Cyber Security Compliance, Explained
Plain English guides to IRAP, the Essential Eight, ISO 27001 and 42001, SOC 2, SMB1001 and virtual CISO. Written from real assessment work.
Start Here: The Framework Guides
The cornerstone guide for each framework, the best place to begin.
IRAP Assessment: The Complete Australian Guide
Essential Eight: The Complete Australian Guide
ISO 27001: The Complete Australian Guide
ISO 42001: The Complete Guide to AI Management Systems
SOC 2: The Complete Guide for Australian Technology Companies
SMB1001: The Complete Guide for Australian Small Business
Virtual CISO: The Complete Australian Guide
Browse the Guides
SMB1001: The Complete Guide for Australian Small Business
SMB1001 is a five level cyber security certification for SMBs from Dynamic Standards International.
22 June 2026

SMB1001
SMB1001 vs the Essential Eight: What Australian SMBs Should Know
How SMB1001 and the ACSC Essential Eight differ, where they overlap, and which one your customers, insurer or regulator.
22 June 2026

SMB1001
What Is SMB1001? An Australian Guide
SMB1001 is a five level cyber security certification for small and medium businesses from Dynamic Standards International.
22 June 2026

ISO 42001
AI Risk Assessment Under ISO 42001: What It Requires
ISO 42001 asks for two linked exercises: an AI risk assessment of risks to your objectives, and an AI system impact.
21 June 2026

IRAP
Entity Assessor vs IRAP Assessor: What’s the Difference?
Not every ISM assessment needs an IRAP assessor.
21 June 2026

Essential Eight
Essential Eight Assessment Cost in Australia
What an Essential Eight assessment costs in Australia, what drives the price, and why reaching Maturity Level Two is the.
21 June 2026

Essential Eight
Essential Eight Changes in 2026: What Is Actually Changing
The Essential Eight maturity levels are not changing on 1 July 2026. The bigger change is broader.
21 June 2026

Essential Eight
Essential Eight for Commonwealth Entities: The Maturity Level Two Expectation
Since 1 July 2022 the PSPF has required non corporate Commonwealth entities to reach Essential Eight Maturity Level Two.
21 June 2026

Essential Eight
Essential Eight Compliance Checklist
What to verify for each of the eight mitigation strategies, which maturity level you need to reach, and how Essential Eight.
21 June 2026

Essential Eight
Essential Eight: The Complete Australian Guide
What the Essential Eight is, the maturity model, who needs it, how an assessment works, what it costs, and how it relates.
21 June 2026

Essential Eight
Essential Eight Maturity Levels (ML0 to ML3) Explained
ASD’s Essential Eight maturity model has four levels.
21 June 2026

IRAP
Essential Eight vs ISM vs IRAP: How the Three Fit Together
The Essential Eight, the ISM and IRAP are not rival choices.
21 June 2026

Essential Eight
Essential Eight vs ISO 27001: Which Does Your Organisation Need?
The Essential Eight and ISO 27001 solve different problems.
21 June 2026

Essential Eight
Essential Eight vs the ISM: How They Fit Together
The Essential Eight is a subset of the ISM, not an alternative to it.
21 June 2026

IRAP
What Classification Does Your Government Cloud Need?
The classification of a government cloud is set by the owning agency, not the provider.
21 June 2026

IRAP
Australian Government Information Classifications: OFFICIAL to SECRET
Australian Government information classifications run from OFFICIAL to SECRET.
21 June 2026

IRAP
How Long Does an IRAP Assessment Take?
ASD sets no fixed length for an IRAP assessment.
21 June 2026

Essential Eight
How Long Does an Essential Eight Assessment Take?
How long an Essential Eight assessment takes in Australia, the two phases involved, and what makes it faster or slower.
21 June 2026

ISO 27001
How Long Does ISO 27001 Certification Take in Australia?
How long ISO 27001 certification takes in Australia, the stages and what they involve, why the management system must run.
21 June 2026

SOC 2
How Long Does SOC 2 Take?
SOC 2 has no single duration.
21 June 2026

IRAP
How Often Do You Need an IRAP Assessment? The 24 Month Rule Explained
There is no annual IRAP cycle.
21 June 2026

IRAP
How to Become an IRAP Assessor in Australia
What it takes to become an ASD endorsed IRAP assessor in Australia: citizenship, five years of experience, Category A and B.
21 June 2026

IRAP
IRAP and the Hosting Certification Framework: How They Fit Together
The Hosting Certification Framework certifies the provider; IRAP assesses the system against the ISM.
21 June 2026

IRAP
How Much Does an IRAP Assessment Cost in Australia?
What an IRAP assessment costs in Australia, the price drivers by classification, and the internal costs most budgets miss.
21 June 2026

IRAP
IRAP Assessment: The Complete Australian Guide
A complete guide to IRAP assessment in Australia: whether you need it, what it is, cost, timeline, the process, the report,.
21 June 2026

IRAP
The IRAP Documents You Need: What to Prepare Before an Assessment
The documents an IRAP assessment runs on, from the System Security Plan annex to the SRMP, monitoring and incident response.
21 June 2026

IRAP
IRAP for Defence: Do You Need It for DISP and Defence Contracts?
IRAP is not a DISP requirement.
21 June 2026

IRAP
IRAP for SaaS and Cloud Providers: What You Need to Know
IRAP for SaaS and cloud providers explained: what the assessment covers, how the shared responsibility model works, which.
21 June 2026

IRAP
IRAP Readiness Checklist: How to Prepare for an IRAP Assessment
A practical IRAP readiness checklist: the classification and scope decisions, the documents, the control evidence, and the.
21 June 2026

IRAP
IRAP vs FedRAMP: What’s the Difference and Which Do You Need?
IRAP and FedRAMP are the cloud security regimes of two different governments.
21 June 2026

IRAP
IRAP vs ISO 27001: Which Does Your Business Need?
ISO 27001 certifies your management system; IRAP assesses one system against the ISM for Australian Government use.
21 June 2026

IRAP
Is IRAP a Certification?
IRAP is an assessment, not a certification. There is no certificate and no pass mark.
21 June 2026

IRAP
ISM June 2026 Changes: The New AI Controls Explained
The ISM June 2026 update adds four AI controls and broadens a cryptography rule.
21 June 2026

ISO 27001
ISO 27001 Annex A Controls Explained
The 93 Annex A controls in ISO 27001:2022, grouped into four themes, what changed in 2022, and why you select from them.
21 June 2026

ISO 27001
ISO 27001 Certification Cost in Australia: What Drives the Price
ISO 27001 certification has no list price.
21 June 2026

ISO 27001
ISO 27001 for SaaS: What Australian Software Companies Need to Know
ISO 27001 for SaaS companies: what the certificate covers, the cloud and secure development controls that matter most, how.
21 June 2026

ISO 27001
ISO 27001: The Complete Australian Guide
ISO 27001:2022 is the international standard for an information security management system.
21 June 2026

ISO 27001
ISO 27001 Readiness Checklist for Australian Organisations
What to have in place before a certification body arrives: the clauses 4 to 10 management system, the Statement of.
21 June 2026

ISO 27001
ISO 27001 Stage 1 vs Stage 2 Audit Explained
ISO 27001 certification is a two stage audit.
21 June 2026

ISO 27001
The ISO 27001 Statement of Applicability Explained
The Statement of Applicability is the ISO 27001 document that maps every Annex A control to your risk treatment, with a.
21 June 2026

ISO 27001
ISO 27001 vs SOC 2: Which Does Your Organisation Need?
ISO 27001 certifies a management system; SOC 2 is a CPA firm’s report against the AICPA criteria.
21 June 2026

ISO 42001
ISO 42001 Certification Cost in Australia: What Drives the Price
ISO 42001 certification has no set price.
21 June 2026

ISO 42001
ISO 42001 for AI Product Companies: What You Need to Know
What ISO 42001 means for companies that build and sell AI: what it certifies, where the scope widens for a provider, and.
21 June 2026

ISO 42001
ISO 42001: The Complete Guide to AI Management Systems
ISO 42001, published as ISO/IEC 42001:2023, is the first international standard for an AI management system.
21 June 2026

ISO 42001
ISO 42001 Readiness Checklist for Australian Organisations
A clause by clause ISO 42001 readiness checklist for Australian organisations: the management system, the Annex A controls,.
21 June 2026

ISO 42001
ISO 42001 vs the EU AI Act: Which Governs Your AI?
ISO 42001 is a voluntary AI management standard; the EU AI Act is binding law.
21 June 2026

SOC 2
SOC 2 Cost in Australia: What Drives the Price
What a SOC 2 report costs in Australia, broken into readiness, the licensed CPA firm audit fee, tooling and the observation.
21 June 2026

SOC 2
SOC 2 for Australian SaaS Selling into the US: What You Need to Know
Why US customers ask Australian SaaS companies for SOC 2, how it differs from ISO 27001, whether you need a Type I or Type.
21 June 2026

SOC 2
SOC 2: The Complete Guide for Australian Technology Companies
SOC 2 is an attestation report against the AICPA Trust Services Criteria, not a certification.
21 June 2026

SOC 2
SOC 2 Readiness Checklist for Australian Companies
What to prepare before a SOC 2 audit: scope the Trust Services Criteria, stand up the controls, and collect the evidence a.
21 June 2026

SOC 2
The SOC 2 Trust Services Criteria Explained
The five SOC 2 Trust Services Criteria explained: Security, Availability, Processing Integrity, Confidentiality and.
21 June 2026

SOC 2
SOC 2 Type I vs Type II: Which Report Do You Need?
A Type I tests control design on a single day; a Type II tests whether controls operated over a period.
21 June 2026

Virtual CISO
Virtual CISO for Startups and Scaleups: Do You Need One?
Whether a startup or scaleup needs a virtual CISO, the real trigger, and when to move to a full time hire.
21 June 2026

Virtual CISO
vCISO Pricing Models: How Virtual CISO Services Are Priced
How virtual CISO services are priced: the common retainer, tiered and day rate models, what drives the fee, and how.
21 June 2026

Virtual CISO
vCISO vs a Full Time CISO: Which Does Your Business Need?
A vCISO and a full time CISO are the same role at different capacity.
21 June 2026

Virtual CISO
vCISO vs an MSSP: What’s the Difference and Which Do You Need?
A vCISO and an MSSP solve different problems.
21 June 2026

Virtual CISO
Virtual CISO: The Complete Australian Guide
What a virtual CISO is, when you need one, what they do, how pricing works, and how a vCISO leads your Essential Eight, ISO.
21 June 2026

Virtual CISO
What Does a Virtual CISO Do? The Scope of the Role
A virtual CISO owns the direction and accountability of your security programme, not the hands on build.
21 June 2026

Virtual CISO
What Is a Virtual CISO? An Australian Guide
A virtual CISO is the CISO role engaged part time on a retainer.
21 June 2026

ISO 27001
What Is ISO 27001:2022? A Plain Guide for Australian Organisations
ISO 27001:2022 is the international standard for an information security management system.
21 June 2026

ISO 42001
What Is ISO 42001?
ISO 42001 is the world’s first certifiable AI management system standard.
21 June 2026

SOC 2
What Is SOC 2? An Australian Guide
SOC 2 is an attestation report, not a certification.
21 June 2026

Essential Eight
What Is the Essential Eight?
The Essential Eight is ASD’s set of eight mitigation strategies.
21 June 2026

IRAP
What Is the ISM? The Australian Government Information Security Manual Explained
The Information Security Manual (ISM) is the ASD catalogue of cyber security controls that Australian government systems,.
21 June 2026

Virtual CISO
When Do You Need a Virtual CISO?
A virtual CISO is the right move when cyber security needs an accountable owner at management level and a full time CISO is.
21 June 2026

ISO 42001
Why AI Governance Matters Now
AI governance moved from optional to expected.
21 June 2026

Security
Maintaining IRAP Posture between Assessments
An IRAP assessment is point in time; the authorisation that follows is not.
6 June 2026

Security
Do You Need IRAP to Sell to the Australian Government?
Short answer: If your cloud or SaaS product stores, processes or transmits Australian Government information at OFFICIAL:.
5 June 2026

Security
How the IRAP Assessment Process Works
An IRAP assessment follows four stages from the IRAP Common Assessment Framework: plan and prepare, define the assessment.
5 June 2026

Security
How to Choose an IRAP Assessor
Choosing an IRAP assessor starts with the ASD register of endorsed assessors, but the register is a starting point, not a.
5 June 2026

Security
How to define an IRAP Assessment Boundary
The IRAP assessment boundary is the set of system components, people, processes and technologies that will be assessed.
5 June 2026

Security
How to Prepare for an IRAP Assessment
Preparation is the work you do before the assessor arrives: current documentation, gathered evidence, available people, and.
5 June 2026

Security
What does information classification mean for IRAP?
The classification of the information your system handles is set by the government agency that owns it, not by you as the.
5 June 2026

Security
IRAP Authorisation Package
The authorisation package is the set of documents an authorising officer uses to decide whether to approve a system to.
5 June 2026

Security
IRAP POAM and Risk Management
A plan of action and milestones converts assessment findings into managed work.
5 June 2026

Security
Understanding IRAP Report and Cloud Controls Matrix
An IRAP assessment produces two documents: the assessment report and the control matrix, a derivative of the System.
5 June 2026

Security
What an IRAP assessment is, and what it is not
An IRAP assessment is an independent, point in time assessment of a specific system against the Information Security.
5 June 2026

Security
IRAP Assessment FAQs
IRAP is the Infosec Registered Assessors Program, run by the Australian Signals Directorate.
26 Mar 2026

Security
Compromised by Design – The Hidden Risks of Wearable Tech
Some choices shape our future in ways we can’t immediately see. Wearable smart devices fall into that category.
15 Aug 2025

Security
Cyber Security in Space – Securing the Stars, and Our Future
As the world becomes increasingly reliant on satellite technology for communication, navigation, and national security, the.
26 Mar 2024

Security
Identify and Implement The Right Cybersecurity Framework
The field of cybersecurity is constantly evolving, and the increasing number of frameworks and standards can be.
25 Feb 2024