IC Inline Code

Service · Defensive baseline

Security Posture Assessment

A two-week, fixed-price assessment that maps your information security posture against ISO/IEC 27001:2022, NIST CSF 2.0, APRA CPS 234, and the ASD Essential Eight. Board-ready, regulator-aligned, with a remediation roadmap your team can actually operate.

Why this engagement exists

A baseline that drives decisions, not a binder that sits on a shelf.

Most mid-market organisations have a partial picture of their security posture: a SOC 2 from a customer ask, an Essential Eight scorecard from a vendor demo, an outdated ISMS from a long-departed CISO. None of them gives the board the answer it actually needs to the question: "Are we secure enough, given who we are and what we hold?"

The posture assessment produces that answer in ten business days. Fixed scope, fixed fee, fixed deliverable. Not a discovery engagement that grows in scope, not a generic gap analysis that ignores your context. The output is the document your CISO hands the audit committee on Monday.

Scope

What we cover in ten business days.

01 Asset and data discovery

External attack surface scan, cloud and SaaS inventory, identity and access posture, data classification position. We build the picture your asset register is missing.

02 Document and configuration review

Existing policies, supplier register, M365/Google Workspace tenant configuration, IdP configuration, EDR coverage, backup posture, incident response plans. Reviewed against the relevant control framework.

03 Stakeholder interviews

Six to ten focused interviews across security, IT, risk, legal, and one or two business unit owners. Built around evidence and observed practice, not policy claims.

04 Threat modelling

Crown-jewel data flows assessed against MITRE ATT&CK and the relevant threat actor profile for your sector. We name the realistic threat scenarios, not generic ones.

05 Control gap analysis

Findings mapped to ISO/IEC 27001 Annex A, NIST CSF 2.0, APRA CPS 234, ASD Essential Eight maturity levels, and the Australian Privacy Principles where applicable. Each finding sized by impact and effort.

06 Reporting and briefing

Written posture report, executive summary suitable for board pack inclusion, prioritised remediation roadmap, and an optional one-hour committee briefing.

Deliverables

What you take away.

  • Posture report (50 to 80 pages)
  • Executive summary suitable for board pack
  • Findings register with severity, effort, and owner estimates
  • Prioritised remediation roadmap (90, 180, 365 days)
  • ASD Essential Eight maturity scoring with evidence
  • Threat model summary for crown-jewel data flows
  • Optional one-hour board or audit committee briefing

Engagement parameters

Fixed-fee, fixed-scope.

  • Investment: AUD 18,000 to 30,000. Final fee scoped at engagement based on environmental complexity.
  • Duration: 10 business days from engagement kickoff. Two weeks elapsed time.
  • Lead time: within 14 days of signature. Scoped SOW issued within two business days of discovery call.

Frameworks

Standards we deliver against.

  • NIST AI RMF 1.0
  • ISO/IEC 42001:2023
  • APRA CPS 234
  • APRA CPS 230
  • Australian Privacy Principles
  • OWASP Top 10 for LLMs
  • MITRE ATLAS
  • ASD Essential Eight

Get started

Two weeks to a defensible security position.

Discovery call, fixed-fee SOW, kickoff, ten business days of delivery, then a decision on what comes next — including whether you want offensive testing to validate the picture.