Australia — Cyber & Privacy Readiness Platform

Your regulatory exposure,
diagnosed in 12 minutes.

PostureCheck maps your security and privacy posture against Essential Eight, Privacy Act 1988 and the NDB Scheme — and delivers an executive-grade report your board can act on. No consultant. No waiting. No guesswork.

Board-ready report Scored, prioritised, written for leadership — not IT.
Regulatory mapping Every gap tied to the specific law or control it breaches.
Implementation-ready 30/60/90-day roadmap and policy templates included.
  • 33 structured questions, about 12 minutes
  • Executive report delivered instantly
  • AUD 99 — one-time, no subscription
Sample Output
Cyber & Privacy Readiness Report
Australian SMB — Confidential
62% ready
4 critical gaps
3 high risk
8 controls assessed
1 control ready

Application Control: 45%
Patch Management: 58%
Privacy Governance: 74%

Critical: No application allowlisting across workstations and servers. Unapproved software can execute without detection — Essential Eight ML1 gap.
High: Backup restoration untested. No documented RTO/RPO. Ransomware recovery capability is unverified.
Preview excerpts only. Full report includes regulatory mapping, remediation roadmap and policy templates.
Essential Eight Snapshot
Control maturity mapped to evidence
ML1 baseline view
Multi-factor authentication: Gap
Patch applications: Partial
Application control: Gap
Restrict admin privileges: Ready
Regular backups: Partial
Each row shows whether your organisation can produce evidence — not just awareness — for each control area.
Remediation Roadmap
From findings to action — in three stages.
Priority-sequenced
First 30 days: Contain exposure
Enforce MFA on all internet-facing services, remove dormant privileged accounts, verify backup restoration with documented evidence.

Days 31–60: Build defensible evidence
Formalise patch cadence, establish incident register, audit vendor access agreements, align privacy notices with actual data collection practices.

Days 61–90: Advance maturity
Conduct tabletop breach exercise, harden application control policy, produce board-ready progress reporting against Essential Eight ML1.

The full report assigns owners, timeframes and evidence requirements to each action — plus ready-to-use policy templates.
Frameworks & legislation: Essential Eight, Privacy Act 1988, NDB Scheme, Cyber Security Act 2024, SOCI Act 2018, ISM (ACSC)
No credit card required. 33 structured questions, about 12 minutes. Mapped to Essential Eight, Privacy Act 1988 and the NDB Scheme.
What You Get

A report your team can execute long after the session ends.

The product is not a score. The value is the packaged deliverable: board-grade language, prioritised findings with regulatory references, mapped obligations and implementation templates — so your team can take action without starting from scratch.

01. Executive risk summary
Plain-language posture overview for owners, directors and boards — business impact and regulatory exposure front and centre, no technical jargon required.

02. Prioritised findings
Every gap ranked by severity, affected domain and regulatory reference — so your team knows exactly what to fix first and why it matters legally.

03. Regulatory mapping
Each finding tied to the specific Essential Eight control, Privacy Act APP, NDB obligation or Cyber Security Act requirement it implicates.

04. Implementation toolkit
Six ready-to-customise policy templates that help your team produce the evidence, ownership and documentation required to close the gaps.

Doing nothing: Exposure stays invisible
Most Australian SMBs only discover weak controls when a client audit, insurer review or actual incident forces the question.
  • No security or privacy baseline
  • No prioritised remediation path
  • No evidence pack for leadership, insurers or clients

Traditional consulting: Thorough — but weeks away
External engagements can be valuable, but the first step is often expensive, calendar-heavy and scoped well beyond what most SMBs need to start.
  • Higher upfront cost and commitment
  • Weeks of discovery before findings
  • Often over-scoped for teams under 100 people

PostureCheck: Immediate baseline. Tangible deliverable.
A structured self-assessment gives you an authoritative starting point today — then optional advisory can support execution when you're ready.
  • 12-minute guided assessment — no IT team needed
  • Board-ready executive report with regulatory mapping
  • Templates and reassessment included
Pricing

Start with your score. Unlock the report when it matters.

Use the free assessment to see your baseline. Upgrade only when you want the executive report, roadmap, templates or ongoing evidence support.

Free assessment
Instant Score Preview
Free
Answer 33 guided questions — See your score — No card required
  • Instant cyber/privacy readiness score
  • Domain-level strengths and gaps
  • Preview of top risk areas
  • No card required
Ongoing readiness
Readiness Plan
AUD 449 / year
Bought separately, the items below total AUD 497. The plan includes them all, plus quarterly reassessment.
  • The full AUD 99 executive report
  • Policy Pack Pro: 20 templates mapped to your gaps (AUD 299 value)
  • Cyber Insurance Readiness Pack (AUD 99 value)
  • Quarterly reassessment and refreshed roadmap
  • Quarterly risk and regulatory update brief
  • Dated reassessment history for internal evidence
Report: Executive report with score, domain breakdown, top risks and plain-English business impact.
Roadmap: 30/60/90-day remediation plan with priority sequencing and practical effort ratings.
Mapping: Essential Eight, Privacy Act 1988, NDB Scheme and ACSC-aligned controls.
Toolkit: Editable templates for access, backup, incident response, privacy, retention and vendors.
Optional upgrades

Need more than the report?

These are not separate assessments. They become available after the AUD 99 report and reuse the same answers — no re-assessment required.

Policy Pack Pro AUD 299
Individually prepared — delivered in 24h

20 policies individually prepared from your assessment data — gap-matched, reviewed and delivered to your inbox within 24 hours. Every pack is different because every assessment is different.

No two packs are the same. Prepared by our team based on your specific findings — not a generic template.
Insurance Readiness Pack AUD 99
Insurer-ready output

Your answers reformatted into insurer language — question map, control status and evidence checklist. Supports AXA, Chubb and QBE cyber policy applications.

Zero extra work. The same 33 answers generate a document your broker can submit directly.
Human Review Session AUD 399
30-minute walkthrough

A live session with a senior advisor to clarify your top risks, confirm priorities and convert the roadmap into first actions your team can start this week.

Available after report delivery. Booked via email — limited availability each month.
How it works
Thirty questions. One board-ready report. About 12 minutes.
Why this matters

Your business profile calibrates the report so recommendations reflect your actual risk exposure — not a generic checklist produced for every business category.

Output: assessment profile and benchmark context.
Report output
A deliverable your board can read and your team can execute.
Sample output
62% Readiness

Critical exposure ranked by severity — not framework order.

PostureCheck surfaces what actually needs fixing first, so your leadership team gets a prioritised action view rather than an undifferentiated list of controls.

Application Control: 45%
Backup Recovery: 58%
Privacy Governance: 74%
Each finding is ranked by severity, regulatory reference, business impact and the specific evidence required to remediate — so your team knows exactly what to produce.
Executive summary: Plain-English posture narrative for owners, boards and managers.
Risk evidence: Priority gaps tied to affected controls and expected artefacts.
Legal mapping: References to Essential Eight, Privacy Act and NDB obligations.
Action package: Roadmap and editable templates so the team can move next.
What your answers become

Not a checklist. A decision-ready risk workspace.

Every answer is converted into a structured output: what is missing, why it matters to the business, which Australian framework it maps to, and what action should happen next.

Assessment: 33 questions. Built for non-technical SMB leaders.
Coverage: 8 domains. Security, privacy and breach readiness.
Roadmap: 90 days. Prioritised improvement path.

Live report logic preview (auto-mapped)

Report finding: Application control gap identified.
The answer becomes an executive finding mapped to Essential Eight control expectations and business exposure.

Framework: Essential Eight #1, #3, #4
Priority: Critical gap
Evidence: App list, macro policy.

Board language: Without allowlisting, the business cannot show that only approved software runs on endpoints.

Essential Eight Snapshot

Control maturity — without reading a 40-page framework.

PostureCheck converts your answers into a structured control view aligned to the ASD Essential Eight. Each row shows whether your organisation has evidence for baseline controls, partial coverage, or a priority gap that belongs in your remediation roadmap.

Control area                          Status    Evidence coverage
Multi-factor authentication           Gap       ML0
Patch applications                    Partial   ML1
Patch operating systems               Gap       ML0
Restrict administrative privileges    Ready     ML2
Application control                   Gap       ML0
Restrict Microsoft Office macros      Partial   ML1
User application hardening            Gap       ML0
Regular backups                       Partial   ML1

Legend: Gap = priority gap; Partial = partial evidence; Ready = evidence ready. ML = Maturity Level (ACSC).
Scope of Assessment

Eight domains. Every obligation that matters.

A structured review across the security, privacy and breach-readiness domains Australian businesses are most frequently questioned on — by clients, cyber insurers and regulators alike. Click any domain to see what we check and why.

Application Control
Are only approved applications allowed to run? Is macro execution controlled?
Essential Eight #1, #3, #4
Patching & Hardening
Are critical patches applied within 48 hours? Any end-of-life systems still running?
Essential Eight #2, #6
Access & Privileges
Are admin accounts restricted? Is MFA enforced on all internet-facing services?
Essential Eight #5, #7
Backup & Recovery
Are backups immutable, tested, and stored offsite? Do you have a tested BCP/DRP?
Essential Eight #8
Privacy & Collection
Do you have an up-to-date Privacy Policy? Are you collecting only what you need?
Privacy Act, APPs 1–5
Data Use & Disclosure
Is data used only for its collected purpose? Are overseas transfers compliant?
Privacy Act, APPs 6–11
Individual Rights
Can customers access, correct or delete their data? Do you respond within 30 days?
Privacy Act, APPs 12–13
Incident & Breach
Do you have a breach response plan? Do you know your NDB notification obligations?
NDB Scheme + APP 11


Regulatory Exposure Map

See which Australian laws apply to your business.

Most tools check one framework. Set a business profile and watch the obligation map light up before paying for the full executive report.

This preview is directional, not legal advice. The full report maps your assessment answers to the relevant controls, evidence and next actions.
Legal & Regulatory Coverage

Australia's full regulatory stack. One assessment.

Most tools check one framework. PostureCheck maps your answers across Australia's complete cybersecurity and privacy legislative stack — so nothing falls through the gaps.

Cybersecurity Frameworks

ASD Essential Eight (2023)
Australia's flagship mitigation framework from the Australian Signals Directorate. Covers 8 strategies across 3 maturity levels (ML1–ML3). Mandatory baseline for Australian Government entities; strongly recommended for all private sector organisations. Addresses application control, patching, MFA, admin privilege restriction, macro settings, hardening, and backups.

Australian Cyber Security Act 2024
Landmark legislation enacted November 2024. Introduces mandatory ransomware payment reporting (within 72 hours), minimum cybersecurity standards for critical infrastructure, and expanded ACSC powers. Establishes the Cyber Incident Review Board (CIRB) for post-incident analysis. Marks the most significant expansion of Australian cybersecurity law in over a decade.

Security of Critical Infrastructure Act 2018 (SOCI)
Applies to 11 critical infrastructure sectors: communications, financial services, data storage, defence, education, energy, food, health, space, transport, and water. Requires a risk management program, incident reporting within 12 hours (for significant cyber attacks), and government assistance powers in severe cases.

Australian Government ISM (ACSC)
The Information Security Manual provides over 900 controls across 26 control areas. Updated monthly by ACSC. While mandatory only for government, it defines the technical baseline that IRAP-assessed organisations are measured against — and sets the standard that courts and regulators reference in negligence cases.

APRA CPS 234 (Financial Sector)
APRA Prudential Standard CPS 234 applies to all APRA-regulated entities (banks, insurers, superannuation funds). Requires defined information security capability, policy framework, testing of controls, and notification of material incidents within 72 hours. Non-compliance can result in licence conditions or capital penalties.

Privacy & Data Protection Laws

Privacy Act 1988 — 13 Australian Privacy Principles
Australia's primary privacy legislation. The 13 APPs cover: transparency (APP 1), anonymity (APP 2), collection (APPs 3–5), use and disclosure (APPs 6–8), data quality (APP 10), security (APP 11), and individual rights of access and correction (APPs 12–13). Applies to private sector organisations with annual turnover above AUD 3M, and to all health service providers regardless of size.

Notifiable Data Breaches (NDB) Scheme — Part IIIC
Mandatory breach notification scheme for APP entities. Triggered when: (1) unauthorised access or disclosure of personal information occurs, and (2) a reasonable person would conclude the breach is likely to result in serious harm. Assessment window: 30 days. Notification must go to OAIC and affected individuals. Penalties for failure: up to AUD 50M for corporations.

Privacy Act Reform — 2024 Amendments
The Privacy and Other Legislation Amendment Act 2024 introduced: a statutory tort for serious invasions of privacy, a children's online privacy code, enhanced OAIC enforcement powers, new requirements for automated decision-making transparency, and removal of the small business exemption under review. The most significant reform since the Act's introduction.

My Health Records Act 2012
Governs healthcare providers' obligations regarding the My Health Record system. Strict access controls, mandatory breach notifications, and criminal penalties for unauthorised access or disclosure (up to 2 years imprisonment). Applies to all healthcare providers registered with AHPRA.

Spam Act 2003 + Do Not Call Register Act 2006
The Spam Act prohibits sending unsolicited commercial electronic messages without consent. Penalties up to AUD 2.1M per day. The ACMA enforces strict opt-out and sender identification requirements. In 2022, Uber was fined AUD 26M for Spam Act violations — the largest penalty in Australian digital marketing history.

Regulatory Bodies & Enforcement

OAIC
Office of the Australian Information Commissioner. Enforces the Privacy Act and NDB Scheme. Conducts investigations, accepts complaints, and can impose civil penalties up to AUD 50M.

ACSC / ASD
Australian Cyber Security Centre. Technical cybersecurity authority. Publishes Essential Eight, ISM, threat intelligence, and operates the ReportCyber incident reporting portal.

APRA
Australian Prudential Regulation Authority. Enforces CPS 234 for the financial sector. Can impose enforceable undertakings, licence conditions, and capital add-ons for non-compliant entities.

ACMA
Australian Communications and Media Authority. Enforces the Spam Act and Do Not Call Register. Active enforcement with multi-million dollar penalties for serial non-compliance.

Common Questions — Answered with Precision

The legal and technical questions we hear most from Australian businesses — answered with the specificity they deserve.

Who is legally required to comply with the Privacy Act in Australia?
The Privacy Act 1988 applies to: (1) private sector organisations with annual turnover exceeding AUD 3 million; (2) all health service providers regardless of turnover; (3) all Australian Government agencies; (4) organisations that opt in voluntarily; and (5) organisations that trade in personal information. Following the 2024 reforms, the small business exemption is under active review and is expected to be removed — meaning all businesses handling personal data should begin compliance now.

What exactly triggers a mandatory notification under the NDB Scheme?
An eligible data breach under Part IIIC of the Privacy Act requires three elements: (1) unauthorised access, disclosure, or loss of personal information; (2) that a reasonable person would conclude is likely to result in serious harm to any affected individual; and (3) the entity has not been able to prevent the likelihood of serious harm through remedial action. The organisation has 30 days from becoming aware of a potential breach to complete its assessment. If confirmed, notification must go simultaneously to the OAIC and to affected individuals. Failure to notify carries penalties of up to AUD 50M for corporations.

What are the Essential Eight Maturity Levels and which one applies to my business?
The Essential Eight defines three maturity levels. ML1: baseline protection against commodity threats — opportunistic attackers, bulk phishing, ransomware targeting easy victims. ML2: intermediate protection against targeted attacks where the adversary has invested moderate effort. ML3: advanced protection against sophisticated, persistent threats. For most Australian SMBs, ML1 is the minimum acceptable baseline. Businesses handling sensitive personal data (health, finance, legal) should target ML2. ACSC recommends all organisations achieve at least ML2 by default as of the 2023 framework revision.

Does the Cyber Security Act 2024 affect my business?
The Cyber Security Act 2024 introduced mandatory ransomware payment reporting for businesses with annual turnover above AUD 3M. If your organisation pays a ransom following a cyber attack, you must report to the Department of Home Affairs within 72 hours — regardless of whether the payment was successful in recovering data. The Act also establishes minimum cybersecurity standards for smart devices sold in Australia and creates a Cyber Incident Review Board (CIRB) empowered to compel cooperation in post-incident investigations.

How does APRA CPS 234 interact with the Essential Eight?
CPS 234 applies specifically to APRA-regulated entities (banks, insurers, superannuation funds, and their service providers handling material data). It requires a defined information security capability, documented policy framework, classification of data and systems, and testing of controls commensurate with risk. CPS 234 does not prescribe the Essential Eight directly, but APRA's guidance letters explicitly reference it as an appropriate baseline. In practice, an entity meeting Essential Eight ML2 will satisfy the majority of CPS 234 technical requirements.

We use US-based cloud services (AWS, Microsoft 365, Salesforce). Does this create a Privacy Act issue?
Yes — this is one of the most overlooked compliance issues for Australian businesses. APP 8 (Cross-Border Disclosure) requires that before transferring personal information overseas, the disclosing organisation must take reasonable steps to ensure the recipient entity does not breach the APPs. In practice, this means reviewing the vendor's Data Processing Agreement (DPA), confirming subprocessor lists, verifying data residency options, and obtaining contractual commitments equivalent to Australian privacy standards. Relying solely on a vendor's Privacy Shield certification (now invalid) or generic ToS is insufficient. The OAIC can hold the Australian entity accountable for APP breaches by overseas recipients.

What is IRAP assessment and does PostureCheck replace it?
IRAP (Information Security Registered Assessors Program) is an ACSC program that qualifies individuals to assess the security posture of systems against the ISM and Essential Eight. An IRAP assessment is typically required for government contracts and cloud services handling government data (e.g., PROTECTED classification). PostureCheck is a self-assessment tool — it does not replace a formal IRAP assessment, but it can serve as effective preparation: organisations that use PostureCheck to close gaps before engaging an IRAP assessor typically reduce assessment time and cost significantly.

Is the audit confidential? Who sees my answers?
Your audit responses are processed entirely within your browser session. PostureCheck does not transmit your individual answers to any server. Only your overall score and email address (for report delivery) are stored — encrypted, in compliance with APP 11. Your answers are never shared with third parties, regulators, or used for any purpose other than generating your report. You can verify this by inspecting the page source.

How often should we re-run the audit?
ACSC recommends reviewing your security posture after any significant change: new systems deployed, staff changes affecting access, cloud migration, a security incident, or changes in legislation. At minimum, an annual reassessment is considered best practice. PostureCheck includes free reassessment access after 6 months so you can measure the impact of your improvements against a fixed baseline.
Data handling: Your answers stay in your browser
Assessment responses are processed locally. PostureCheck never transmits your individual answers to any server — only your score and email address are stored, encrypted, under APP 11.

Framework accuracy: Referenced, not invented
Every question maps to a named framework control or legislative obligation — Essential Eight, Privacy Act APPs, NDB Scheme, or Cyber Security Act 2024. Nothing vague.

No lock-in: Baseline today, advisory when you're ready
The report stands alone as a useful deliverable. When you need human support to implement, PostureCheck gives you the briefing material your advisor needs to start faster.

Know exactly where your business stands — in 12 minutes.

The assessment is free to start. The full executive report, remediation roadmap and policy templates unlock for AUD 99 — one-time, no subscription.

AUD 99 — one-time report