Blogs and Resources
Expert and objective analysis, insights on industry trends, and unbiased views from our proficient experts. Uncover thought-provoking content authored by our team of seasoned specialists dedicated to keeping you informed and empowered.
The IRAP Documents You Need: What to Prepare Before an Assessment
An IRAP assessment runs on the documents you bring to it. The assessor works from your System Security Plan annex, the control matrix where one already exists, and your logical system diagrams to identify which Information Security Manual controls apply, then tests the evidence behind each one. Thin documents make...
IRAP for Defence: Do You Need It for DISP and Defence Contracts?
IRAP is not a condition of DISP membership. To join the Defence supply chain the ICT baseline is the Essential Eight at Maturity Level 2 on your corporate systems. IRAP applies at the system level, when a specific cloud or SaaS system stores or processes classified Defence information against the...
How Long Does an IRAP Assessment Take?
How long does an IRAP assessment take? There is no fixed length set by ASD. A moderately complex system usually runs 12 to 16 weeks once the readiness work is done, and longer where the boundary is wide or the controls need remediation. Classification, scope, documentation maturity and the state...
vCISO Pricing Models: How Virtual CISO Services Are Priced
Virtual CISO services are usually priced as a fixed monthly retainer, set by the hours and seniority you need rather than an hourly rate. Cybernion's vCISO runs on a monthly retainer, commonly 8 to 16 hours a month by tier, billed monthly in advance and scoped to the organisation, not...
What Does a Virtual CISO Do? The Scope of the Role
A virtual CISO owns the direction and accountability of your security programme: strategy, the risk register, board reporting, vendor reviews and policy. It does not run the tools. Building, monitoring, patching and incident response execution sit with your team, an MSSP or a separate retainer. The vCISO makes the risk...
Virtual CISO for Startups and Scaleups: Do You Need One?
A virtual CISO gives a startup or scaleup senior security accountability without a full time hire. For most early companies the trigger is not the funding stage but the first enterprise or government deal that arrives with a security questionnaire. You buy the role part time, on a retainer, until...
vCISO vs an MSSP: What’s the Difference and Which Do You Need?
A vCISO and an MSSP solve different problems. A virtual CISO owns your security strategy, risk decisions and board reporting. A Managed Security Service Provider runs the tools, the monitoring and the alerts. One sets direction and carries accountability. The other operates controls. Most growing organisations end up needing both....
What Is a Virtual CISO? An Australian Guide
A virtual CISO is your Chief Information Security Officer engaged part time on a retainer, rather than hired full time. The person carries the same accountability for security strategy, risk decisions and board reporting as a permanent CISO. It is a leadership role, not a monitoring service and not a...
When Do You Need a Virtual CISO?
You need a virtual CISO when cyber security has to be owned at the management level and a full time CISO is not yet justified. The usual triggers are a customer or tender asking for ISO 27001, SOC 2 or IRAP, a board asking who owns cyber risk, or growth...
vCISO vs a Full Time CISO: Which Does Your Business Need?
A vCISO and a full time CISO are the same role at different capacity. A vCISO gives you senior accountability for strategy, risk and board reporting part time on a retainer, commonly 8 to 16 hours a month. A full time CISO makes sense once the security workload fills a...
SOC 2 Readiness Checklist for Australian Companies
A SOC 2 readiness checklist is the work you do before the audit: scope the Trust Services Criteria, stand up and run the controls, and gather the evidence a licensed CPA firm will sample. Security is mandatory; the other four categories are in scope only where you make commitments. Readiness...
The SOC 2 Trust Services Criteria Explained
The Trust Services Criteria are the control criteria the AICPA sets, and the yardstick every SOC 2 report is measured against. There are five categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security, the common criteria, sits in every SOC 2. The other four are included only where you make...
SOC 2 for Australian SaaS Selling into the US: What You Need to Know
US customers buying software from Australian SaaS companies often ask for a SOC 2 report before they sign. SOC 2 is an AICPA attestation report written by an independent licensed CPA firm against the Trust Services Criteria, not a certification. For most US deals the ask is a Type II,...
Virtual CISO: The Complete Australian Guide
A virtual CISO is a senior security leader engaged part time, on a retainer, to own an organisation's security direction without a full time executive hire. They set strategy, run risk and compliance, and report to the board. It is leadership, not managed services, and not hands on implementation. What...
What Is SOC 2? An Australian Guide
SOC 2 is an independent attestation report on how a service organisation manages customer data, written by a licensed CPA firm against the AICPA Trust Services Criteria. It is not a certification and there is no pass mark. What you receive is the auditor's report and opinion, not a certificate....
SOC 2 Type I vs Type II: Which Report Do You Need?
SOC 2 comes in two report types. A Type I reports whether your controls are suitably designed at a single point in time. A Type II reports whether they operated effectively over a period, commonly three to twelve months. Type II is the one most customers actually ask for. A...
SOC 2 Cost in Australia: What Drives the Price
SOC 2 cost has no single list price. It sits in four places: getting your controls ready, the licensed CPA firm's examination fee, any compliance tooling, and the internal effort to run controls through the observation period. A Type II costs more than a Type I, and each added Trust...
How Long Does SOC 2 Take?
SOC 2 has no single duration. A Type I reports whether your controls are suitably designed at a point in time and can follow a few weeks of readiness work. A Type II adds an observation period, commonly three to twelve months, during which the controls must operate. The observation...
ISO 42001 Certification Cost in Australia: What Drives the Price
ISO 42001 certification has no set price. The standard fixes no fee, and Cybernion does not publish one, because cost tracks the size and risk of your AI footprint. Budget for three things: building and running the AI management system, the certification body's audit fees across a three year cycle,...
ISO 42001 for AI Product Companies: What You Need to Know
ISO 42001 for AI product companies certifies the management system behind your AI, not the model or its outputs. It pulls hardest on the controls a builder owns: the AI system life cycle, data governance, and the impact assessment. Buyers and procurement teams now ask for it, and certification is...
SOC 2: The Complete Guide for Australian Technology Companies
SOC 2 is an attestation report on a service organisation’s controls, written by an independent licensed CPA firm against the AICPA Trust Services Criteria. It is not a certification and carries no pass mark. Australian technology companies are usually asked for it when they sell to United States customers. There...
How Much Does an IRAP Assessment Cost in Australia?
An IRAP assessment cost is driven by the data classification, the assessment boundary and the number of in scope ISM controls, your documentation maturity, system complexity, and the remediation you need before you are ready. The assessor fee is rarely the largest line. Readiness and remediation usually cost more. The...
IRAP vs ISO 27001: Which Does Your Business Need?
Short answer: ISO 27001 certifies your information security management system against an international standard. IRAP assesses one specific system against the Australian Government's Information Security Manual. One ends in a certificate, the other in a report with no pass mark. If you sell cloud or SaaS to government, ISO 27001...
How to Become an IRAP Assessor in Australia
Becoming an IRAP assessor is an ASD endorsement, not a certification you buy. You need Australian citizenship, at least five years of technical ICT experience including two years in information security against the ISM, one qualification each from ASD's Category A and Category B, the IRAP new starter course and...
Entity Assessor vs IRAP Assessor: What’s the Difference?
An entity assessor is an organisation's own assessor checking its internal systems against the Information Security Manual. An IRAP assessor is independently endorsed by ASD and is required for outsourced IT and cloud services that hold Australian Government data. The ISM permits own assessors up to SECRET; outsourced services need...
IRAP and the Hosting Certification Framework: How They Fit Together
The Hosting Certification Framework and IRAP answer different questions. The Hosting Certification Framework, run by the Department of Home Affairs, certifies a hosting provider's ownership, control and supply chain. IRAP independently assesses a specific system against the Information Security Manual. A PROTECTED government workload in commercial cloud usually needs both. Is...
How Often Do You Need an IRAP Assessment? The 24 Month Rule Explained
There is no annual IRAP requirement. Under PSPF requirement 0109, a cloud service provider’s IRAP assessment must be no more than 24 months old for an agency to rely on it. A material change to the system, or a new consuming agency, can force a reassessment sooner, and the next...
IRAP vs FedRAMP: What’s the Difference and Which Do You Need?
IRAP and FedRAMP are the cloud security regimes of two different governments. IRAP assesses a system against the Australian Information Security Manual for Australian government use. FedRAMP authorises cloud services against NIST 800-53 for United States federal use. Neither replaces the other. Sell to both governments and you need both....
ISM June 2026 Changes: The New AI Controls Explained
The ISM June 2026 changes add four controls aimed squarely at artificial intelligence, the first time the manual treats AI applications as their own attack surface. If your system holds OFFICIAL: Sensitive data or above and runs an AI feature, an IRAP assessor will now test against them. The control...
What Classification Does Your Government Cloud Need?
A government cloud's classification is set by the agency that owns the data, based on its business impact level. The provider does not choose it. The system is assessed against the Information Security Manual at the highest classification it will hold: OFFICIAL: Sensitive, PROTECTED or SECRET. Confirm what the agency...
IRAP for SaaS and Cloud Providers: What You Need to Know
IRAP for SaaS and cloud providers is an independent assessment of a cloud service against the Information Security Manual, run by an ASD endorsed assessor. It checks the controls the provider owns under the shared responsibility model, not the hyperscaler infrastructure beneath it. It is an assessment, not a certification,...
Australian Government Information Classifications: OFFICIAL to SECRET
Australian Government information classifications run from OFFICIAL through OFFICIAL: Sensitive, PROTECTED and SECRET to TOP SECRET, set by the damage a compromise would cause. The owning agency sets the level, not the provider. For IRAP, the ISM control set is the same at OFFICIAL: Sensitive and PROTECTED; SECRET adds physical,...
Essential Eight vs ISM vs IRAP: How the Three Fit Together
The Essential Eight, the ISM and IRAP are not three choices to weigh against each other. They are three layers of one ASD system. The ISM is the full control catalogue. The Essential Eight is its most effective subset, a baseline. IRAP is the independent assessment of a system against...
What Is the ISM? The Australian Government Information Security Manual Explained
The Information Security Manual (ISM) is the Australian Signals Directorate's cyber security framework for government and other systems that need a credible baseline. It sets out the cyber security principles and the controls a system is built and assessed against. An IRAP assessment measures a system against the ISM. It...
Essential Eight Maturity Levels (ML0 to ML3) Explained
The Essential Eight maturity model runs from Maturity Level Zero to Maturity Level Three. ML0 means real gaps remain. ML1 to ML3 meet progressively more capable attackers. ASD expects the same level across all eight strategies, and your weakest one sets the score. It is a point in time measure,...
Essential Eight Assessment Cost in Australia
An Essential Eight assessment has no list price, so its cost is set by scope. For most organisations the assessment itself is a contained engagement of a few weeks. The larger spend sits after it, in the remediation needed to reach your target maturity level and the work to hold...
IRAP Readiness Checklist: How to Prepare for an IRAP Assessment
IRAP readiness is the work you do before the assessor arrives, and this checklist covers it: confirm the classification and boundary, write the system documentation, and map evidence to each applicable ISM control. There is no pass mark to chase. Readiness exists to close the gaps an assessor would otherwise...
Essential Eight: The Complete Australian Guide
The Essential Eight is a set of eight prioritised mitigation strategies from the Australian Cyber Security Centre. Implemented together to a target maturity level, they defend against the most common cyber threats. An Essential Eight assessment measures your current maturity and gives you a prioritised roadmap to the level you...
What Is the Essential Eight?
The Essential Eight is a set of eight mitigation strategies from the Australian Signals Directorate, built to protect internet connected IT networks against the most common cyber attacks. You implement all eight together to a target maturity level, from Maturity Level Zero to Three. It is a baseline, measured by...
Is IRAP a Certification?
No. There is no such thing as an IRAP certification. IRAP is an assessment, not a certification. An ASD endorsed IRAP assessor reviews a system against the Information Security Manual and reports its strengths, weaknesses and residual risks. There is no pass mark and no certificate. The consuming agency's authorising...
ISO 42001 Readiness Checklist for Australian Organisations
ISO 42001 readiness is the work of building an AI management system an accredited auditor can certify: an AI policy, an inventory of every AI system you run, an AI risk and impact assessment, the Annex A controls you select in a Statement of Applicability, and the records that prove...
AI Risk Assessment Under ISO 42001: What It Requires
ISO 42001 asks for two linked exercises, not one. An AI risk assessment weighs risks to your objectives from building or using AI. An AI system impact assessment weighs the consequences for individuals, groups and society. Together they decide which Annex A controls you record in the Statement of Applicability....
Why AI Governance Matters Now
AI governance is the set of policies, roles and controls that keep an organisation's use of AI accountable, safe and explainable. It matters now because buyers, boards and regulators have started asking for evidence, not intent. In Australia that shift is already visible in procurement, the Voluntary AI Safety Standard...
ISO 42001 vs the EU AI Act: Which Governs Your AI?
ISO 42001 is a voluntary, certifiable AI management system standard. The EU AI Act is binding law. They are not interchangeable: certification does not make you legally compliant, and the Act does not require it. An ISO 42001 management system is a strong foundation for meeting the Act, not a...
ISO 27001 for SaaS: What Australian Software Companies Need to Know
ISO 27001 is the certificate most SaaS buyers ask for. For a software company it certifies the management system behind the platform, not just the code: clauses 4 to 10 plus the 93 Annex A controls, with the cloud and secure development controls carrying the most weight. It is commercial,...
ISO 42001: The Complete Guide to AI Management Systems
ISO 42001, published as ISO/IEC 42001:2023, is the first international standard for an AI management system. It sets out how to govern the AI you build or buy, through clauses 4 to 10 and 38 Annex A controls, with an AI system impact assessment at its core. It is certifiable,...
What Is ISO 42001?
ISO/IEC 42001:2023 is the world's first certifiable standard for an AI management system. It sets out how an organisation governs the AI it builds, supplies or uses: leadership, policies, an AI risk and impact assessment, human oversight and monitoring. Certifiable on a three year cycle, not legally mandatory in Australia....
ISO 27001 vs SOC 2: Which Does Your Organisation Need?
ISO 27001 and SOC 2 answer the same buyer question, can we trust you with our data, in two different languages. ISO 27001 is an international standard you certify against, with a certificate from an accredited body. SOC 2 is a report a licensed CPA firm writes against the AICPA...
ISO 27001 Annex A Controls Explained
Annex A of ISO/IEC 27001:2022 is a reference set of 93 information security controls, grouped into four themes: organisational, people, physical and technological. You do not implement all 93. You select the controls your risk assessment justifies and record each decision, included or excluded, in the Statement of Applicability. What...
The ISO 27001 Statement of Applicability Explained
The Statement of Applicability is the ISO 27001 document that lists every Annex A control, states whether it applies, and gives a reason for each inclusion and exclusion. Clause 6.1.3 makes it mandatory. It connects your risk treatment to the controls, and it is the master checklist your certification auditor...
ISO 27001 Stage 1 vs Stage 2 Audit Explained
ISO 27001 certification runs as a two stage initial audit by an accredited certification body. Stage 1 reviews whether your ISMS documentation and management system are in place; Stage 2 tests whether the system actually operates the way the documents claim. Both are required, and Stage 2 only proceeds once...
What Is ISO 27001:2022? A Plain Guide for Australian Organisations
ISO 27001 is the international standard for an information security management system, published by ISO and IEC. The current version is ISO/IEC 27001:2022. It sets out how an organisation governs, runs and improves information security, and it can be independently certified by an accredited body. It is a management system,...
ISO 27001 Certification Cost in Australia: What Drives the Price
ISO 27001 certification has no fixed price. The cost splits three ways: building and running the management system, the accredited certification body's audit fees across a three year cycle, and ongoing maintenance. Audit time scales with the number of people in scope, not your revenue, so a small team pays...
How Long Does ISO 27001 Certification Take in Australia?
For most Australian organisations, ISO 27001 certification takes six to twelve months from a standing start to the certificate. A small, mature team can move faster; a large or multi site scope takes longer. The pace is set by how long the management system has to run before the Stage...
ISO 27001 Readiness Checklist for Australian Organisations
An ISO 27001 readiness checklist is the work you finish before a certification body arrives. It covers the management system in clauses 4 to 10, the risk assessment and treatment, the Statement of Applicability against the 93 Annex A controls, and proof the system has actually run. Readiness is preparation,...
Essential Eight Compliance Checklist
Essential Eight compliance is not a certificate. It means implementing all eight mitigation strategies to a chosen maturity level, confirmed by a point in time assessment against ASD's maturity model. Your weakest strategy sets your level, so the checklist is really eight checklists that have to move together. What does...
Essential Eight vs ISO 27001: Which Does Your Organisation Need?
The Essential Eight and ISO 27001 answer different questions. The Essential Eight is eight technical controls the Australian Signals Directorate sets for hardening Windows networks, measured by maturity level. ISO 27001 is an international, certifiable management system covering governance, people and risk. Government suppliers usually need the first; commercial sellers...
ISO 27001: The Complete Australian Guide
ISO/IEC 27001:2022 is the international standard for an information security management system. An accredited body certifies the management system, not a product or a one off scan. It covers management clauses 4 to 10 and 93 Annex A controls, runs on a three year cycle, and in Australia is driven...
How Long Does an Essential Eight Assessment Take?
Most Essential Eight assessments run three to six weeks for a single environment, from the first working session to the final report. The work splits into documentation and configuration review, then reporting. What moves the timeline is the size of your environment, how many of the eight strategies are already...
Essential Eight vs the ISM: How They Fit Together
The Essential Eight is not an alternative to the ISM. It is a small, prioritised subset of it. The eight are baseline technical mitigations; the Information Security Manual is ASD's full control catalogue, covering governance, personnel, physical and technical security. You can reach Maturity Level Two and still sit a...
Essential Eight for Commonwealth Entities: The Maturity Level Two Expectation
The Essential Eight for Commonwealth entities is not optional. Since 1 July 2022 the Protective Security Policy Framework has required every non corporate Commonwealth entity to reach Maturity Level Two across all eight strategies. Maturity Level Three is a risk based judgement, not a default. It is a point in...
Essential Eight Changes in 2026: What Is Actually Changing
The Essential Eight maturity levels are not changing on 1 July 2026. The bigger change is broader. ASD is evolving the Essential Eight into a new Essentials series, starting with a first chapter called Essentials for enterprise IT. Consultation runs until 12 July 2026, so nothing new is mandatory yet...
IRAP Assessment: The Complete Australian Guide
IRAP, the Infosec Registered Assessors Program, is run by the Australian Signals Directorate. An IRAP assessor independently assesses a specific system against the Information Security Manual and reports its strengths, weaknesses and residual risks. It is an assessment, not a certification, and the agency that consumes the system makes the...
Maintaining IRAP Posture between Assessments
An IRAP assessment is point in time; the authorisation that follows is not. The ISM updates quarterly, systems change, and cloud providers must be reassessed within 24 months under PSPF requirement 0109. Maintaining posture between assessments means treating that period as continuous work, not a pause. The organisations that struggle...
IRAP Authorisation Package
The authorisation package is the set of documents an authorising officer uses to decide whether to approve a system to operate. The IRAP assessment report is central, not the whole package. The officer weighs the residual risks against the organisation's risk appetite before authorising, and a completed assessment does not...
IRAP POAM and Risk Management
A plan of action and milestones converts assessment findings into managed work. It records what was found, what you have decided to do about each item, who owns it, and by when. A credible POAM, maintained through the life of the system, is what turns an assessment into improvement. The...
Understanding IRAP Report and Cloud Controls Matrix
An IRAP assessment produces two documents: the assessment report and the control matrix, a derivative of the System Security Plan annex. Together they give an authorising officer the system's strengths and weaknesses, the implementation status of each applicable ISM control, and the residual risks needed to make a decision. What...
How the IRAP Assessment Process Works
An IRAP assessment follows four stages from the IRAP Common Assessment Framework: plan and prepare, define the assessment boundary, assess the controls against the ISM, and produce the report and control matrix. The assessor leads each stage; your role is access, documentation, evidence and people. The assessor leads every stage....
How to Prepare for an IRAP Assessment
Preparation is the work you do before the assessor arrives: current documentation, gathered evidence, available people, and access logistics. Organisations that arrive without this groundwork extend the timeline and create evidence gaps the assessor must record as constraints. Preparation is the cheapest money you spend on IRAP. Preparing for an...
How to define an IRAP Assessment Boundary
The IRAP assessment boundary is the set of system components, people, processes and technologies that will be assessed. The IRAP assessor defines it and agrees it with the assessed entity before substantive work begins. A tight, well defined boundary keeps the control count and the cost down. A broad one...
How to Choose an IRAP Assessor
Choosing an IRAP assessor starts with the ASD register of endorsed assessors, but the register is a starting point, not a selection criterion. All registered assessors meet ASD’s minimum bar. What varies is technical depth, familiarity with your environment, independence from your system, and availability. Selecting the wrong assessor can...
What does information classification mean for IRAP?
The classification of the information your system handles is set by the government agency that owns it, not by you as the provider, and it must be confirmed before scoping. The ISM control set is the same at OFFICIAL: Sensitive and PROTECTED. What changes are the physical, personnel and network...
What an IRAP assessment is, and what it is not
An IRAP assessment is an independent, point in time assessment of a specific system against the Information Security Manual, performed by an ASD endorsed assessor. It produces a report and a control matrix. It is not a certification, an accreditation, or an authorisation to operate, and there is no pass...
Do You Need IRAP to Sell to the Australian Government?
Short answer: If your cloud or SaaS product stores, processes or transmits Australian Government information at OFFICIAL: Sensitive, PROTECTED or above, you almost certainly need an IRAP assessment before an agency can use it. The trigger is who you sell to and what data you handle, not the size of...
IRAP Assessment FAQs
IRAP is the Infosec Registered Assessors Program, run by the Australian Signals Directorate. An IRAP assessor independently assesses a system against the Information Security Manual and reports its strengths and weaknesses. It is an assessment, not a certification, and the agency makes the final decision to authorise the system. What...
Compromised by Design – The Hidden Risks of Wearable Tech
Some choices shape our future in ways we can’t immediately see. Wearable smart devices fall into that category. At first glance, they are insightful, motivational, convenient — and, in some cases, life-saving. Yet they are far more than gadgets strapped to our wrists or clipped to our clothes. They are...
Cyber Security in Space – Securing the Stars, and Our Future
As the world becomes increasingly reliant on satellite technology for communication, navigation, and national security, the importance of space cybersecurity is also growing. The potential impact of a successful cyber-attack on these systems is vast, ranging from the disruption of communication networks to physical damage. This article explores the challenges...
Identify and Implement The Right Cybersecurity Framework
The field of cybersecurity is constantly evolving, and the increasing number of frameworks and standards can be overwhelming for organisations seeking to secure their information assets. This article explores the similarities, uniqueness, applicability, implementation and maintenance process of various cybersecurity frameworks, including ISO 27001, ISO 27017, ISO 27018, SOC2, ISM,...
