from the IT side. Its governance domain, Evaluate, Direct, Monitor (EDM), separates governance from management deliberately. Five EDM processes carry it: EDM01 (ensured governance framework setting and maintenance), EDM02 (ensured benefits delivery), EDM03 (ensured risk optimisation), EDM04 (ensured resource optimisation), and EDM05 (ensured stakeholder transparency).

When to apply which: ISO 27014 for ISMS-aligned organisations, NIST CSF 2.0 for organisations adopting a broader cyber risk framework, and COBIT 2019 for IT-governance-led organisations. Most organisations do not need all three. They need one applied properly.

Board accountability in AU regulated entities.

Australian regulators have stopped treating cyber governance as an IT matter. Three regulatory shifts now put security governance squarely on the board's agenda, and each one expects a documented framework rather than a security policy.

APRA CPS 230 commences on 1 July 2026. It mandates board attestation of operational resilience, cyber included, and consolidates the older CPS 231 and CPS 232 along with parts of SPS 231/232. Boards must define their critical operations explicitly and attest annually that material service provider arrangements are sound. It is a cousin of the existing APRA CPS 234 information security obligations, not a replacement: CPS 234 still governs information security specifically, while CPS 230 raises the resilience bar around it.

The Privacy Act 1988, as amended through 2024, strengthens the Notifiable Data Breaches scheme and lowers the threshold for mandatory board notification of serious breaches. A statutory tort for serious invasions of privacy has commenced, and the OAIC's enforcement powers have expanded. Privacy is now a board-level liability with teeth, not a compliance footnote.

ASIC's 2024 letter to AFS licensees on AI risk governance sets specific board-level expectations for licensees deploying AI in financial services. Cyber risk governance and AI governance now intersect for ASIC-regulated entities, and the board is expected to oversee both as one accountability, not two.

The common thread is documentation. Each of these regimes assumes a governance framework exists, is maintained, and can be evidenced on request. A security policy is not a governance framework, and regulators have become very good at telling the two apart. For a practical walk-through of the standard that started this shift, see our APRA CPS 234 compliance guide.

How we build a governance framework.

Governance work fails when it produces documents nobody runs. We build in three stages, and the Lighthouse Assessment is where it starts.

First, we assess the existing governance state (board reporting, policy hierarchy, and risk register) to establish what actually operates versus what exists only on paper. Second, we map the gaps against the framework you have chosen, whether that is ISO 27014, NIST CSF 2.0, or COBIT 2019, so the remediation is specific rather than generic. Third, we deliver a board-ready governance pack: policy templates, a RACI that assigns real accountability, and a board-reporting cadence your team can sustain after we leave.

The output is governance that survives the next audit, the next licence review, or the next incident, because it was built to be run, not filed. Start with a Lighthouse Assessment and we will tell you honestly where your governance actually stands.

Governance that actually governs.

Book a free consultation. We'll review your current governance posture and give you an honest assessment of what's working, what's missing, and what to do next.