Cyber Security Audit · Australia
Know exactly where you stand.
An independent cyber security audit for Australian businesses. We assess your posture against the framework that matters — Essential Eight, ISO 27001, NIST CSF, or SMB1001 — then hand you a board-ready report and a prioritised remediation roadmap your team can action.
- Independent — not a vendor sales tool
- Fixed-price, agreed upfront
- Board-ready report + roadmap
- Insurance & tender evidence pack
Request an audit
Tell us a little about your business. We'll reply within one Australian business day to scope it with you.

Why IronSights
Independent, and Australian.
IronSights is an Australian cyber security firm. Your audit is independent — we're not selling you a product it conveniently recommends — and it's run by the Sydney team that secures Australian organisations every day.
- Essential Eight specialists
- Independent, vendor-neutral
- Fixed-price engagements
- ISO 27001 certified practice
- Board-ready + technical reporting
- Australian assessors
What we assess against
The framework that matters to you.
Not sure which one? We'll help you choose based on what's driving the audit — your insurer, a tender, certification, or your board.
Essential Eight
Australia's baseline. Maturity across all eight ACSC controls, with a level rating and an uplift roadmap.
ISO 27001
An ISO/IEC 27001:2022 baseline — for certification prep or answering client security questionnaires.
NIST CSF
Identify, Protect, Detect, Respond, Recover. Recognised globally and by US-linked organisations.
SMB1001
Purpose-built for Australian small business, across four certification tiers. We assess and support certification.
What you walk away with
A clear answer, and a plan to act on it.
Current-state assessment
A structured review against your chosen framework — no assumptions, no guesswork.
Gap analysis
Every gap rated by risk, so you know which controls to fix first and why.
Remediation roadmap
Prioritised actions sequenced by risk, effort, and business impact.
Executive summary
A board-ready narrative explaining your posture, exposure, and next steps.
Technical guidance
Detailed remediation steps your IT team or MSP can action directly.
Compliance mapping
Findings mapped to your framework's control set for direct compliance reporting.
Insurance evidence pack
Documentation structured for cyber insurance application requirements.
Follow-up validation
Optional re-assessment to confirm remediation and improved maturity.
When an audit makes sense
Usually one of these is the trigger.
- A cyber insurance application or renewal
- A government contract or Defence tender
- Board accountability and director liability
- An enterprise client security questionnaire
- Confirming root cause after an incident
- A baseline before investing in uplift
Common questions
The questions buyers ask first.
- Which framework should we choose? We'll help you pick based on what's driving the audit. Essential Eight is the common Australian baseline; ISO 27001 and NIST CSF suit larger or globally linked organisations; SMB1001 fits small business.
- How long does an audit take? Typically 2–3 weeks for a single-framework assessment, scoped upfront at a fixed price with no scope creep.
- Is this the same as a penetration test? No. An audit assesses your controls and posture against a framework; a penetration test actively tries to break in. They answer different questions — we offer both.
- Can you help us after the audit? Yes. The roadmap is yours to action with any provider, or we can deliver the uplift through Fortify, our managed security service.
Get started
Replace the guess with an answer.
A fixed-price, independent audit against the framework that matters — with a board-ready report and a plan your team can action. We reply within one Australian business day.
- Independent and vendor-neutral
- Fixed price, no surprise scope
- Board-ready findings in 2–3 weeks