ANNUAL REVIEW

Annual security review

A structured, independent review of your security program that keeps your defences current and your compliance evidence fresh.

Annual cycle · Independent assessment · Audit-ready evidence

Review timeline: Q1 control assessment; Q2 compliance validation; Q3-Q4 executive summary report. Key metric: 8 control domains reviewed.
Sound familiar?

The compliance challenges keeping you up at night

Compliance evidence going stale

You've achieved a maturity level or certification, but your documentation hasn't been validated in months. You're unsure what's still current and what needs updating.

Security posture drift

Changes to your environment, processes, or team knowledge have gone unreviewed. You don't know if your security controls are still effective or if new vulnerabilities have emerged.

Audit readiness gaps

An audit or DISP assessment is months away, but you're not sure whether your controls will pass scrutiny. You lack an independent perspective on what's missing.

Lack of independent perspective

Your internal team knows the system but might miss gaps. You need external validation that your controls are truly effective and that you're not missing emerging threats.

What you get

What's included in the Annual Security Review

Comprehensive policy review

Assessment of your security policies, procedures, and controls documentation against current frameworks and best practice.

Control effectiveness assessment

Independent verification that your security controls are operating as intended and achieving their stated objectives.

Compliance gap analysis

Identification of gaps against your applicable frameworks (Essential Eight, DISP, ISM, PSPF) and assessment of remediation priorities.

Executive summary report

Clear, board-ready summary of findings, compliance status, and strategic recommendations, written for board and executive stakeholders.

Remediation roadmap

Prioritised action plan with effort estimates and timelines for addressing identified gaps and maintaining compliance momentum.

Audit evidence package

Documented evidence supporting control effectiveness suitable for audits, assessments, and compliance reporting activities.

Is this right for you?

Who this service is for

DISP-Registered Organisations

You're in the DISP program and need to demonstrate ongoing compliance with Essential Eight and ISM requirements year after year.

Organisations Under Audit

You have an upcoming audit, assessment, or contract review and need independent validation that your controls are audit-ready.

Proof

Real engagements, real outcomes

Anonymised

Federal agency

E8 compliance that survived the project team leaving.

Evaluated a multi-year Essential Eight uplift program, stress-tested its sustainability, and delivered a transition-to-business-as-usual plan with defined ownership, cadence, and evidence requirements — so compliance held after the consultants left the building.

Anonymised

Federal department

ML2 across a complex, multi-system estate.

Led the department's Essential Eight maturity review using ACSC verification methodology, then ran continuous-assurance activities through annual PSPF reporting and ASD cyber survey submissions — keeping E8 posture live between formal reviews.

Anonymised

Federal agency

Board-ready cyber governance, stood up from scratch.

Delivered executive and board-ready cyber governance papers, stood up a Foreign Ownership, Control or Influence (FOCI) process, and supported system accreditation activities across a shared-services environment — so the agency walked into its next review with defensible answers.

Questions?

Frequently asked questions

How often should we do an annual review?

Despite the name, your review cycle depends on your environment and obligations. DISP-registered organisations typically benefit from annual reviews to prepare for annual CSQ submissions. Organisations in fast-changing environments or with critical control gaps may want reviews every 6 months. We recommend agreeing a cadence based on your specific situation.

How long does the review take?

A typical review takes 2-4 weeks from kick-off to final report, depending on environment complexity and how readily your team can provide documentation. The assessment itself is usually completed in 1-2 weeks; reporting and recommendations take a further 1-2 weeks. We confirm the timeline during scoping and schedule the review against your reporting cycle, so evidence lands when you need it for board or Defence submissions.

What's the difference between an annual review and an audit?

An annual review is a health check conducted by a trusted adviser — focused on identifying where you stand and what needs attention before an audit happens. An audit is a formal, independent assessment usually required for certification or compliance registration. A review helps you prepare for an audit; an audit is the formal assessment itself. Think of a review as a practice run.

Can you help us act on the recommendations?

Yes. We can support implementation of remediation activities through our Uplift service, or provide ongoing advisory through our vCISO offering. Many organisations book a review annually and work with us throughout the year on remediation — it's a natural complement to ongoing assurance.

What if we're not ready for a full review yet?

Start with our free health check. We'll give you an indicative view of your security posture and readiness, and recommendations on whether a full assessment or review makes sense right now. If you're early in your compliance journey, you might benefit from our Essential Eight Assessment first.

How do we budget for this?

Annual reviews are scoped by environment complexity. We'll provide a firm price after an initial conversation so you can plan the investment ahead of your review window.

How is this different from our MSP's monthly reporting?

MSP reports tell you about tool output. An annual review validates your controls against the frameworks you're accountable to (E8, PSPF, DISP) and delivers board-ready evidence — not a tool summary.

Ready to validate your security posture?

Let us conduct an independent review that keeps your controls current and your compliance evidence fresh.

Reviews typically take 2-4 weeks from kick-off to final report.