Compliance-as-a-Service
ISO 27001 & ASD Essential Eight Compliance — Melbourne
Structured compliance management without the enterprise consulting price tag.
The Problem
Compliance is now table stakes for many Australian SMBs
ISO 27001 and Essential Eight compliance is mandatory for government suppliers, increasingly required for cyber insurance eligibility, and becoming a standard expectation in enterprise procurement. Most SMBs don't have the internal expertise to know where to start, what to prioritise, or how to maintain evidence for ongoing audits.
Without a structured approach, organisations spend money on isolated controls with no visibility into their overall compliance posture, and no documentation to show auditors, insurers, or customers.
What You Get
A complete compliance program, not a one-time report
From initial gap assessment through to ongoing evidence collection and reporting.
Gap Assessment
A structured gap assessment mapping your current controls against ISO 27001 or ASD Essential Eight. Delivered as a control register with rated gaps, a risk register, and a prioritised remediation plan.
GRC Platform Access
Access to our own hosted GRC platform: a self-service compliance dashboard where you can view your control status, track remediation tasks, store evidence, and monitor your overall posture in real time.
Monthly Compliance Status Reports
A clear, board-ready compliance status report, delivered every month as a PDF. Know exactly where you stand against your chosen framework, what has improved, and what still needs attention.
12 Core Policy Templates
All 12 core information security policies your organisation needs — information security policy, acceptable use, access control, incident response, and more — provided as editable templates and configured for your environment.
Evidence Folder Setup
A structured evidence folder pre-organised so auditors can navigate it without hand-holding. Mapped directly to your framework's control domains. We set it up and show your team how to maintain it.
Quarterly Review Calls
A scheduled call every quarter to review your compliance posture, discuss upcoming changes, plan the next period's evidence collection activities, and address any questions your team has.
The Process
How we get you to compliance
Three clear phases. No ambiguity about what happens when.
Phase 1 — Week 1–2
Discovery
We map your current controls against the target framework (ISO 27001 or Essential Eight). This produces a control register, a gap list, an initial risk register, and a scoped remediation plan. You come away with a clear picture of your starting position.
Phase 2 — Week 3–4
Gap Closure
We work with your team to implement the missing controls identified in Phase 1. This includes configuring policies, establishing processes, setting up the evidence folder structure, and loading your GRC platform with your organisation's data.
Phase 3 — Ongoing
Maintain
Monthly evidence collection, status reporting, and advisory access. Your compliance posture stays current, your evidence folder stays populated, and your team has someone to call when questions come up. We handle the compliance program so you can focus on the business.
Industries
Compliance requirements vary by sector
Different industries face different compliance drivers. Government suppliers need Essential Eight. Healthcare organisations have privacy obligations stacked on top of information security requirements. Legal firms and financial services providers face both client-driven requirements and regulatory obligations.
We've worked across healthcare, professional services, government suppliers, legal firms, and financial services. The framework and controls differ. The process is the same.
Healthcare
Privacy Act obligations, My Health Record system requirements, and increasing pressure from health insurers and hospital networks to demonstrate security posture.
Professional Services
Client-driven security requirements, enterprise supplier assessments, and the reputational risk of handling sensitive client data without a documented security program.
Government Suppliers
ASD Essential Eight is a condition of supply for many federal and state government contracts. We scope and implement to the maturity level specified in your contract.
Legal Firms
Client privilege, sensitive matter data, and regulatory obligations from law society bodies. Legal firms face significant reputational and regulatory consequences from security incidents.
Financial Services
ASIC and APRA regulatory obligations, client data protection requirements, and insurance underwriter requirements create layered compliance obligations for financial services firms of all sizes.
Pricing
Three ways to engage
Start with a standalone gap assessment, move into an ongoing compliance program, or go all the way to ISO 27001 certification.
One-time
Gap Assessment
$3,500
A comprehensive gap assessment against ISO 27001 or ASD Essential Eight. Delivered as a structured report with your control posture, identified gaps, a risk register, a remediation roadmap, and GRC platform setup.
Monthly
Compliance-as-a-Service
from $800/month
Ongoing compliance management program covering ISO 27001 lite or Essential Eight. Includes everything in the gap assessment plus monthly reporting, evidence collection, policy templates, and advisory access. Minimum 3-month commitment.
Monthly
Full ISO 27001 Certification Program
from $2,200/month
A full ISO 27001 certification program taking you from gap assessment through to certification readiness. Includes all deliverables from the Compliance-as-a-Service tier plus Statement of Applicability (SoA), full ISMS documentation, internal audit preparation, and certification body liaison.
FAQ
Common questions
Answers to the questions we hear most before scoping calls.
How long does ISO 27001 certification take?
Typically 6 to 18 months depending on the size and complexity of your organisation, the maturity of your existing controls, and how quickly your team can implement changes. Smaller organisations with fewer systems and a focused scope can reach certification readiness in 6 months. Larger, more complex environments generally take 12 to 18 months. We'll give you a realistic timeline estimate during the scoping call based on your actual situation.
Do we need ISO 27001 or Essential Eight?
It depends on your industry and your clients. If you supply to Australian federal or state government, Essential Eight is almost certainly what you need — it's baked into most government procurement requirements. If you're selling to enterprise clients, pursuing cyber insurance, or operating in a regulated sector like healthcare, legal, or financial services, ISO 27001 is typically the more relevant framework. Some organisations implement both. We'll help you work out which is right in the scoping call — there's no obligation.
What's included in the gap assessment?
The gap assessment includes: a full control mapping exercise against your chosen framework (ISO 27001 or Essential Eight), a control register showing your current status against each required control, an initial risk register identifying the gaps that carry the most risk, and a prioritised remediation plan — not a generic checklist but a plan specific to your environment and constraints. GRC platform access configured for your organisation is also included. The output is structured so you can use it to drive the remediation work, whether you do that with us or internally.
Can you help with Essential Eight Level 2 maturity?
Yes. We scope and implement to the maturity level your contract or requirement specifies. Level 2 requires more evidence of process consistency and broader coverage across the eight strategies — specifically around user application hardening, restriction of administrative privileges, and patch management cadence. We'll map your current state against Level 2 requirements, identify the gaps, and work with you to close them in a structured way.
Get Started
Not sure where to start?
A scoping call takes 30 minutes. We'll confirm which framework is relevant to your situation, scope the engagement to your actual needs, and give you a clear picture of what to expect before you commit to anything.