PostureCheck Australia Sample Report · Confidential
Cyber & Privacy Readiness Report

Where your business
stands today

A board-ready self-assessment mapped to the ASD Essential Eight, Privacy Act 1988, and the Notifiable Data Breaches Scheme.

Client
Sample Company Pty Ltd
Industry
Healthcare Services
Employees
24
Report date
10 June 2026
Inside this report
1. Executive summary
2. Score by area
3. Top risks
4. Priority recommendations
5. 30/60/90 day roadmap
6. Legal & framework mapping
7. Included templates
8. More templates
62% readiness
Overall posture: Developing
4 critical domains
7 priority actions
Domain readiness
Application Control: 45%
Incident Response: 52%
Patch Management: 58%
Backup & Recovery: 61%
Data Management: 63%
Privacy Compliance: 74%
Access & Identity: 50%
Individual Rights: 78%
Biggest exposure
Application Control
45% — critical band
Fastest win
MFA on all services
Cuts account-takeover risk
90-day target
85% readiness
+23 points if actioned
ASD Essential Eight · Privacy Act 1988 · NDB Scheme · Cyber Security Act 2024
This is a sample preview of the "Full Report + Templates" package (AUD 99). Results are based on self-reported answers and do not constitute legal advice, formal certification, IRAP assessment, penetration testing, or an external audit.
PostureCheck Australia · Cyber & Privacy Readiness Report — Sample
1. Executive summary

What the numbers mean for the business, and the single decision to make.

Sample Company Pty Ltd shows a developing cyber and privacy readiness posture at 62%, with four critical weaknesses that should be closed within the next 30 to 90 days.

The strongest areas are individual rights handling and privacy notice coverage. The most material weaknesses relate to application control, privileged access governance, backup restoration testing, and incident response readiness. Together these gaps increase exposure to ransomware, account compromise, business interruption, and regulatory scrutiny under the Privacy Act 1988.

Overall readiness score: 62%
Critical-risk domains: 4
High-priority actions: 7
Action roadmap: 90 days
Recommended business decision: approve a 90-day remediation program prioritising MFA coverage, backup recovery testing, incident response readiness, application control, and vendor data controls.
2. Score by area

Eight domains, weighted into the overall score. Scores below 55% fall in the critical band; the four weaknesses the executive summary treats as critical are application control, access and privileges, backup restoration testing, and incident response.

Domain | Score | Status | Business meaning
Application Control & Hardening | 45% | Critical | Unapproved software and scripts may execute, increasing malware and ransomware exposure.
Patch Management | 58% | High | Patch timelines are inconsistent, especially for third-party applications and internet-facing systems.
Access Control & Privileges | 50% | Critical | Privileged accounts and MFA controls need stronger enforcement to reduce account takeover risk.
Backup, Recovery & Resilience | 61% | High | Backups exist, but restoration evidence and recovery objectives are not mature enough.
Privacy Governance | 74% | Moderate | Privacy policy is present, but data inventory and collection notice controls need improvement.
Data Use, Disclosure & Retention | 63% | High | Retention, overseas disclosure, and vendor controls require better documentation.
Individual Rights | 78% | Developing | Access and correction processes exist, but evidence and ownership should be formalised.
Incident Response & Breach | 52% | Critical | The organisation may not be able to assess, contain, notify, and document a breach under pressure.
6 more domain insights unlocked in the complete report
PostureCheck · Full Report + Templates — Sample · Page 2
3. Top risks

Ranked by business impact. Critical items first.

Critical: No formal application allowlisting across workstations and servers.
  Impact: Malware, unapproved scripts, and ransomware can execute with limited prevention.
  Action: Implement Microsoft Defender Application Control, AppLocker, or equivalent for high-risk endpoints first; run it in audit mode and review the blocked-execution log before switching to enforcement.
Critical: MFA is not enforced consistently across all internet-facing services.
  Impact: Stolen credentials can lead to email compromise, data theft, and fraudulent payment instructions.
  Action: Require MFA for Microsoft 365, VPN, remote access, admin portals, and privileged actions within 30 days.
High: Backup restoration is not tested quarterly with documented RTO/RPO metrics.
  Impact: Backups may fail during ransomware recovery, extending downtime and financial loss.
  Action: Run a partial restore test, record recovery time, document evidence, and schedule quarterly testing.
High: No board-approved data breach response plan aligned with the NDB Scheme.
  Impact: The organisation may miss assessment, notification, and customer communication obligations after a breach.
  Action: Adopt the Data Breach Response Plan (Template C) and run a tabletop exercise within 60 days.
High: Vendor data processing agreements are incomplete or not centrally tracked.
  Impact: Third-party handling of personal information may create APP 8 (cross-border disclosure) and APP 11 (security) exposure.
  Action: Create a vendor register and require DPAs for providers with access to personal information.
4 more risk findings + remediation detail unlocked in the complete report
4. Priority recommendations

Turning the score into owned, sequenced action.

Fix first · Identity & access

Credential compromise is the fastest path from email to full business compromise.

  • Enforce MFA on all internet-facing systems.
  • Separate admin accounts from daily-use accounts.
  • Review privileged access monthly.
  • Disable accounts within 24h of termination.
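
As an added example (not part of the PostureCheck report or its templates), the monthly review behind the four actions above can be scripted over an exported account list, so the review log kept as evidence is produced rather than hand-written. The Account fields, the 90-day dormancy threshold, the set of methods counted as phishing-resistant, the placeholder domain and the sample rows are all constructed assumptions; map them to whatever export your identity provider actually produces.

```python
"""Monthly identity and privileged-access review over an exported account list.

Constructed example: the Account fields, thresholds and sample rows below are
assumptions, not an export format from any real identity provider.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)             # assumed policy: no sign-in for 90 days
DISABLE_WITHIN = timedelta(hours=24)           # policy: disable leavers within 24h
PHISHING_RESISTANT = {"fido2", "certificate"}  # assumed set of methods counted as phishing-resistant
SEVERITY_ORDER = ("critical", "high", "medium")


@dataclass(frozen=True)
class Account:
    upn: str
    enabled: bool
    privileged: bool               # holds an admin role anywhere
    mfa: str                       # "none", "sms", "push", "fido2", ...
    last_sign_in: datetime | None
    terminated: datetime | None    # HR termination timestamp, if any
    has_mailbox: bool


def review_accounts(accounts: list[Account], as_of: datetime) -> list[tuple[str, str, str]]:
    """Return (upn, severity, finding) for each control gap, most severe first."""
    findings: list[tuple[str, str, str]] = []
    for acct in accounts:
        # The leaver check applies even to accounts that are otherwise compliant.
        if acct.terminated and acct.enabled and as_of - acct.terminated > DISABLE_WITHIN:
            findings.append((acct.upn, "critical", "leaver still enabled more than 24h after termination"))
        if not acct.enabled:
            continue  # disabled accounts need no further checks
        if acct.mfa == "none":
            findings.append((acct.upn, "critical", "no MFA registered"))
        elif acct.privileged and acct.mfa not in PHISHING_RESISTANT:
            findings.append((acct.upn, "high", f"privileged account relies on non-phishing-resistant MFA ({acct.mfa})"))
        if acct.privileged and acct.has_mailbox:
            findings.append((acct.upn, "high", "privileged account has a mailbox; separate it from the daily-use identity"))
        if acct.last_sign_in is None or as_of - acct.last_sign_in > DORMANT_AFTER:
            findings.append((acct.upn, "medium", "dormant: no sign-in in the last 90 days"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[1]))


def summarise(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per severity, for the review log kept as evidence."""
    counts: dict[str, int] = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


AS_OF = datetime(2026, 6, 10, tzinfo=timezone.utc)   # the sample report date

SAMPLE_EXPORT = [   # constructed rows; example.com.au is a placeholder domain
    Account("jane@example.com.au", True, False, "push", AS_OF - timedelta(days=1), None, True),
    Account("adm-jane@example.com.au", True, True, "fido2", AS_OF - timedelta(days=2), None, False),
    Account("adm-bob@example.com.au", True, True, "sms", AS_OF - timedelta(days=3), None, True),
    Account("temp@example.com.au", True, False, "none", AS_OF - timedelta(days=120), None, True),
    Account("leaver@example.com.au", True, False, "push", AS_OF - timedelta(days=10), AS_OF - timedelta(days=5), True),
    Account("svc-backup@example.com.au", False, True, "none", None, None, False),
]

if __name__ == "__main__":
    results = review_accounts(SAMPLE_EXPORT, AS_OF)
    for upn, severity, finding in results:
        print(f"{severity:8} {upn:28} {finding}")
    print(summarise(results))
```

Run monthly against a fresh export, and file the printed findings and the per-severity counts with the date and reviewer name; that record is the "account review log" the roadmap asks you to keep. Separating admin from daily-use accounts shows up here as the mailbox check: an admin identity that can receive mail is the one phishing reaches first.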

Fix first · Backup recovery

Backups only reduce risk if the organisation can prove that restoration works under realistic conditions.

  • Test a restore from backup this month.
  • Document RTO and RPO targets.
  • Use immutable or offline backup storage.
  • Restrict backup admin credentials.
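
As an added example (not from the report), the restore test in the first bullet can be made to produce the evidence the board or insurer will ask for: restore the archive to a scratch directory, verify every file against a SHA-256 manifest captured at backup time, time the restore against the RTO target, and compare the age of the data against the RPO. The tar.gz format, the manifest layout, the 60-second RTO and one-day RPO, and the sample files are constructed assumptions for illustration; the immutability and credential controls in the other bullets are not exercised here.

```python
"""Restore test that produces its own evidence record.

Constructed example: restores a backup archive into a scratch directory,
checks every file against the SHA-256 manifest captured at backup time, times
the restore against the RTO target, and compares data age against the RPO.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under `source`; return and save the {path: sha256} manifest.

    The manifest is written beside the archive at backup time so a later
    restore can be checked against what was actually captured.
    """
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(archive: Path, manifest: dict[str, str], restore_to: Path,
                 backup_taken_at: datetime, rto_seconds: float, rpo_seconds: float) -> dict:
    """Restore, verify, time, and return the evidence record to keep."""
    tested_at = datetime.now(timezone.utc)
    clock = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_to, filter="data")  # Python 3.12+: refuses path traversal, device nodes, etc.
        except TypeError:
            tar.extractall(restore_to)                 # older interpreters lack the filter argument
    restore_seconds = time.monotonic() - clock
    mismatched = [rel for rel, expected in manifest.items()
                  if not (restore_to / rel).is_file() or sha256_file(restore_to / rel) != expected]
    data_age = (tested_at - backup_taken_at).total_seconds()
    return {
        "tested_at": tested_at.isoformat(),
        "archive": archive.name,
        "files_checked": len(manifest),
        "files_mismatched": mismatched,
        "verified": not mismatched,
        "restore_seconds": round(restore_seconds, 3),
        "rto_seconds": rto_seconds,
        "rto_met": restore_seconds <= rto_seconds,
        "data_age_seconds": round(data_age, 1),
        "rpo_seconds": rpo_seconds,
        "rpo_met": data_age <= rpo_seconds,
    }


def run_demo() -> tuple[dict, dict]:
    """Constructed data: one clean restore and one where a file no longer matches the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "appointments.csv").write_text("id,date\n1,2026-06-09\n")   # constructed
        (src / "config.ini").write_text("[app]\nversion=1\n")                          # constructed
        archive = root / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        taken_at = datetime.now(timezone.utc)
        # Assumed targets: restore within 60 s, data no older than one day.
        clean = restore_test(archive, manifest, root / "restore-clean", taken_at, 60, 86400)
        corrupted = dict(manifest, **{"config.ini": "0" * 64})   # simulate silent corruption of one file
        tampered = restore_test(archive, corrupted, root / "restore-tampered", taken_at, 60, 86400)
    return clean, tampered


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record, indent=2))
```

Keep the JSON record with the date and the person who ran the test; a restore that "worked" but has files_mismatched populated is the failure this test exists to catch, and the tampered run shows what that looks like. The manifest should be stored with the backup on the immutable or offline copy, not only on the production host, or an attacker who can alter the backup can alter the manifest too.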

Fix next · Privacy evidence

Privacy maturity depends on evidence. The business should be able to show what it collects, where, and who receives it.

  • Create a data inventory.
  • Map overseas vendors.
  • Define retention periods.
  • Update collection notices.

Fix next · Incident readiness

An incident plan reduces confusion when time pressure is highest and evidences reasonable preparation.

  • Assign incident roles.
  • Document OAIC notification steps.
  • Create customer communication drafts.
  • Run a tabletop exercise.
Full priority plan unlocked with the paid report
5. 30 / 60 / 90 day roadmap

Sequenced actions with owners and the evidence to keep for your board or insurer.

Days 1–30: Close the most exposed attack paths.
  Actions: Enforce MFA; remove dormant accounts; identify end-of-life systems; test one backup restore; block Office macros in files from the internet.
  Owner: IT Manager / MSP
  Evidence to keep: MFA policy, account review log, backup restore record, patch inventory.
Days 31–60: Build operational proof and privacy evidence.
  Actions: Create data inventory; update Privacy Policy and collection notices; document vendor list; adopt incident response plan.
  Owner: Operations / Privacy Lead
  Evidence to keep: Data inventory, policy version history, vendor register, approved incident plan.
Days 61–90: Validate resilience; prepare for scrutiny.
  Actions: Run incident tabletop; complete vendor DPA review; implement allowlisting pilot; document quarterly review process.
  Owner: Leadership / IT / Legal
  Evidence to keep: Tabletop minutes, signed DPAs, pilot report, review calendar.
Days 31–90 execution plan and evidence checklist unlocked in the complete report
6. Legal & framework mapping

Why each area matters, and the obligation it supports — to justify the program internally.

Area | Relevant framework | Why it matters
Application control, macros, hardening | ASD Essential Eight Strategies 1, 3, 4 | Prevents unapproved software, malicious documents, and drive-by compromise.
Patch management | ASD Essential Eight Strategies 2, 6 | Reduces exploitation of known vulnerabilities in apps and operating systems.
Access and MFA | ASD Essential Eight Strategies 5, 7; APP 11 | Supports reasonable steps to protect systems and personal information.
Backup and recovery | ASD Essential Eight Strategy 8; APP 11 | Reduces ransomware impact and supports business continuity.
Privacy governance | Privacy Act 1988 APPs 1–5 | Requires open and transparent management of personal information, collection notices, and lawful collection.
Data use, overseas disclosure, vendors | Privacy Act 1988 APPs 6–11 | Controls use, disclosure, retention, security, and overseas transfer of personal information.
Access and correction rights | Privacy Act 1988 APPs 12–13 | Requires processes for individual access to and correction of their personal information.
Breach response | NDB Scheme; Cyber Security Act 2024; SOCI Act 2018 (only where the business operates a critical infrastructure asset) | Defines assessment, notification, reporting (including ransomware payment reporting where the Cyber Security Act thresholds apply), and incident-record expectations.
Complete legal mapping across all report findings unlocked after purchase
7. Included templates

Editable policies you can adapt to your business — the practical takeaway.

Template A — Password & MFA Policy
Owner: IT Manager / MSP · Review cycle: Every 12 months or after a material incident · Applies to: All employees, contractors, admins, and service accounts
Policy statement

All users must use unique credentials and approved MFA for business systems. Privileged accounts must use phishing-resistant MFA where available and must not be used for email, browsing, or routine business activity.

Minimum controls
  • MFA required for email, VPN, remote access, cloud administration, and finance systems.
  • Shared accounts prohibited unless technically unavoidable and approved.
  • Password manager recommended for all staff.
  • Admin access reviewed monthly.
Full template text and editable policy controls unlocked in the complete report
Template B — Backup & Recovery Policy
Owner: IT Manager / Operations · Review cycle: Quarterly · Applies to: Business-critical data, systems, databases, and cloud repositories
Policy statement

Business-critical data must be backed up at least daily and stored in a format that cannot be modified or deleted using ordinary production credentials.

Minimum controls
  • Daily backups for critical systems.
  • Immutable or offline backup storage.
  • Quarterly restoration tests with documented results.
  • Defined RTO and RPO for each critical system.
Template C — Data Breach Response Plan
Owner: Managing Director / Privacy Lead · Review cycle: Every 12 months and after incidents · Applies to: All suspected cyber, privacy, and data security incidents
Incident steps
  1. Identify and contain the incident.
  2. Preserve evidence and start the incident register entry.
  3. Assess whether personal information was accessed, disclosed, or lost.
  4. Assess serious harm and NDB notification obligations (the NDB Scheme expects the assessment to be completed within 30 days of becoming aware of a suspected eligible breach).
  5. Notify the OAIC and affected individuals as soon as practicable where required.
  6. Complete post-incident review and remediation.
8. More templates

Privacy notice, retention schedule, and vendor checklist.

Template D — Privacy Notice

Purpose: give individuals a clear notice at or before collection of personal information (APP 5).

Sample clause

We collect your personal information to provide services, manage appointments, communicate with you, process payments, and meet legal obligations. If you do not provide required information, we may be unable to deliver the requested service.

Must include
  • Who is collecting the information and how to contact them.
  • Purpose of collection and whether it is required by law or voluntary.
  • Likely disclosures, including overseas recipients if applicable.
  • How to access the Privacy Policy, request access/correction, and complain.
Complete template library included with Full Report + Templates
Template E — Data Retention Schedule
Data category | Retention period | Disposal method | Owner
Customer records | Per legal/business need (e.g. 7 yrs post-relationship) | Secure deletion or de-identification | Operations
Financial records | Align to ATO/tax obligations | Secure archive, then deletion | Finance
Employee records | Align to employment record obligations | Secure deletion after retention ends | HR
Marketing leads | Until consent withdrawn or no longer needed | CRM deletion or suppression list | Marketing
Template F — Vendor Security Checklist
  • Does the vendor access personal information?
  • Where is data hosted and processed (onshore/offshore)?
  • Is there a written DPA or equivalent contract?
  • Does the vendor notify incidents within 24–72 hours?
  • Is data encrypted in transit and at rest?
  • Can data be returned or deleted at termination?
  • Are subprocessors disclosed and controlled?
9. Next step

Next step: use the complete report to confirm priorities, assign owners, and begin the first 30 days of remediation.
Final next-step guidance included in the complete report
PostureCheck is an educational readiness tool — not legal advice, an audit, IRAP, ISO, or penetration testing. Page 6