Cyber Risk & Maturity Assessment

• Service description

  
  A structured review of your current security posture against ACSC Essential Eight, ISO‑style controls and Australian privacy expectations, tailored for SMBs in sectors like manufacturing, online retail and legal services.

  Organisation sizing for the service

  Tier	Staff Size	Revenue Range	Example Organisations
  Lite	5-29	$500k-$3M	Boutique legal firms, small online stores, micro-manufacturers
  Standard	30-99	$3M-$15M	Regional manufacturers, mid-size retailers, 5-partner legal firms
  Premium	100-249	$15M-$40M	Multi-site manufacturers, national online retailers, 20+ partner firms

  Key deliverables

  • Executive summary (2–4 pages) with top 10 risks, likelihood/impact ratings, and a simple red‑amber‑green heatmap.
  • Detailed technical findings report mapped to Essential Eight and other relevant control frameworks.
  • 90‑day tactical roadmap and 12‑month strategic roadmap with effort/cost/impact estimates.
  • Risk register (spreadsheet or GRC‑ready format) that can be updated and reused internally.
  • One workshop (online or in‑person for Canberra region) to walk management and IT through findings and priorities.

  Unique features

  • One‑page risk heatmap in plain English, with impact framed in revenue, downtime and legal exposure, not just technical scores.
  • Sector‑specific lenses for manufacturers, online retailers and legal firms (e.g. supply‑chain disruption, e‑commerce fraud, legal privilege and confidentiality).

  Service tiers & value

  • Lite

    • Scope: Single environment (e.g., M365 + core servers), high‑level review.
    • Deliverables: Short exec summary, top 10 risks, 90‑day quick‑wins list.
    • Value: Fast, affordable baseline for micro/early‑stage businesses.
    • Warranty: “90-day action plan will address 80%+ of identified high/medium risks”
    • SLA: Full deliverables within 4 weeks of kick-off
    • Competitors: Quick “IT health checks” that are mostly inventories and generic recommendations.
    • Differentiation: Essential Eight‑aligned snapshot with a clear, prioritised 90‑day plan and board‑friendly summary, not just a technical checklist.

   

  • Standard

    • Scope: Multiple environments (cloud, on‑prem, key SaaS); maps to Essential Eight and privacy expectations.
    • Deliverables: Full risk register, 90‑day and 12‑month roadmap, workshop.
    • Value: Comparable structure to mid‑market firms but more focused on ACSC guidance and SMB practicality.
    • Warranty: “Risk register accurate to within 10% of follow-up validation” (if client re-tests within 90 days)
    • SLA: 2-week turnaround from data collection to final workshop
    • Competitors: Broader audits often aimed at ISO‑style maturity and large‑org templates.
    • Differentiation: Tailored to SMBs in manufacturing/retail/legal, with pragmatic actions mapped to existing tools and local regulatory expectations.

   

  • Premium

    • Scope: Multi‑site, includes third‑party and process reviews (e.g., HR, finance workflows).
    • Deliverables: Everything in Standard plus board pack and follow‑up check‑in in 3–6 months.
    • Value: Nearly “mini‑CISO programme” level at project pricing well below big‑4 style engagements.
    • Warranty: “Follow-up check-in confirms 70%+ roadmap progress or we provide 20% credit”
    • SLA: Board pack delivered 5 business days before scheduled leadership meeting.
    • Competitors: Big‑4 style risk reviews heavy on documentation and light on execution support.
    • Differentiation: Board packs plus follow‑up check‑ins specifically focused on execution and measurable risk reduction, not just “maturity scores”.

Fractional vCISO (Virtual CISO) Service Advisory

• Service description

• 
  Ongoing, part‑time security leadership for SMBs that cannot justify a full‑time CISO, that owns the cyber strategy, governance and oversight function, without adding a full‑time executive to payroll.

  Organisation sizing for the service

  Tier	Staff Size	Revenue Range	Example Organisations
  Lite	10-49	$1M-$8M	Growing online stores, small factories, 3-7 partner legal practices
  Standard	50-149	$8M-$30M	Regional manufacturers, chain retailers, mid-tier law firms
  Premium	150-399	$30M-$80M	Multi-factory ops, national retail chains, top-50 regional law firms

  Key deliverables (per year, scaled to package)

  • Security strategy document aligned to business goals, budget and risk appetite.
  • Rolling 12‑month cyber roadmap with quarterly updates and reprioritisation.
  • Pack materials for board/leadership meetings: risk dashboard, KPI metrics, and decision options.
  • Policy oversight: review and sign‑off of security and privacy policies at least annually.
  • Vendor/security architecture reviews and written recommendations for major IT/security purchases.
  • Incident‑support on demand: decision logs and post‑incident review documents.

  Unique features

  • Focus on business outcomes, not tools: KPIs tied to reduced incidents, downtime and compliance risks.
  • Includes “CISO on‑call” for board or regulator meetings (e.g. OAIC privacy investigations, insurance renewals).

  Service tiers & value

  • Lite

    • ~0.5 day/month, focus on governance and roadmap only.
    • Value: A named security lead for small firms who just need direction and external accountability.
    • SLA: Response to ad-hoc queries within 24 business hours; monthly roadmap update on schedule
    • Warranty: “Single named advisor maintains continuity throughout engagement”
    • Competitors: MSP “vCIO/vCISO” add‑on, usually pushing their own stack.
    • Differentiation: Explicit separation from implementation vendors and a clearly documented risk register and roadmap.
    •  

  • Standard

    • 1–2 days/month; owns risk register, policy cadence, board reporting and vendor oversight.
    • Value: Equivalent to having a part‑time senior security leader at mid‑market vCISO pricing, but explicitly product‑agnostic.
    • SLA: 4 hours/month guaranteed consulting time; priority response (4 business hours)
    • Warranty: “Risk register updated quarterly with demonstrable risk reduction metrics”
    • Competitors: National consultancies rotating multiple consultants across clients.
    • Differentiation: Continuity with a named senior advisor who also understands cyber law and forensics, ideal for incident and regulator interactions.
    •  

  • Premium

    • 3+ days/month; embeds into leadership team, attends exec/board meetings, and guides major programmes (Essential Eight, MDR, DR).
    • Value: CISO‑level influence at a fraction of full‑time cost, comparable to large‑firm virtual CISO but with continuity of a single principal.
    • SLA: 12 hours/month guaranteed; same-day response for critical issues; board meeting attendance
    • Warranty: “Annual risk posture improvement or 15% credit toward next 6 months”
    • Competitors: High‑cost vCISO programmes geared to upper mid‑market/enterprise.​
    • Differentiation: C‑suite‑level participation at SMB pricing, with integrated oversight of Essential Eight, MDR, IR, and supplier risk, not siloed projects.

Essential Eight “Fast‑Track” Implementation

• Service description

• 
  Hands‑on help to reach a pragmatic and realistic, risk‑based Essential Eight maturity for Windows, Microsoft 365, servers, endpoints, cloud and SaaS environments, tuned to the business risk and budget.

  Organisation sizing for the service

  Tier	Staff Size	Revenue Range	Example Organisations
  Lite	5-39	$500k-$5M	Single-site manufacturers, small e-com, solo+ legal practices
  Standard	40-129	$5M-$25M	Multi-line manufacturers, regional retail, 10-partner firms
  Premium	130-299	$25M-$60M	Multi-site factories, national online retail, mid-tier nationals

  Key deliverables

  • Gap analysis report per Essential Eight control (current vs. target maturity).
  • Implementation blueprint (who does what, when, and with which existing tools).
  • Configuration guides and checklists tuned to your environment (e.g., M365, AD, endpoint platform).
  • Verification report showing evidence of control implementation and residual gaps.
  • Updated runbooks for IT/helpdesk so changes are operationalised (e.g., patching cadence, application control process).

  Unique features

  • Outcome‑based: narrow focus on the specific Essential Eight controls that most reduce ransomware and account‑compromise risk for SMBs.
  • “No rip‑and‑replace” principle: optimises what the client already owns before recommending new spend.

  Service tiers & value

  • Lite

    • Focus on a subset of controls (e.g., MFA, patching, backups) for smallest environments.
    • Value: Quick uplift on the highest‑impact controls with minimal disruption.
    • Warranty: “Target controls reach maturity level 1 or we extend guidance at no extra cost”
    • SLA: Verification report within 2 weeks of implementation completion
    • Competitors: “Essential Eight compliant” MSP packages that are essentially product bundles.
    • Differentiation: Focused uplift of the most impactful controls using what the client already owns, avoiding forced migrations.
    •  

  • Standard

    • Full Essential Eight gap analysis and roadmap; phased rollout using existing tools where possible.
    • Value: Same language and mapping as ACSC, without forcing a specific product stack.
    • Warranty: “Full Essential Eight roadmap delivered; controls verified to target maturity”
    • SLA: Monthly progress report; final verification within 10 business days of phase completion
    • Competitors: Larger firms that treat Essential Eight uplift as a one‑time project with heavy documentation.
    • Differentiation: Stepwise, risk‑based roadmap plus operational runbooks so internal IT can sustain the controls.
    •  

  • Premium

    • Includes hands‑on implementation guidance, verification, staff training, and integration with MDR/IR services.
    • Value: End‑to‑end uplift and operationalisation similar to large consultancies, but right‑sized for SMB budgets.
    • Warranty: “Independent verification confirms target maturity across all 8 controls”
    • SLA: Hands-on support during business hours; 48-hour response for implementation blockers
    • Competitors: Full transformation programmes that often exceed SMB budgets.
    • Differentiation: End‑to‑end uplift plus verification and training, integrated with MDR and IR, without imposing enterprise‑grade tooling or cost.

Incident Response Retainer & Digital Forensics

• Service description

• 
  A standing agreement that guarantees a pre‑agreed incident response plan, on‑call retainer, rapid access to experienced incident responders and forensic specialists, plus structured post‑incident investigations and reporting.

  Organisation sizing for the service

  Tier	Staff Size	Revenue Range	Example Organisations
  Lite	15-69	$1.5M-$12M	Small manufacturers, regional retailers, boutique legal
  Standard	70-199	$12M-$45M	Mid-size factories, chain stores, mid-tier law firms
  Premium	200-399	$45M-$90M	Multi-site ops, national retail, top regional practices

  Key deliverables

  • Incident response plan tailored to your business (roles, decision trees, notification triggers).
  • Contact and escalation sheet for business, legal, insurance and third‑party support.
  • During an incident: situation reports, containment checklist, and communication templates for staff/clients.
  • Forensic evidence collection plan and chain‑of‑custody documentation.
  • Final incident report with root‑cause analysis, timeline, impact assessment and recommendations.
  • Optional regulator/insurer pack to support OAIC notifications or insurance claims.

  Unique features

  • Playbooks tailored to SMB realities (e.g., small IT team, cloud‑first, outsourced helpdesk) with pre‑approved legal, communications and insurer contact trees.
  • Evidence handling and timelines structured to support potential legal or regulatory action (e.g., OAIC notifications, contractual disputes).

  Service tiers & value

  • Lite

    • On‑call availability at a defined SLA, basic IR playbook, discounted hourly rates.
    • Value: Insurance‑friendly, gives SMBs a named team to call without large fixed cost.
    • SLA: Initial response within 4 hours of notification; discounted rates ($200/hr vs $350 market)
    • Warranty: “Pre-agreed playbooks cover 90% of scoped scenarios”
    • Competitors: “Call‑us‑when‑it‑burns” arrangements without prior planning.
    • Differentiation: Pre‑defined playbooks and contact trees so first 24 hours are organised, even on the smallest retainer.
    •  

  • Standard

    • Full IR plan, annual tabletop, preferential scheduling, and structured reporting for regulators/insurers.
    • Value: Similar to what larger firms provide but translated to SMB scale and local Canberra responsiveness.
    • SLA: 2-hour response for ransomware/containment; structured reporting within 72 hours
    • Warranty: “Forensic evidence chain-of-custody guaranteed admissible in Australian courts”
    • Competitors: Insurer‑aligned IR firms focused primarily on technical triage and containment.
    • Differentiation: Forensics and evidence handling built in, with outputs tailored for OAIC, insurers and legal proceedings.
    •  

  • Premium

    • Includes embedded monitoring/MDR integration, proactive compromise assessments, and legal/communications coordination.
    • Value: Almost full “breach readiness programme” for a fraction of big‑brand retainers.
    • SLA: 1-hour response; on-site Canberra response within 4 hours if required
    • Warranty: “Full incident report within 15 business days post-containment or 25% credit”
    • Competitors: Global IR retainers aimed at large enterprises with high annual minimums.
    • Differentiation: Integrated readiness (tabletops, MDR, DR) and regulator/communications support, sized for SMB budgets and Canberra‑region availability.