Cybersecurity audits that actually find something.
Most audits produce a thick report and a false sense of security. Ours produce a clear, honest assessment of where your security programme works, where it doesn't, and what to fix first. We audit against the frameworks that matter to your organisation — ISO 27001, Essential Eight, APRA CPS 234 — with evidence-based findings and practical remediation guidance.
What we audit
Every layer of your security programme.
A cybersecurity audit covers more than technical controls. We assess governance, operations, compliance, and third-party risk to give you a complete picture of your security posture.
Review of security policies, standards, procedures, and governance structure. We assess whether your documentation reflects reality and whether accountability is clear across your organisation.
Assessment of network security, endpoint protection, identity and access management, encryption, logging, and detection capability against your threat model and applicable frameworks.
Mapping your current controls to the requirements of ISO 27001, Essential Eight, APRA CPS 234, or whichever framework applies. We identify genuine gaps, not theoretical deficiencies.
Privileged access management, MFA coverage, service account proliferation, directory hygiene, and role-based access controls. Identity is where most breaches start.
Evaluation of your incident response plan, escalation procedures, communication protocols, and evidence of testing. We assess whether your plan would survive a real incident.
Review of supplier security assessments, contractual obligations, data sharing agreements, and fourth-party risk visibility across your critical vendor ecosystem.
Our approach
How a cybersecurity audit works.
Structured, evidence-based, and designed to produce findings you can act on — not a compliance checkbox exercise.
Define audit scope, applicable frameworks, key systems, and specific objectives aligned to your risk priorities and compliance obligations.
Review existing policies, procedures, risk registers, previous audit findings, and incident records. Identify gaps between documented controls and actual practice.
Hands-on evaluation of technical controls, configurations, and security tooling. We verify that controls are not just deployed but operating effectively.
Every finding is documented with evidence, mapped to the relevant framework requirement, and rated by business risk — not just technical severity.
Prioritised remediation roadmap with effort estimates, dependencies, and quick wins identified. Followed by a debrief with your leadership and technical teams.
Audit types
The right audit for your situation.
Different triggers require different audit approaches. We scope every engagement to your specific compliance obligations and risk priorities.
Readiness assessment before ISO 27001 Stage 1 or Stage 2 certification audit. Identifies remaining gaps and prepares your team for auditor interviews.
Scheduled internal audits across your ISMS scope, fulfilling ISO 27001 Clause 9.2 requirements. Independent, evidence-based, and aligned to your risk register.
Assessment against APRA's information security standard for regulated financial entities. Covers information security capability, policy framework, and incident management.
Formal maturity level assessment across all eight strategies, following ASD's official assessment guidance. Evidence-based scoring at Levels 0 through 3.
After a security incident or near-miss, we conduct a structured audit to identify root causes, control failures, and improvements needed to prevent recurrence.
Assessment of critical third-party suppliers against your security requirements and relevant frameworks. Used for vendor due diligence, onboarding, and periodic reassessment.
Frequently asked questions.
How often should a cybersecurity audit be conducted?
At minimum annually, or whenever your environment changes significantly — new systems, acquisitions, regulatory shifts, or post-incident. Organisations subject to APRA CPS 234 or ISO 27001 typically require more frequent internal audits aligned to their surveillance and compliance cycles.
What is the difference between a cybersecurity audit and a penetration test?
A penetration test simulates an attacker to find exploitable vulnerabilities. A cybersecurity audit evaluates your broader security posture — governance, policies, technical controls, compliance, and operational practices. They are complementary: audits tell you whether your programme works; pen tests tell you whether your defences hold.
What compliance frameworks do your audits cover?
We audit against ISO 27001:2022, Essential Eight (all maturity levels), APRA CPS 234, the Australian Privacy Act, SOCI Act critical infrastructure obligations, and NIST CSF. We map findings to the specific framework your organisation is measured against.
What does a cybersecurity audit report include?
A structured report covering scope, methodology, findings with evidence, risk ratings, compliance gap analysis, and a prioritised remediation roadmap. Includes an executive summary for leadership and a technical appendix for your security and IT teams.
Start with an honest assessment.
Tell us what compliance frameworks apply to your organisation and where you think the gaps are. We'll scope an audit that answers the questions that matter, and give you a roadmap you can actually execute.