Cybersecurity audits that actually find something.
Most audits produce a thick report and a false sense of security. Ours produce a clear, honest assessment of where your security programme works, where it doesn't, and what to fix first. We audit against the frameworks that matter to your organisation — ISO 27001, Essential Eight, APRA CPS 234 — with evidence-based findings that quantify your real cyber risk and practical remediation guidance.
What we audit
Every layer of your security programme.
A cybersecurity audit covers more than technical controls. We assess governance, operations, compliance, and third-party cyber risk to give you a complete picture of your security posture and the security measures that need strengthening.
Review of security policies, standards, procedures, and governance structure. We assess whether your documentation reflects reality and whether accountability is clear across your organisation.
Assessment of network security, data security, endpoint protection, identity and access management, encryption, logging, and detection capability against your threat model and applicable security framework requirements.
Mapping your current controls to the requirements of ISO 27001, Essential Eight, APRA CPS 234, or whichever framework applies. We identify genuine gaps, not theoretical deficiencies.
Privileged access management, MFA coverage, service account proliferation, directory hygiene, and role-based access controls. Compromised credentials are the starting point of most breaches, so we check that these controls are enforced for every account in scope, not just configured for most of them.
Evaluation of your incident response plan, escalation procedures, communication protocols, and evidence of testing. We assess whether your plan would survive a real incident.
Review of supplier security assessments, contractual obligations, data sharing agreements, and fourth-party risk visibility across your critical vendor ecosystem.
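The identity checks listed above (MFA coverage, service account hygiene, privileged access) are the kind of thing an auditor scripts rather than eyeballs, because the difference between "deployed" and "operating effectively" is usually a handful of accounts the policy does not actually cover. The following is an added illustration, not the firm's own tooling: it runs those checks over a constructed directory export. The account fields, the thresholds (365-day password age, 90-day dormancy) and the High/Medium rating rule are assumptions chosen for the example; a real engagement would pull the data from the directory and tune thresholds to the organisation's policy.

```python
"""Identity-hygiene checks over a constructed directory export.

Added illustration, not the audit firm's tooling. Field names, thresholds,
sample accounts and the rating rule are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                  # "user" or "service"
    privileged: bool           # holds an administrative role
    mfa_registered: bool       # has an MFA method enrolled
    mfa_enforced: bool         # covered by an enforcing (not report-only) policy
    password_last_set: datetime
    last_logon: datetime
    interactive_logon_allowed: bool


# Fixed "as of" time so the example is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample export (not real accounts).
SAMPLE = [
    Account("alice", "user", True, True, True, _ago(20), _ago(1), True),
    Account("bob", "user", False, True, False, _ago(45), _ago(3), True),      # enrolled, policy not enforcing
    Account("carol", "user", True, False, True, _ago(10), _ago(2), True),     # admin, never enrolled
    Account("svc_backup", "service", True, False, False, _ago(1100), _ago(2), True),
    Account("svc_legacy", "service", False, False, False, _ago(700), _ago(200), False),
    Account("svc_monitor", "service", False, False, False, _ago(30), _ago(1), False),
]


def mfa_gaps(accounts):
    """User accounts not both enrolled in MFA and covered by an enforcing policy.

    Enrolment without enforcement is the classic 'deployed but not operating'
    case: the control exists on paper and the account can still sign in without it.
    """
    return sorted(a.name for a in accounts
                  if a.kind == "user" and not (a.mfa_registered and a.mfa_enforced))


def mfa_coverage_percent(accounts):
    """Share of user accounts with MFA enrolled and enforced, one decimal place."""
    users = [a for a in accounts if a.kind == "user"]
    if not users:
        return 0.0
    covered = sum(1 for a in users if a.mfa_registered and a.mfa_enforced)
    return round(100.0 * covered / len(users), 1)


def stale_service_accounts(accounts, now=NOW, max_password_age_days=365, max_dormant_days=90):
    """Service accounts with unrotated credentials or no recent use. Returns {name: [reasons]}."""
    findings = {}
    for a in accounts:
        if a.kind != "service":
            continue
        reasons = []
        if (now - a.password_last_set).days > max_password_age_days:
            reasons.append(f"password older than {max_password_age_days} days")
        if (now - a.last_logon).days > max_dormant_days:
            reasons.append(f"no logon in {max_dormant_days} days")
        if reasons:
            findings[a.name] = reasons
    return findings


def privileged_service_interactive(accounts):
    """Privileged service accounts that can log on interactively: a credential-theft target."""
    return sorted(a.name for a in accounts
                  if a.kind == "service" and a.privileged and a.interactive_logon_allowed)


def rated_findings(accounts, now=NOW):
    """Combine the checks into (account, issue, rating) tuples.

    The rating rule is deliberately simple and is an assumption for the example:
    anything affecting a privileged account is High, everything else Medium.
    """
    by_name = {a.name: a for a in accounts}

    def rate(name):
        return "High" if by_name[name].privileged else "Medium"

    out = [(n, "MFA not enrolled and enforced", rate(n)) for n in mfa_gaps(accounts)]
    for n, reasons in stale_service_accounts(accounts, now).items():
        out.extend((n, r, rate(n)) for r in reasons)
    out.extend((n, "privileged service account allows interactive logon", rate(n))
               for n in privileged_service_interactive(accounts))
    return sorted(out)


if __name__ == "__main__":
    for name, issue, rating in rated_findings(SAMPLE):
        print(f"{rating:6} {name:12} {issue}")
```

The point of the sample data is the two user accounts that look covered on a dashboard but are not: one is enrolled but sits outside the enforcing policy, the other is an administrator covered by the policy who never enrolled. Both would be missed by an audit that reads the MFA policy and stops there.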
Our approach
How a cybersecurity audit works.
Structured, evidence-based, and designed to produce findings you can act on — not a compliance checkbox exercise.
Define audit scope, applicable frameworks, key systems, and specific objectives aligned to your risk priorities and compliance obligations.
Review existing policies, procedures, risk registers, previous audit findings, and incident records. Identify gaps between documented controls and actual practice.
Hands-on evaluation of technical controls, configurations, and security tooling. We verify that controls are not just deployed but operating effectively.
Every finding is documented with evidence, mapped to the relevant framework requirement, and rated by business risk — not just technical severity.
Prioritised remediation roadmap with effort estimates, dependencies, and quick wins identified. Followed by a debrief with your leadership and technical teams.
Audit types
The right audit for your situation.
Different triggers require different audit approaches. We scope every engagement to your specific compliance obligations and risk priorities.
Readiness assessment before ISO 27001 Stage 1 or Stage 2 certification audit. Identifies remaining gaps and prepares your team for auditor interviews.
Scheduled internal audits across your ISMS scope, fulfilling ISO 27001 Clause 9.2 requirements. Independent, evidence-based, and aligned to your risk register.
Assessment against APRA's information security standard for regulated financial entities. Covers information security capability, policy framework, and incident management.
Formal maturity level assessment across all eight strategies, following ASD's official assessment guidance. Evidence-based scoring at Levels 0 through 3.
After a security incident or near-miss, we conduct a structured audit to identify root causes, control failures, and improvements needed to prevent recurrence.
Assessment of critical third-party suppliers against your security requirements and relevant frameworks. Used for vendor due diligence, onboarding, and periodic reassessment.
What frameworks we audit against.
We do not audit against a generic checklist and hand you a RAG-rated (red, amber, green) spreadsheet. Every engagement is scoped to the frameworks your organisation is actually measured against, whether that is a regulator, a certification body, a cyber insurer, or your board. The goal is to quantify your cyber risk against the specific requirements that matter to your stakeholders.
ISO 27001:2022
Full clause-by-clause assessment covering Annex A controls, Statement of Applicability gaps, and ISMS operational effectiveness. We conduct both pre-certification readiness audits and ongoing internal audits required under Clause 9.2. Our lead auditors have held ISO 27001 credentials since 2008.
Essential Eight
Maturity level assessments across all eight mitigation strategies, following the ASD's official assessment guidance. We test at the control level, not the policy level: for application control, that means attempting to execute test files from user-writable paths rather than reading the policy document. If your organisation claims Maturity Level 2 but your application control configuration tells a different story, we will find it.
APRA CPS 234
Information security capability assessments for APRA-regulated financial entities. We cover the full CPS 234 scope: information security capability relative to threat exposure, policy framework, information asset management, and incident notification obligations. Our cyber risk assessment approach maps directly to APRA's expectations for how regulated entities should identify and manage cyber risk. We also assess alignment with the newer CPS 230 operational resilience requirements.
NIST CSF and SOCI Act
For critical infrastructure operators and organisations aligning to US frameworks, we audit against the NIST Cybersecurity Framework and the Security of Critical Infrastructure Act obligations. Both are increasingly relevant for Australian organisations in energy, telecommunications, and government supply chains.
What you receive.
Every audit engagement produces a structured set of deliverables designed to be useful at every level of your organisation, from the board to the team remediating findings. Our advisory services go beyond handing you a report: we ensure your team understands the cyber risk implications and has a clear path to remediation.
- Executive summary. A concise overview of your security posture, key findings, and strategic recommendations. Written for leadership, not for security practitioners.
- Detailed findings report. Every finding documented with evidence, mapped to the relevant framework requirement, and rated by business cyber risk. No generic risk ratings copied from a scanner.
- Compliance gap analysis. A clause-by-clause or control-by-control mapping of your current state against the applicable framework, with clear identification of gaps and partial implementations.
- Prioritised remediation roadmap. Sequenced actions with effort estimates, dependencies, quick wins, and longer-term architectural changes. This is the document your team uses to actually fix things.
- Debrief sessions. A leadership debrief covering strategic findings and risk posture, plus a technical debrief with your security and IT teams covering implementation detail.
How long an audit takes.
Timelines vary by scope and organisational complexity. As a guide for planning purposes:
- Focused audit (single framework, limited scope): 2 to 4 weeks from kickoff to final report.
- Comprehensive audit (multiple frameworks, full environment): 4 to 8 weeks, including stakeholder interviews, technical testing, and report preparation.
- Pre-certification readiness (ISO 27001 Stage 1 preparation): 3 to 6 weeks depending on ISMS maturity.
We scope every engagement honestly. If we think your timeline expectation is unrealistic for the depth of audit you need, we will tell you before we start rather than rushing to meet a deadline and delivering a shallow result.
Who needs a cybersecurity audit.
Some organisations seek audits proactively. Others are responding to a specific trigger. Both are valid, but the triggers that should prompt an audit sooner rather than later include:
- Regulatory obligation. APRA-regulated entities, critical infrastructure operators under the SOCI Act, and organisations pursuing ISO 27001 certification all have formal audit requirements.
- Board or investor scrutiny. When leadership needs independent assurance that the security programme is effective and that reported risk posture reflects reality.
- Cyber insurance renewal. Insurers increasingly require evidence of specific controls. A recent audit report is one of the most effective tools for securing reasonable coverage.
- Post-incident review. After a breach, near-miss, or significant security event, a structured audit identifies root causes and prevents recurrence.
- Environmental change. Cloud migrations, acquisitions, new business systems, or organisational restructures that materially change your attack surface.
- Suspicion that the last audit was not rigorous enough. If your previous audit produced no significant findings and that does not match your gut feeling about your security posture, trust your instincts.
Cybersecurity audits for small and mid-sized businesses.
Small businesses and mid-market organisations often assume cybersecurity audits are only for large enterprises or heavily regulated entities. That assumption creates blind spots. The ASD's Annual Cyber Threat Report consistently shows small businesses being targeted; attackers go after them on the assumption that their security measures are weaker, and that assumption is usually correct. A focused cybersecurity audit for a smaller organisation does not need to be a six-figure enterprise engagement. A scoped audit covering governance basics, technical hygiene, and the highest-priority cyber risk areas can be completed in two to three weeks and provides a clear baseline for improvement.
Building cyber resilience through regular audits.
A single cybersecurity audit provides a point-in-time snapshot. Cyber resilience requires ongoing assurance: regular audits that track whether your security programme is improving, stagnating, or falling behind as threats evolve and your environment changes.
Organisations that conduct regular audits on a structured cadence (typically annual comprehensive audits with interim focused reviews) build genuine cyber resilience because they catch control drift before it becomes a material cyber risk. They identify new threats introduced by environmental changes (cloud migrations, acquisitions, new business systems) before those changes create exploitable gaps.
We work with organisations to design audit programmes that build maturity progressively, rather than treating each audit as an isolated event. The first audit establishes a baseline. Subsequent audits measure progress against the remediation roadmap and assess new cyber risk introduced since the previous assessment. Over time, this approach shifts your organisation from reactive compliance to proactive governance and genuine cyber defence capability.
How we price audit engagements.
We price on a fixed-fee basis wherever possible. You get a defined scope, a clear price, and no surprise invoices. For engagements where the scope genuinely cannot be fixed upfront (complex environments with unknown boundaries), we agree a capped time-and-materials arrangement with regular check-ins.
We do not pad audit scopes to inflate fees, and we do not include services you have not asked for. If a narrower audit scope would answer your actual questions, we will recommend the narrower scope. That is what assessment-first means in practice.
Frequently asked questions.
How often should a cybersecurity audit be conducted?
What is the difference between a cybersecurity audit and a penetration test?
What compliance frameworks do your audits cover?
What does a cybersecurity audit report include?
Start with an honest assessment.
Tell us what compliance frameworks apply to your organisation and where you think the gaps are. We'll scope an audit that answers the questions that matter, and give you a roadmap you can actually execute.