Most AU and NZ businesses follow one of five paths. Find yours.

See what your insurer sees from the outside. An A–F scorecard of your internet-facing exposure with a clear fix list. Run quarterly or pre-renewal.

Maps your controls against insurer requirements. Produces the evidence pack your broker needs and identifies the gaps that affect your premium or coverage.

Insurers consistently ask for written policies. Cyber, acceptable use, BYOD, and incident response policies drafted for your context.

Staff training is a standard insurer ask. Phishing simulations and a measurable awareness programme give you evidence of ongoing training.

Run annually (or quarterly) to support your renewal conversation and demonstrate ongoing security vigilance.

Handle the immediate questionnaire or vendor audit. Fast turnaround — typically 2–3 weeks from engagement to completed response.

Understand your broader security posture before the next questionnaire arrives. Identifies the gaps that will come up again.

The framework enterprise clients and government agencies expect. Demonstrates systematic maturity, not ad-hoc controls.

If the client or tender requires formal certification, ISO 27001 is the destination. Builds on everything from Step 3.

A low-cost, non-intrusive starting point. See what's exposed before committing to a larger programme. Gives you an honest picture of your external risk.

Build the baseline documentation and close the priority gaps. Sets the agenda for everything that follows — no wasted spend on the wrong things.

The achievable first certification for Australian businesses. Demonstrates commitment, gives you something tangible, and sets the foundation for Essential Eight or ISO 27001 later.

Add layers progressively: policies, incident response planning, awareness training, risk assessments. Build a mature programme without trying to do everything at once.

Understand where you stand before starting the DISP process. DISP assessors will ask about your existing controls — the snapshot gives you honest answers.

DISP and government work requires a secure Microsoft 365 environment. Configuration review and ongoing drift monitoring — hands deliverables directly to your MSP.

The gateway to defence work. CyberCraft guides the full accreditation process — policy development, control evidence, DISP assessment preparation.

Required for higher-level defence contracts and ASD panels. Builds directly on the DISP work already completed.

For businesses with ongoing defence obligations, a vCISO provides the security leadership function without the cost of a full-time hire.

Fixed-scope sprint to get compliant before 1 July 2026. Covers the key obligations — data mapping, privacy notices, consent mechanisms, and breach response procedures.

Update your privacy policy and internal handling procedures. The Act requires documented processes — not just good intentions.

Build the ongoing programme: privacy by design, vendor assessments, breach response rehearsal, and staff training. Compliance is not a one-time event.