Security assurance · Audit
Know exactly where you stand.
Independent security assessments for Australian businesses. Essential Eight maturity, ISO 27001 baseline, NIST CSF, and SMB1001 certification support.
We assess your posture against the frameworks that matter, then give you a board-ready report and a prioritised remediation roadmap your team can action.
Four frameworks. One team.
Assessed against the standard you need.
We don't push one framework over another. We recommend the right one for your business context.
We can assess against multiple frameworks simultaneously where your obligations require it.
Essential Eight
Australia's baseline cyber security standard. We assess your maturity across all eight mitigation strategies and give you a clear Maturity Level rating (Level 0 to 3) and an uplift roadmap.
ISO 27001
Structured baseline against ISO/IEC 27001:2022 controls. For organisations preparing for certification or responding to client security questionnaires.
NIST CSF
Maps your posture across the CSF core functions: Govern (added in CSF 2.0), Identify, Protect, Detect, Respond, Recover. Recognised globally and expected by US-linked organisations.
SMB1001
Purpose-built for Australian small businesses. Four certification tiers. We assess your current tier and support you through certification.
Scope
What's included in every audit.
Eight deliverables across every framework assessment: the first seven are included as standard, and follow-up validation is available as an optional add-on. Fixed price, no surprise scope.
Current-state assessment
A structured review of your environment against your chosen framework. No assumptions, no guesswork.
Gap analysis
Every gap rated by risk. You know which controls to fix first and why — not just a list of what's missing.
Remediation roadmap
Prioritised actions your team can follow. Sequenced by risk, effort, and business impact.
Executive summary
Board-ready narrative explaining your posture, your exposure, and what you need to do next.
Technical guidance
Detailed remediation steps for your IT team or managed service provider.
Compliance mapping
Findings mapped to your chosen framework's control set for direct compliance reporting.
Insurance evidence pack
Documentation structured to meet the evidence requirements of cyber insurance applications.
Follow-up validation
Optional re-assessment engagement to validate remediation and confirm improved maturity level.
A report your board can use
We produce two parallel documents from every audit: a board-ready executive narrative and a technical remediation guide for your IT team. No jargon for executives, no hand-waving for engineers. Both delivered within ten business days.
- Plain-English executive narrative
- Technical remediation per control
- Risk rating and priority sequencing
- Suitable for board packs and insurer submissions
Why organisations get audited
- Cyber insurance application or renewal
- Government contract or Defence tender requirement
- Board accountability and director liability
- Enterprise client security questionnaire
- Post-incident root cause confirmation
- Establishing a baseline before investing in uplift
What good looks like
Honest baseline, clear path forward.
An audit is only useful if you can act on the findings.
Every IronSights audit delivers four things that most assessment reports don't: independence, prioritisation, stakeholder-ready evidence, and documentation you own.
Your real posture
Not a vendor's sales tool or a checklist you filled in yourself. An independent assessment of where your controls actually sit, scored against the standard you nominated.
Prioritised roadmap
The most common audit failure is a report that lists everything wrong with no guidance on sequencing. Our roadmaps tell you what to fix first, with an effort estimate for each action.
Evidence for stakeholders
Board, insurer, government client, or enterprise partner — the report is structured to answer the questions each audience asks, without producing four separate documents.
Reusable documentation
Every audit deliverable is yours. The gap analysis, framework mapping, and remediation roadmap can be used for insurance, procurement responses, and ongoing governance without paying for it again.
Common questions
Asked by buyers like you.
Not in this list? Email hello@ironsights.com.au or book a 30-minute consultation. No obligation.
Which framework should we choose?
It depends on your business context. If you're seeking cyber insurance or operate in government supply chains, Essential Eight is the right starting point. If your clients are enterprise or international, ISO 27001 or NIST CSF carries more weight. SMB1001 is ideal for smaller businesses wanting formal certification. We recommend the right framework at scoping — at no charge.
How long does an audit take?
Most single-framework assessments are completed within two to three weeks from engagement. Larger environments or multi-framework assessments take longer. We provide a clear timeline at scoping.
Is this the same as a penetration test?
No. An audit is a controls-based assessment: we review your policies, configurations, and processes against a framework to confirm that each control exists and is configured as intended. A penetration test actively attempts to exploit vulnerabilities to show whether those controls actually stop an attacker. Many organisations benefit from both. We offer them as separate engagements or as a combined programme.
How do we prepare for an audit?
Minimal preparation is required. We'll ask for access to your Microsoft 365 tenant (a read-only role is sufficient for the configuration review), any existing policies or procedures, and an hour with your IT lead. We gather most of what we need ourselves.
Can you help us after the audit?
Yes. Many audit clients proceed to Fortify managed security or targeted remediation work following their initial assessment. The audit findings become the foundation for a structured uplift programme.
First step
Start with the right framework.
Tell us about your business context. We'll recommend the right framework, scope the engagement, and deliver a fixed-price proposal within a week.