The Privacy Act doesn't fine your company. It can hold you personally accountable.
Essential Eight, ISO 27001, the Privacy Act 1988, CPS 234, IRAP — the obligations are real, and for a director, so is the exposure. We translate the framework into the controls that satisfy it, and the evidence that proves it, in language your board understands.
- Essential EightACSC baseline maturity
- ISO 27001Information-security management
- Privacy Act 1988Notifiable Data Breaches scheme
- CPS 234 / IRAPWhere they apply to your sector
Compliance isn’t a certificate. It’s a duty you carry personally.
Regulators and courts increasingly treat cyber risk as a foreseeable risk directors are expected to manage. 'We meant to get to it' is not a defence your insurer, or the regulator, accepts after a breach. Continuous compliance is the difference between prepared and exposed.
Compliance as a maintained state, not a scramble.
Every framework below is assessed, uplifted, and kept current — not revisited only when a renewal or a regulator forces the question.
- 01
We map the obligations that actually apply to you
Not a generic framework — a plain-English list of what applies to your sector, your data, and your size.
- 02
We close the gap against Essential Eight
Assessed and uplifted to the maturity level your risk profile calls for, tracked over time, not a one-off tick.
- 03
We maintain the evidence, continuously
Policies, logs and control evidence kept current, so an audit or a regulator's request doesn't trigger a scramble.
- 04
We report in the language your board needs
Plain-English compliance reporting your directors can present, not a technical document that needs translating.
6 controls. One accountable partner.
Every line below is deployed, monitored, and maintained by us — not a part-time attention split across your other vendors.
Assessed against AU frameworks onlyCompliance Consulting — Inclusions Ledger
- Compliance gap assessment against applicable frameworksA plain-English read of what actually applies to your business, not a generic checklist.
- Essential Eight maturity uplift roadmapA staged plan to the maturity level your risk profile calls for.
- Privacy Act 1988 / Notifiable Data Breaches readinessA rehearsed process for the notification obligation regulators actually enforce.
- Continuous control evidence & audit-ready documentationEvidence maintained as a state, so an audit never triggers a scramble.
- Board-ready compliance reportingPlain-English reporting your directors can present without a translator.
- Regulator & insurer liaison support, where requiredWe support the conversation your compliance obligation forces, when it's needed.
The obligations that actually apply to your business.
No US frameworks, no generic checklist — the Australian obligations that carry real consequences, and exactly how we prove each one is met.
Requires — Eight mitigation strategies — MFA, patching, backups, application control and more — at a defined maturity level.
At stake — The ACSC baseline regulators and insurers now expect as a minimum, not an aspiration.
We prove it — Maturity assessed against all eight strategies, with a written uplift roadmap.
AssessedRequires — A documented information-security management system, reviewed and improved on a set cycle.
At stake — Increasingly a contractual condition for clients, insurers and government tenders.
We prove it — Policy suite, risk register and control evidence kept audit-ready year-round.
AssessedRequires — Reasonable steps to protect personal information, and notification of an eligible data breach.
At stake — The Notifiable Data Breaches scheme carries real consequences for a mishandled response, not just the breach itself.
We prove it — A rehearsed breach-notification process and the controls that reduce the chance of ever needing it.
AssessedRequires — Information-security capability commensurate with vulnerabilities and threats, for APRA-regulated entities.
At stake — Board-level accountability is written directly into the standard.
We prove it — Control testing and incident-notification processes aligned to CPS 234, where it applies to your business.
AssessedRequires — Independent assessment against the Australian Government Information Security Manual.
At stake — Often a prerequisite to holding government or critical-infrastructure contracts.
We prove it — Controls prepared and documented to withstand an IRAP assessment, where your contracts require it.
AssessedWe don't describe the work. We show it.
A CPS 234 gap closed before the regulator asked.
- An APRA-regulated client's incident-notification process had never been tested.
- Two of the eight Essential Eight strategies sat at maturity level zero.
- No board-level reporting existed to evidence oversight of cyber risk.
A rehearsed notification process, a documented uplift roadmap, and quarterly board reporting were in place within one quarter, before any regulatory review.
Also part of Cybersecurity
Know your obligations before a regulator asks.
A Cyber Risk Assessment shows exactly where you stand, and what it takes to close it. Credited toward your first year of protection.