Annual security review
A structured, independent review of your security program that keeps your defences current and your compliance evidence fresh.
The compliance challenges keeping you up at night
Compliance evidence going stale
You've achieved a maturity level or certification, but your documentation hasn't been validated in months. You're unsure what's still current and what needs updating.
Security posture drift
Changes to your environment, processes, or team knowledge have gone unreviewed. You don't know if your security controls are still effective or if new vulnerabilities have emerged.
Audit readiness gaps
An auditor or DISP assessment is months away, but you're not sure whether your controls will pass scrutiny. You lack an independent perspective on what's missing.
Lack of independent perspective
Your internal team knows the system but might miss gaps. You need external validation that your controls are truly effective and that you're not missing emerging threats.
What's included in the Annual Security Review
Comprehensive policy review
Assessment of your security policies, procedures, and controls documentation against current frameworks and best practice.
Control effectiveness assessment
Independent verification that your security controls are operating as intended and achieving their stated objectives.
Compliance gap analysis
Identification of gaps against your applicable frameworks (Essential Eight, DISP, ISM, PSPF) and assessment of remediation priorities.
Executive summary report
Clear, board-ready summary of findings, compliance status, and strategic recommendations for board and executive stakeholders.
Remediation roadmap
Prioritised action plan with effort estimates and timelines for addressing identified gaps and maintaining compliance momentum.
Audit evidence package
Documented evidence supporting control effectiveness suitable for audits, assessments, and compliance reporting activities.
Who this service is for
DISP-Registered Organisations
You're in the DISP program and need to demonstrate ongoing compliance with Essential Eight and ISM requirements year after year.
Organisations Under Audit
You have an upcoming audit, assessment, or contract review and need independent validation that your controls are audit-ready.
Frequently asked questions
How often should we do an annual review?
The name is aspirational, but your review cycle depends on your environment and obligations. DISP-registered organisations typically benefit from annual reviews to prepare for annual CSQ submissions. Organisations in fast-changing environments or with critical control gaps may want reviews every 6 months. We recommend discussing cadence based on your specific situation.
How long does the review take?
A typical review takes 2-4 weeks from kick-off to final report, depending on environment complexity and how readily your team can provide documentation. We'll confirm the timeline during the scoping phase. The assessment itself is usually completed in 1-2 weeks; reporting and recommendations take an additional 1-2 weeks.
What's the difference between an annual review and an audit?
An annual review is a health check conducted by a trusted adviser — focused on identifying where you stand and what needs attention before an audit happens. An audit is a formal, independent assessment usually required for certification or compliance registration. A review helps you prepare for an audit; an audit is the formal assessment itself. Think of a review as a practice run.
Can you help us act on the recommendations?
Yes. We can support implementation of remediation activities through our Uplift service, or provide ongoing advisory through our vCISO offering. Many organisations book a review annually and work with us throughout the year on remediation — it's a natural complement to ongoing assurance.
What if we're not ready for a full review yet?
Start with our free health check. We'll give you an indicative view of your security posture and readiness, and recommendations on whether a full assessment or review makes sense right now. If you're early in your compliance journey, you might benefit from our Essential Eight Assessment first.