PSPF

Protective Security Policy Framework compliance

Technology domain assessments, PSPF reporting support, and governance advisory for Commonwealth entities and organisations delivering services to government.

AGSVA Cleared Team
Canberra-Based
Commonwealth-Experienced

PSPF Maturity

[Illustrative maturity assessment dashboard: Governance: Managed; Information Security: Managed; Personnel Security: Ad Hoc; Physical Security: Developing; 4 Core Policies: Aligned; Annual Report: Ready for submission]

The challenge

Why PSPF compliance matters

Reporting obligations

PSPF reporting requirements are demanding. Preparing your annual security report and demonstrating maturity improvement across all domains requires structured effort.

Multiple security domains

The PSPF spans governance, information security, personnel security, and physical security. Understanding what's required across each — and your maturity level — is complex.

Maturity improvement pressure

You're expected to demonstrate year-on-year improvement in your PSPF maturity. Without a structured plan, it's difficult to show measurable progress.

What you get

What's included in PSPF Compliance support

PSPF maturity assessment

Assessment of your current maturity against PSPF core and supporting requirements across all applicable domains.

Technology domain assessment

Focused assessment of your information security posture against PSPF technology requirements.

Annual reporting support

Preparation of your annual PSPF security report with clear maturity ratings and improvement plans.

Gap analysis and improvement plan

Identification of maturity gaps with a prioritised roadmap for year-on-year improvement.

Policy and governance advisory

Support for developing and maintaining security policies that align with PSPF requirements.

Right for you

Who should consider PSPF compliance support

Commonwealth entities

You have direct PSPF reporting obligations and need structured support to assess, improve, and report on your security maturity.

Government service providers

Your Commonwealth clients expect PSPF-aligned security practices. We help you demonstrate alignment and meet contractual security requirements.

Organisations with ISM obligations

PSPF and ISM work together. If you're already managing ISM compliance, we help you extend that effort to cover PSPF governance and reporting.

Proof

Real engagements, real outcomes

Anonymised

Federal department

ML2 across a complex, multi-system estate.

Led the department's Essential Eight maturity review using ACSC verification methodology, then ran continuous-assurance activities through annual PSPF reporting and ASD cyber survey submissions — keeping E8 posture live between formal reviews.

Anonymised

Federal agency

Board-ready cyber governance, stood up from scratch.

Delivered executive and board-ready cyber governance papers, stood up a Foreign Ownership Control and Influence process, and supported system accreditation activities across a shared-services environment — so the agency walked into its next review with defensible answers.

Anonymised

Federal agency

3 Security Risk Assessments cleared in one review window.

Scoped, assessed, and reported on three high-priority SRAs in a single calendar year — an enterprise integration platform, a supplier-security uplift, and a public-facing online services portal with paired penetration testing — all delivered inside the agency's assessment window.

Common questions

Frequently asked questions

What's the difference between PSPF and ISM?

The PSPF is the overarching protective security framework for Commonwealth entities, covering governance, personnel, physical, and information security. The ISM provides the detailed technical controls for information security. They work together — PSPF sets the policy, ISM provides the implementation detail.

Do we need to comply with all PSPF requirements?

It depends on your entity type and risk profile. Commonwealth entities have direct obligations. Service providers may need to demonstrate alignment with specific domains depending on their contracts. We help you determine exactly what applies.

Can you help with our annual PSPF report?

Yes. We support the full annual reporting process — from maturity assessment through to report preparation. We help you present an accurate picture of your posture and a credible improvement plan.

How long does PSPF work typically take?

For an annual PSPF report we typically need 4-8 weeks of preparation. A full PSPF maturity uplift runs longer and is scoped alongside your existing cyber program to avoid duplicate effort.

How do we budget for this?

PSPF work is scoped and priced per entity. We'll give you a firm range after an initial conversation so the investment is predictable and aligned to your reporting cycle.

How is this different from our internal team's approach?

Internal teams often know their environment but not the specific evidence formats PSPF reviewers look for. We've written and reviewed PSPF board papers for federal agencies — we know what lands and what gets rejected.

Get started

Need support with PSPF compliance?

Talk to our team about your PSPF maturity and reporting obligations.
