Skip to content
Compliance Consulting

The Privacy Act doesn't fine your company. It can hold you personally accountable.

Essential Eight, ISO 27001, the Privacy Act 1988, CPS 234, IRAP — the obligations are real, and for a director, so is the exposure. We translate the framework into the controls that satisfy it, and the evidence that proves it, in language your board understands.

Engagement snapshotGMAN IT
Essential EightACSC baseline maturity
ISO 27001Information-security management
Privacy Act 1988Notifiable Data Breaches scheme
CPS 234 / IRAPWhere they apply to your sector
The part no one tells a director

Compliance isn’t a certificate. It’s a duty you carry personally.

Regulators and courts increasingly treat cyber risk as a foreseeable risk directors are expected to manage. 'We meant to get to it' is not a defence your insurer, or the regulator, accepts after a breach. Continuous compliance is the difference between prepared and exposed.

How GMAN protects

Compliance as a maintained state, not a scramble.

Every framework below is assessed, uplifted, and kept current — not revisited only when a renewal or a regulator forces the question.

  1. 01

    We map the obligations that actually apply to you

    Not a generic framework — a plain-English list of what applies to your sector, your data, and your size.

  2. 02

    We close the gap against Essential Eight

    Assessed and uplifted to the maturity level your risk profile calls for, tracked over time, not a one-off tick.

  3. 03

    We maintain the evidence, continuously

    Policies, logs and control evidence kept current, so an audit or a regulator's request doesn't trigger a scramble.

  4. 04

    We report in the language your board needs

    Plain-English compliance reporting your directors can present, not a technical document that needs translating.

What’s deployed

6 controls. One accountable partner.

Every line below is deployed, monitored, and maintained by us — not a part-time attention split across your other vendors.

Assessed against AU frameworks only

Compliance Consulting — Inclusions Ledger

  1. Compliance gap assessment against applicable frameworksA plain-English read of what actually applies to your business, not a generic checklist.
  2. Essential Eight maturity uplift roadmapA staged plan to the maturity level your risk profile calls for.
  3. Privacy Act 1988 / Notifiable Data Breaches readinessA rehearsed process for the notification obligation regulators actually enforce.
  4. Continuous control evidence & audit-ready documentationEvidence maintained as a state, so an audit never triggers a scramble.
  5. Board-ready compliance reportingPlain-English reporting your directors can present without a translator.
  6. Regulator & insurer liaison support, where requiredWe support the conversation your compliance obligation forces, when it's needed.
Framework ledger
The signature peak

The obligations that actually apply to your business.

No US frameworks, no generic checklist — the Australian obligations that carry real consequences, and exactly how we prove each one is met.

Essential Eight

Requires — Eight mitigation strategies — MFA, patching, backups, application control and more — at a defined maturity level.

At stake — The ACSC baseline regulators and insurers now expect as a minimum, not an aspiration.

We prove it — Maturity assessed against all eight strategies, with a written uplift roadmap.

Assessed
ISO 27001

Requires — A documented information-security management system, reviewed and improved on a set cycle.

At stake — Increasingly a contractual condition for clients, insurers and government tenders.

We prove it — Policy suite, risk register and control evidence kept audit-ready year-round.

Assessed
Privacy Act 1988 / APPs

Requires — Reasonable steps to protect personal information, and notification of an eligible data breach.

At stake — The Notifiable Data Breaches scheme carries real consequences for a mishandled response, not just the breach itself.

We prove it — A rehearsed breach-notification process and the controls that reduce the chance of ever needing it.

Assessed
APRA CPS 234

Requires — Information-security capability commensurate with vulnerabilities and threats, for APRA-regulated entities.

At stake — Board-level accountability is written directly into the standard.

We prove it — Control testing and incident-notification processes aligned to CPS 234, where it applies to your business.

Assessed
IRAP

Requires — Independent assessment against the Australian Government Information Security Manual.

At stake — Often a prerequisite to holding government or critical-infrastructure contracts.

We prove it — Controls prepared and documented to withstand an IRAP assessment, where your contracts require it.

Assessed
Operational security excellence

We don't describe the work. We show it.

Case file · Professional Services · Melbourne · redacted

A CPS 234 gap closed before the regulator asked.

  • An APRA-regulated client's incident-notification process had never been tested.
  • Two of the eight Essential Eight strategies sat at maturity level zero.
  • No board-level reporting existed to evidence oversight of cyber risk.

A rehearsed notification process, a documented uplift roadmap, and quarterly board reporting were in place within one quarter, before any regulatory review.

Read the full file

The complete teardown — every gap found and closed — sent to your inbox. No call required.

One email, the file, nothing else. We don't sell lists — discretion is the work.

Know your obligations before a regulator asks.

A Cyber Risk Assessment shows exactly where you stand, and what it takes to close it. Credited toward your first year of protection.