
Continuous Compliance & Assurance Platform
AI-powered risk dashboards that translate technical monitoring into board-level risk intelligence and Essential Eight compliance visibility.
Schedule Risk Intelligence Demo
Board-Level Dashboards
Translate technical risks into business impact metrics that boards and executives understand.
Essential Eight Tracking
Real-time compliance monitoring across all 8 mitigation strategies with ML1-3 maturity scoring.
Continuous Assurance
24/7 automated monitoring that gives audit committees confidence in control effectiveness.

Risk Intelligence Metrics
Transform Technical Data Into
Board-Level Intelligence
Boards and audit committees need clear visibility into cyber risk, but most organisations struggle to translate technical security data into business-relevant insights. Our Continuous Risk Monitoring & Intelligence services bridge this gap, providing executive dashboards that quantify cyber risk in financial terms and show compliance posture as it changes.
We use AI-powered analytics to continuously monitor your Essential Eight compliance maturity, track control effectiveness, assess third-party risks, and alert you to regulatory changes that affect your organisation. Our approach transforms raw security telemetry into actionable risk intelligence that supports strategic decision-making and gives stakeholders confidence in your governance program.
Unlike traditional security monitoring focused on threats, our risk intelligence approach focuses on what matters to boards: business impact, compliance status, risk appetite adherence, and strategic risk positioning for competitive advantage.
Deliverables & Business Impact
Key Deliverables
Business Benefits
AI-Driven Risk Intelligence
Our approach uses AI to automate GRC processes through proven platforms, continuously monitor compliance posture, and deliver executive-ready risk intelligence that drives strategic decisions.
Automated Compliance Monitoring
AI continuously tracks Essential Eight controls, generates compliance evidence, and alerts to maturity level changes in real-time.
Executive Risk Dashboards
Transform technical security data into board-ready risk visualizations with quantified financial impact and trend analysis.
Regulatory Change Intelligence
Machine learning tracks regulatory updates and automatically assesses impact on your compliance posture and control frameworks.
Frameworks & Regulations
Essential Eight
The Essential Eight is a prioritised set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect organisations against a range of cyber threats. The accompanying maturity model defines four maturity levels (ML0 to ML3); ML0 indicates significant weaknesses, and ML1 to ML3 are the target levels organisations work towards across all eight strategies:
- Application Control
- Patch Applications
- Configure Microsoft Office Macro Settings
- User Application Hardening
- Restrict Administrative Privileges
- Patch Operating Systems
- Multi-Factor Authentication
- Regular Backups
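The practical detail behind "ML1-3 maturity scoring" is how the eight per-strategy results roll up into one number for the board. Under ACSC's Essential Eight assessment guidance the overall maturity level is the lowest level achieved across all eight strategies, so an organisation at ML2 on seven strategies and ML1 on one is at ML1 overall, even though the average is close to 2. The script below is an added example, not code from this page or from any vendor platform; the strategy names follow the list above and the quarterly assessment figures are constructed for illustration.

```python
"""Essential Eight maturity roll-up for a board summary.

Added worked example; not code from the page or from any vendor platform.
The eight strategy names follow the list on this page. The roll-up rule
(overall maturity is the lowest level achieved across all eight strategies)
follows ACSC's Essential Eight assessment guidance. The assessment figures
at the bottom are constructed sample data, not a real organisation.
"""
from __future__ import annotations

STRATEGIES = (
    "Application Control",
    "Patch Applications",
    "Configure Microsoft Office Macro Settings",
    "User Application Hardening",
    "Restrict Administrative Privileges",
    "Patch Operating Systems",
    "Multi-Factor Authentication",
    "Regular Backups",
)
MIN_LEVEL, MAX_LEVEL = 0, 3  # the ACSC model defines ML0 (weak) through ML3


def validate(levels: dict[str, int]) -> None:
    """Reject assessments that omit a strategy or use a level outside ML0-ML3."""
    missing = [s for s in STRATEGIES if s not in levels]
    if missing:
        raise ValueError(f"no assessment for: {missing}")
    for name, level in levels.items():
        if name not in STRATEGIES:
            raise ValueError(f"unknown strategy: {name}")
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{name}: maturity level {level} outside ML0-ML3")


def overall_maturity(levels: dict[str, int]) -> int:
    """Overall level is the weakest strategy, never the average."""
    validate(levels)
    return min(levels[s] for s in STRATEGIES)


def maturity_gaps(levels: dict[str, int], target: int) -> dict[str, int]:
    """Levels still to be gained, per strategy, to reach the target level."""
    validate(levels)
    return {s: target - levels[s] for s in STRATEGIES if levels[s] < target}


def maturity_changes(previous: dict[str, int], current: dict[str, int]) -> list[tuple[str, int, int]]:
    """Strategies whose level moved between two assessments, as (name, old, new)."""
    validate(previous)
    validate(current)
    return [(s, previous[s], current[s]) for s in STRATEGIES if previous[s] != current[s]]


def board_summary(previous: dict[str, int], current: dict[str, int], target: int) -> dict:
    """Roll two assessments up into the fields a board dashboard would show."""
    overall = overall_maturity(current)
    changes = maturity_changes(previous, current)
    return {
        "target": target,
        "overall": overall,
        "meets_target": overall >= target,
        # reported only to show why averaging misleads: it can equal the
        # target while the overall level is below it
        "naive_average": sum(current[s] for s in STRATEGIES) / len(STRATEGIES),
        "weakest": [s for s in STRATEGIES if current[s] == overall],
        "gaps": maturity_gaps(current, target),
        "regressions": [(s, old, new) for s, old, new in changes if new < old],
        "improvements": [(s, old, new) for s, old, new in changes if new > old],
    }


# Constructed sample assessments (illustrative only, not real data).
PREVIOUS_QUARTER = {s: 2 for s in STRATEGIES}
CURRENT_QUARTER = {**PREVIOUS_QUARTER, "Application Control": 1, "Regular Backups": 3}
TARGET_LEVEL = 2

if __name__ == "__main__":
    for key, value in board_summary(PREVIOUS_QUARTER, CURRENT_QUARTER, TARGET_LEVEL).items():
        print(f"{key}: {value}")
```

In the constructed data the current quarter averages exactly 2.0, yet the organisation has dropped from ML2 overall to ML1 because Application Control regressed; that single regression is what a maturity-level alert should surface, and the "gaps" field tells the board what it would take to get back to target.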
APRA (Australian Prudential Regulation Authority)
APRA regulates banks, insurance companies, and superannuation funds in Australia. APRA's Prudential Standard CPS 234 specifically addresses information security, requiring regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets, and to notify APRA of material information security incidents no later than 72 hours after becoming aware of them.
Key Requirements: Information security capability, incident notification, systematic testing of controls, and board accountability for information security.
APRA CPS 234 Information Security
ASIC (Australian Securities and Investments Commission)
ASIC regulates Australian companies, financial markets, and financial services organisations. ASIC's cyber resilience guidance expects financial services licensees to treat cyber risk as part of their general licensee obligations to maintain adequate risk management systems, including effective cyber risk management frameworks, incident response capabilities, and cyber resilience testing.
Key Focus Areas: Cyber risk governance, operational resilience, third-party risk management, and cyber incident response.
ASIC Cyber Resilience Resources
Privacy Act 1988
Australia's Privacy Act 1988 regulates the handling of personal information by Australian government agencies and organisations with annual turnover of $3 million or more. The Act includes 13 Australian Privacy Principles (APPs) covering collection, use, disclosure, and security of personal information, as well as mandatory data breach notification requirements under the Notifiable Data Breaches (NDB) scheme.
Key Obligations: Transparent privacy practices, data security safeguards, assessment of a suspected eligible data breach within 30 days and notification of the OAIC and affected individuals as soon as practicable once it is confirmed, and cross-border disclosure restrictions.
OAIC Privacy Act Overview
ISO/IEC 27001:2022
ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information, ensuring confidentiality, integrity, and availability through risk management processes and the 93 reference controls in Annex A of the 2022 edition, grouped into organisational, people, physical, and technological themes.
Key Benefits: Third-party certification demonstrates security maturity, competitive advantage in tenders, systematic risk management, and compliance alignment with other frameworks (Essential Eight, NIST, SOC 2).
ISO 27001 Standard Overview
NIST Cybersecurity Framework (CSF)
The NIST CSF 2.0 is a voluntary framework developed by the US National Institute of Standards and Technology that provides guidance for managing cybersecurity risk. Widely adopted globally, it organises cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Key Features: Risk-based approach, flexible implementation, industry-agnostic guidance, alignment with global standards, and outcome-focused security posture measurement.
NIST Cybersecurity Framework
SOC 2 (Service Organisation Control 2)
SOC 2 is an auditing framework developed by the American Institute of CPAs (AICPA) that defines criteria for managing customer data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II reports provide independent assurance of security controls over a specified period, critical for SaaS providers and cloud service organisations.
Key Benefits: Third-party attestation for enterprise buyers, competitive differentiation in procurement, demonstrates operational maturity, and enables compliance with customer security requirements.
AICPA SOC 2 Overview
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is a comprehensive information security standard for organisations that handle credit card data from major card brands (Visa, MasterCard, American Express, Discover, JCB). The standard mandates strict security controls across 12 requirements covering network security, access control, monitoring, and vulnerability management to protect cardholder data and reduce fraud.
Compliance Levels: Merchant levels (Level 1-4) are set by the card brands based on annual transaction volume and determine whether an on-site assessment by a QSA or a self-assessment questionnaire is required; all levels require annual validation and quarterly external vulnerability scans by an Approved Scanning Vendor. Non-compliance can result in fines levied by the card brands through the acquirer (figures commonly cited run up to $100,000 per month) and loss of card processing privileges.
PCI Security Standards Council
GDPR (General Data Protection Regulation)
The EU's General Data Protection Regulation (GDPR) is one of the world's most stringent data protection laws, applying to organisations established in the EU and to organisations outside it that offer goods or services to, or monitor the behaviour of, people in the EU. GDPR establishes comprehensive rights for data subjects including access, rectification, erasure, and portability, while imposing strict obligations on data controllers and processors.
Key Requirements: Lawful basis for processing, privacy by design and by default, notification of personal data breaches to the supervisory authority within 72 hours, Data Protection Impact Assessments (DPIAs) for high-risk processing, and appointment of a Data Protection Officer (DPO) where the regulation requires one. Fines up to €20 million or 4% of global annual turnover, whichever is higher.
GDPR Official Information Portal
NIS2 Directive (Network and Information Security)
The NIS2 Directive is the EU's updated cybersecurity law that mandates security measures and incident reporting for essential and important entities across critical sectors including energy, transport, banking, health, digital infrastructure, and public administration. NIS2 significantly expands the scope of the original NIS Directive with stricter requirements and harmonised enforcement.
Key Obligations: Cybersecurity risk management measures, supply chain security, staged incident reporting (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month), business continuity planning, and personal liability for management bodies. Member state transposition deadline: 17 October 2024.
European Commission NIS2 Overview
DORA (Digital Operational Resilience Act)
DORA is an EU regulation establishing comprehensive operational resilience requirements for the financial sector. It mandates ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing arrangements. DORA applies to a wide range of financial entities (commonly estimated at over 22,000) including banks, insurance companies, and investment firms, and brings critical ICT third-party service providers under direct oversight.
Scope: Comprehensive ICT risk framework, threat-led penetration testing (TLPT) for the financial entities identified by their authorities, stringent third-party oversight, and classification and reporting of major ICT-related incidents within strict timelines. Applies from 17 January 2025.
DORA Official Information
Give Your Board Real-Time Risk Visibility
Deploy AI-powered risk intelligence that transforms security monitoring into board-level confidence and continuous compliance assurance.