Cyber Security Compliance, Explained
Plain English guides to IRAP, the Essential Eight, ISO 27001 and 42001, SOC 2 and virtual CISO. Written from real assessment work.
Start Here: The Framework Guides
The cornerstone guide for each framework, the best place to begin.
[IRAP] IRAP Assessment: The Complete Australian Guide
[Essential Eight] Essential Eight: The Complete Australian Guide
[ISO 27001] ISO 27001: The Complete Australian Guide
[ISO 42001] ISO 42001: The Complete Guide to AI Management Systems
[SOC 2] SOC 2: The Complete Guide for Australian Technology Companies
[SMB1001] SMB1001: The Complete Guide for Australian Small Business
[Virtual CISO] Virtual CISO: The Complete Australian Guide

All Guides

[SMB1001] SMB1001: The Complete Guide for Australian Small Business
SMB1001 is a five level cyber security certification for SMBs from Dynamic Standards International. The levels, what each proves, what it costs, how it is certified, and where to be careful.
22 June 2026

[SMB1001] SMB1001 vs the Essential Eight: What Australian SMBs Should Know
How SMB1001 and the ACSC Essential Eight differ, where they overlap, and which one your customers, insurer or regulator actually want to see.
22 June 2026

[SMB1001] What Is SMB1001? An Australian Guide
SMB1001 is a five level cyber security certification for small and medium businesses from Dynamic Standards International. What it is, who certifies it, and what it proves.
22 June 2026

[ISO 42001] AI Risk Assessment Under ISO 42001: What It Requires
ISO 42001 asks for two linked exercises: an AI risk assessment of risks to your objectives, and an AI system impact assessment of the consequences for people. Here is what each covers and how they dri
21 June 2026

[IRAP] Entity Assessor vs IRAP Assessor: What’s the Difference?
Not every ISM assessment needs an IRAP assessor. When your own assessors can do the work, when an independent IRAP assessor is required, and why.
21 June 2026

[Essential Eight] Essential Eight Assessment Cost in Australia
What an Essential Eight assessment costs in Australia, what drives the price, and why reaching Maturity Level Two is the larger spend.
21 June 2026

[Essential Eight] Essential Eight Changes in 2026: What Is Actually Changing
The Essential Eight maturity levels are not changing on 1 July 2026. The bigger change is broader. ASD is evolving the Essential Eight into a new Essentials series, starting with a first chapter calle
21 June 2026

[Essential Eight] Essential Eight for Commonwealth Entities: The Maturity Level Two Expectation
Since 1 July 2022 the PSPF has required non corporate Commonwealth entities to reach Essential Eight Maturity Level Two across all eight strategies. What the mandate covers, how it is measured, and wh
21 June 2026

[Essential Eight] Essential Eight Compliance Checklist
What to verify for each of the eight mitigation strategies, which maturity level you need to reach, and how Essential Eight compliance is actually measured.
21 June 2026

[Essential Eight] Essential Eight: The Complete Australian Guide
What the Essential Eight is, the maturity model, who needs it, how an assessment works, what it costs, and how it relates to the ISM and ISO 27001.
21 June 2026

[Essential Eight] Essential Eight Maturity Levels (ML0 to ML3) Explained
ASD’s Essential Eight maturity model has four levels. What ML0 to ML3 mean, why your weakest strategy sets the score, and which level you actually need.
21 June 2026

[IRAP] Essential Eight vs ISM vs IRAP: How the Three Fit Together
The Essential Eight, the ISM and IRAP are not rival choices. They are three layers of one ASD system, and which you need depends on the buyer and the data.
21 June 2026

[Essential Eight] Essential Eight vs ISO 27001: Which Does Your Organisation Need?
The Essential Eight and ISO 27001 solve different problems. Which your organisation needs depends on whether you sell to government or commercial buyers, and plenty need both.
21 June 2026

[Essential Eight] Essential Eight vs the ISM: How They Fit Together
The Essential Eight is a subset of the ISM, not an alternative to it. What each covers, which applies to you, and whether reaching Maturity Level Two leaves you ISM aligned.
21 June 2026

[IRAP] What Classification Does Your Government Cloud Need?
The classification of a government cloud is set by the owning agency, not the provider. What OFFICIAL: Sensitive, PROTECTED and SECRET mean for an IRAP assessment.
21 June 2026

[IRAP] Australian Government Information Classifications: OFFICIAL to SECRET
Australian Government information classifications run from OFFICIAL to SECRET. Who sets the level, what each means, and what changes in an IRAP assessment.
21 June 2026

[IRAP] How Long Does an IRAP Assessment Take?
ASD sets no fixed length for an IRAP assessment. A moderately complex system runs about 12 to 16 weeks once readiness is done, with classification, scope and remediation driving the rest.
21 June 2026

[Essential Eight] How Long Does an Essential Eight Assessment Take?
How long an Essential Eight assessment takes in Australia, the two phases involved, and what makes it faster or slower.
21 June 2026

[ISO 27001] How Long Does ISO 27001 Certification Take in Australia?
How long ISO 27001 certification takes in Australia, the stages and what they involve, why the management system must run before the Stage 2 audit, and what stretches or shortens the timeline.
21 June 2026

[SOC 2] How Long Does SOC 2 Take?
SOC 2 has no single duration. A Type I can follow a few weeks of readiness; a Type II adds an observation period of three to twelve months, which sets the timeline.
21 June 2026

[IRAP] How Often Do You Need an IRAP Assessment? The 24 Month Rule Explained
There is no annual IRAP cycle. The working rule is the 24 month limit in PSPF requirement 0109, with a material change or a new agency able to force a reassessment sooner.
21 June 2026

[IRAP] How to Become an IRAP Assessor in Australia
What it takes to become an ASD endorsed IRAP assessor in Australia: citizenship, five years of experience, Category A and B qualifications, the course and exam, and a minimum NV1 clearance.
21 June 2026

[IRAP] IRAP and the Hosting Certification Framework: How They Fit Together
The Hosting Certification Framework certifies the provider; IRAP assesses the system against the ISM. What each covers, the three HCF levels, and why a PROTECTED cloud workload needs both.
21 June 2026

[IRAP] How Much Does an IRAP Assessment Cost in Australia?
What an IRAP assessment costs in Australia, the price drivers by classification, and the internal costs most budgets miss.
21 June 2026

[IRAP] IRAP Assessment: The Complete Australian Guide
A complete guide to IRAP assessment in Australia: whether you need it, what it is, cost, timeline, the process, the report, and maintaining posture. By an ASD endorsed assessor.
21 June 2026

[IRAP] The IRAP Documents You Need: What to Prepare Before an Assessment
The documents an IRAP assessment runs on, from the System Security Plan annex to the SRMP, monitoring and incident response plans, and who owns each.
21 June 2026

[IRAP] IRAP for Defence: Do You Need It for DISP and Defence Contracts?
IRAP is not a DISP requirement. DISP sets an Essential Eight Maturity Level 2 ICT baseline; IRAP assesses a specific system against the ISM. When you need each, and when you need both.
21 June 2026

[IRAP] IRAP for SaaS and Cloud Providers: What You Need to Know
IRAP for SaaS and cloud providers explained: what the assessment covers, how the shared responsibility model works, which classification to choose, and the 24 month reassessment rule.
21 June 2026

[IRAP] IRAP Readiness Checklist: How to Prepare for an IRAP Assessment
A practical IRAP readiness checklist: the classification and scope decisions, the documents, the control evidence, and the timeline to prepare before an ASD endorsed assessment.
21 June 2026

[IRAP] IRAP vs FedRAMP: What’s the Difference and Which Do You Need?
IRAP and FedRAMP are the cloud security regimes of two different governments. What each assesses against, who runs it, which you need, and whether evidence transfers.
21 June 2026

[IRAP] IRAP vs ISO 27001: Which Does Your Business Need?
ISO 27001 certifies your management system; IRAP assesses one system against the ISM for Australian Government use. What each is, where they overlap, and which you need.
21 June 2026

[IRAP] Is IRAP a Certification?
IRAP is an assessment, not a certification. There is no certificate and no pass mark. What an IRAP assessor produces, and who actually approves the system.
21 June 2026

[IRAP] ISM June 2026 Changes: The New AI Controls Explained
The ISM June 2026 update adds four AI controls and broadens a cryptography rule. What changed, who it applies to, and whether an ISM update affects your IRAP assessment.
21 June 2026

[ISO 27001] ISO 27001 Annex A Controls Explained
The 93 Annex A controls in ISO 27001:2022, grouped into four themes, what changed in 2022, and why you select from them through the Statement of Applicability rather than implementing all 93.
21 June 2026

[ISO 27001] ISO 27001 Certification Cost in Australia: What Drives the Price
ISO 27001 certification has no list price. What drives the cost, why audit fees scale with the number of people in scope, and the spend most budgets miss.
21 June 2026

[ISO 27001] ISO 27001 for SaaS: What Australian Software Companies Need to Know
ISO 27001 for SaaS companies: what the certificate covers, the cloud and secure development controls that matter most, how to scope a platform, and whether you also need SOC 2.
21 June 2026

[ISO 27001] ISO 27001: The Complete Australian Guide
ISO 27001:2022 is the international standard for an information security management system. What it requires, what certification costs and takes, and how it compares with SOC 2, IRAP and the Essential
21 June 2026

[ISO 27001] ISO 27001 Readiness Checklist for Australian Organisations
What to have in place before a certification body arrives: the clauses 4 to 10 management system, the Statement of Applicability, the Annex A controls you select, and evidence the ISMS has actually ru
21 June 2026

[ISO 27001] ISO 27001 Stage 1 vs Stage 2 Audit Explained
ISO 27001 certification is a two stage audit. Stage 1 reviews your ISMS documentation and readiness; Stage 2 tests whether it actually operates. What each stage examines, the gap between them, and how
21 June 2026

[ISO 27001] The ISO 27001 Statement of Applicability Explained
The Statement of Applicability is the ISO 27001 document that maps every Annex A control to your risk treatment, with a reason for each inclusion and exclusion. What it must contain, and the mistakes
21 June 2026

[ISO 27001] ISO 27001 vs SOC 2: Which Does Your Organisation Need?
ISO 27001 certifies a management system; SOC 2 is a CPA firm’s report against the AICPA criteria. Which you need depends on who is asking, and you can reuse the work across both.
21 June 2026

[ISO 42001] ISO 42001 Certification Cost in Australia: What Drives the Price
ISO 42001 certification has no set price. The cost tracks your AI footprint, splitting across building the management system, audit fees over a three year cycle, and upkeep.
21 June 2026

[ISO 42001] ISO 42001 for AI Product Companies: What You Need to Know
What ISO 42001 means for companies that build and sell AI: what it certifies, where the scope widens for a provider, and how it fits ISO 27001 and the EU AI Act.
21 June 2026

[ISO 42001] ISO 42001: The Complete Guide to AI Management Systems
ISO 42001, published as ISO/IEC 42001:2023, is the first international standard for an AI management system. It sets out how to govern the AI you build or buy, through clauses 4 to 10 and 38 Annex A c
21 June 2026

[ISO 42001] ISO 42001 Readiness Checklist for Australian Organisations
A clause by clause ISO 42001 readiness checklist for Australian organisations: the management system, the Annex A controls, the documents to prepare, and the AI system impact assessment that catches t
21 June 2026

[ISO 42001] ISO 42001 vs the EU AI Act: Which Governs Your AI?
ISO 42001 is a voluntary AI management standard; the EU AI Act is binding law. Where they overlap, where they do not, and what Australian organisations actually need.
21 June 2026

[SOC 2] SOC 2 Cost in Australia: What Drives the Price
What a SOC 2 report costs in Australia, broken into readiness, the licensed CPA firm audit fee, tooling and the observation period, and why Type II costs more than Type I.
21 June 2026

[SOC 2] SOC 2 for Australian SaaS Selling into the US: What You Need to Know
Why US customers ask Australian SaaS companies for SOC 2, how it differs from ISO 27001, whether you need a Type I or Type II report, and how to scope it.
21 June 2026

[SOC 2] SOC 2: The Complete Guide for Australian Technology Companies
SOC 2 is an attestation report against the AICPA Trust Services Criteria, not a certification. What Australian technology companies need to know before a US customer asks.
21 June 2026

[SOC 2] SOC 2 Readiness Checklist for Australian Companies
What to prepare before a SOC 2 audit: scope the Trust Services Criteria, stand up the controls, and collect the evidence a licensed CPA firm will sample.
21 June 2026

[SOC 2] The SOC 2 Trust Services Criteria Explained
The five SOC 2 Trust Services Criteria explained: Security, Availability, Processing Integrity, Confidentiality and Privacy, and which ones you actually need.
21 June 2026

[SOC 2] SOC 2 Type I vs Type II: Which Report Do You Need?
A Type I tests control design on a single day; a Type II tests whether controls operated over a period. Which one customers accept, how long the window runs, and when to use each.
21 June 2026

[Virtual CISO] Virtual CISO for Startups and Scaleups: Do You Need One?
Whether a startup or scaleup needs a virtual CISO, the real trigger, and when to move to a full time hire.
21 June 2026

[Virtual CISO] vCISO Pricing Models: How Virtual CISO Services Are Priced
How virtual CISO services are priced: the common retainer, tiered and day rate models, what drives the fee, and how Cybernion scopes a vCISO retainer.
21 June 2026

[Virtual CISO] vCISO vs a Full Time CISO: Which Does Your Business Need?
A vCISO and a full time CISO are the same role at different capacity. When a part time retainer is enough, and when the security workload justifies a full time hire.
21 June 2026

[Virtual CISO] vCISO vs an MSSP: What’s the Difference and Which Do You Need?
A vCISO and an MSSP solve different problems. A virtual CISO owns your security strategy, risk decisions and board reporting. A Managed Security Service Provider runs the tools, the monitoring and the
21 June 2026

[Virtual CISO] Virtual CISO: The Complete Australian Guide
What a virtual CISO is, when you need one, what they do, how pricing works, and how a vCISO leads your Essential Eight, ISO 27001, SOC 2 and IRAP work.
21 June 2026

[Virtual CISO] What Does a Virtual CISO Do? The Scope of the Role
A virtual CISO owns the direction and accountability of your security programme, not the hands on build. Here is exactly what the role covers, and what sits outside it.
21 June 2026

[Virtual CISO] What Is a Virtual CISO? An Australian Guide
A virtual CISO is the CISO role engaged part time on a retainer. It carries full accountability for security strategy, risk and board reporting, without the cost of a full time hire.
21 June 2026

[ISO 27001] What Is ISO 27001:2022? A Plain Guide for Australian Organisations
ISO 27001:2022 is the international standard for an information security management system. What it certifies, what Annex A requires, and whether you need it in Australia.
21 June 2026

[ISO 42001] What Is ISO 42001?
ISO 42001 is the world’s first certifiable AI management system standard. What it requires, who needs it, the AI impact assessment, and how it fits with ISO 27001 and the EU AI Act.
21 June 2026

[SOC 2] What Is SOC 2? An Australian Guide
SOC 2 is an attestation report, not a certification. What it covers, Type I versus Type II, and how it compares with ISO 27001 for Australian companies.
21 June 2026

[Essential Eight] What Is the Essential Eight?
The Essential Eight is ASD’s set of eight mitigation strategies. What each one does, the four maturity levels, who must comply, and how an assessment works.
21 June 2026

[IRAP] What Is the ISM? The Australian Government Information Security Manual Explained
The Information Security Manual (ISM) is the ASD catalogue of cyber security controls that Australian government systems, and IRAP assessments, are measured against. What it is and how it works.
21 June 2026

[Virtual CISO] When Do You Need a Virtual CISO?
A virtual CISO is the right move when cyber security needs an accountable owner at management level and a full time CISO is not yet justified. Here are the signals that mean it is time.
21 June 2026

[ISO 42001] Why AI Governance Matters Now
AI governance moved from optional to expected. Why it matters now in Australia, what the EU AI Act and ISO 42001 change, and where to start.
21 June 2026

[Security] Maintaining IRAP Posture between Assessments
An IRAP assessment is point in time; the authorisation that follows is not. The ISM updates quarterly, systems change, and cloud providers must be reassessed within 24 months under PSPF requirement 01
6 June 2026

[Security] Do You Need IRAP to Sell to the Australian Government?
Short answer: If your cloud or SaaS product stores, processes or transmits Australian Government information at OFFICIAL: Sensitive, PROTECTED or above, you almost certainly need an IRAP assessment be
5 June 2026

[Security] How the IRAP Assessment Process Works
An IRAP assessment follows four stages from the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls against the ISM, and produce the report and cont
5 June 2026

[Security] How to Choose an IRAP Assessor
Choosing an IRAP assessor starts with the ASD register of endorsed assessors, but the register is a starting point, not a selection criterion. All registered assessors meet ASD’s minimum bar. What var
5 June 2026

[Security] How to Define an IRAP Assessment Boundary
The IRAP assessment boundary is the set of system components, people, processes and technologies that will be assessed. The IRAP assessor defines it and agrees it with the assessed entity before subst
5 June 2026

[Security] How to Prepare for an IRAP Assessment
Preparation is the work you do before the assessor arrives: current documentation, gathered evidence, available people, and access logistics. Organisations that arrive without this groundwork extend t
5 June 2026

[Security] What Does Information Classification Mean for IRAP?
The classification of the information your system handles is set by the government agency that owns it, not by you as the provider, and it must be confirmed before scoping. The ISM control set is the
5 June 2026

[Security] IRAP Authorisation Package
The authorisation package is the set of documents an authorising officer uses to decide whether to approve a system to operate. The IRAP assessment report is central, not the whole package. The office
5 June 2026

[Security] IRAP POAM and Risk Management
A plan of action and milestones converts assessment findings into managed work. It records what was found, what you have decided to do about each item, who owns it, and by when. A credible POAM, maint
5 June 2026

[Security] Understanding IRAP Report and Cloud Controls Matrix
An IRAP assessment produces two documents: the assessment report and the control matrix, a derivative of the System Security Plan annex. Together they give an authorising officer the system’s strength
5 June 2026

[Security] What an IRAP Assessment Is, and What It Is Not
An IRAP assessment is an independent, point in time assessment of a specific system against the Information Security Manual, performed by an ASD endorsed assessor. It produces a report and a control m
5 June 2026

[Security] IRAP Assessment FAQs
IRAP is the Infosec Registered Assessors Program, run by the Australian Signals Directorate. An IRAP assessor independently assesses a system against the Information Security Manual and reports its st
26 Mar 2026

[Security] Compromised by Design – The Hidden Risks of Wearable Tech
Some choices shape our future in ways we can’t immediately see. Wearable smart devices fall into that category. At first glance, they are insightful, motivational, convenient — and, in some cases, lif
15 Aug 2025

[Security] Cyber Security in Space – Securing the Stars, and Our Future
As the world becomes increasingly reliant on satellite technology for communication, navigation, and national security, the importance of space cybersecurity is also growing. The potential impact of a
26 Mar 2024

[Security] Identify and Implement The Right Cybersecurity Framework
The field of cybersecurity is constantly evolving, and the increasing number of frameworks and standards can be overwhelming for organisations seeking to secure their information assets. This article
25 Feb 2024