APRA CPS 234 attestation support, CPS 230 readiness, and Essential Eight ML2 / ML3 evidence packs that auditors sign off first pass. vCISO capacity for firms that need the accountability but can't justify the head count.
Advisory firms, capital managers, professional bodies, and multi-entity groups. Each engagement has at least one of CPS 234, Essential Eight, or CIS v8 as a delivery driver.
Finance IT is documentation-heavy by design. APRA, the auditor, and the insurer are all reading the same evidence trail. The provider that produces it cleanly is the provider you keep.
APRA-regulated entities can't just say controls are in place. The standard requires documented evidence, material incidents notifiable to APRA, and an auditor who'll test it. Your IT provider has to produce what the auditor will accept on first read.
Effective July 2025, CPS 230 requires identification and monitoring of material service providers. The MSP relationship now sits inside the operational resilience framework, with tested continuity, exit, and notification arrangements. Generic IT contracts no longer pass.
Your external auditor asks for the same forty artefacts every year. We build the evidence pack once, version-control it, refresh it quarterly, and hand it across as a finished artefact. The fortnight of internal scrambling stops being annual.
Board-level information security accountability is the floor APRA is testing against. A vCISO retainer gives you the same accountability, the same documentation, and the same voice in front of auditors, for a fraction of the cost of a hire.
Five frameworks finance customers ask about by name. We implement against each one and produce evidence in the form your auditor will accept. No "we follow industry best practice" hand-waving.
Prudential Standard CPS 234 - Information Security
Documented information security capability proportionate to threat. Material incidents notifiable to APRA within 72 hours. Annual review and audit.
We build and operate the controls, maintain the documentation pack, and provide the incident response capability that meets the 72-hour notification window. The CPS 234 attestation is a deliverable.
Prudential Standard CPS 230 - Operational Risk Management
Identification of material service providers, tested continuity arrangements, incident notification, and a credible exit plan. Effective from 1 July 2025.
Our service agreement now includes the CPS 230 obligations as schedule terms - tested BCP, notification SLAs, and a documented exit / portability plan you can show your regulator.
Privacy Act 1988 - Australian Privacy Principles
Reasonable steps to protect personal information from misuse, loss, and unauthorised access. Notifiable Data Breach scheme since 2018.
Privacy is the floor, not the ceiling. We implement the controls (access management, encryption at rest, breach detection) and prepare the breach response artefacts in advance, not after the fact.
CIS Critical Security Controls v8
A prioritised set of 18 control families covering identity, data, endpoint, network, and incident response. Broader and more operationally useful than Essential Eight alone.
CIS v8 is our primary technical framework. We map your environment against it, prioritise remediation by risk reduction, then re-baseline at the next quarter. Essential Eight maps cleanly into a subset.
ACSC Essential Eight - Maturity Levels 2 and 3
Implementation and ongoing evidence across eight controls (application control, patching, macros, hardening, admin privileges, MFA, backups). ML2 is the typical insurance and contract floor; ML3 for higher-trust environments.
ML2 in 6-12 weeks from a clean baseline. Evidence packaged exactly to the ACSC assessment guide. Annual reattestation managed so maturity doesn't quietly drift between audits.
Most Australian finance SMBs sit in the gap between "needs security accountability" and "can hire a $300k CISO." The vCISO retainer closes that gap with a senior practitioner shared across a small portfolio of customers, each of whom needs the function but not the head count.
Information security risk, control health, incidents, and decisions needed - in the shape your Risk or Audit committee already reads.
Material incident definitions, 72-hour notification process, and the response runbook tested annually. CPS 234-aligned.
We prepare, you sign. The evidence pack underneath the attestation is the same one your independent reviewer will test.
Your auditor, insurer, and (when material) the regulator get a senior practitioner on the call who can answer the question, not escalate it.
vCISO delivery sits with our principals. The person whose name is on the engagement is the person who turns up to your meetings.
Generic IT plus security plus advisory, framed for the obligations a finance firm actually carries. Compliance leads, advisory holds, the operational layers underneath.
Essential Eight ML2 / ML3 uplift, CIS v8 implementation, and the audit-ready evidence pack you hand to your auditor or insurer.
Service detailvCISO retainer for APRA-grade information security governance. Quarterly board reporting, risk register, and the senior voice that talks to your regulator.
Service detail24/7 managed detection and response, email and identity protection, and the incident response playbook your CPS 234 attestation depends on.
Service detailAnnual Essential Eight reassessment, Microsoft 365 tenant audit, and external attack-surface scans - the evidence layer underneath the attestation.
Service detailConnektCloud Azure hosting with documented RPO / RTO, immutable backups, and the disaster recovery test artefacts CPS 230 expects you to hold.
Service detailThe core platforms behind our finance work - identity, detection, compliance automation, and the controls auditors expect to see.
The identity, productivity, and cloud platform we manage for every client - from M365 to Azure to Entra ID.
View partnerManaged detection and response built for SMBs. 24/7 human analysts, no SIEM to run, incidents remediated in hours.
View partnerCompliance automation for SOC 2, ISO 27001, HIPAA, and more - with continuous evidence collection and audit-ready reports.
View partnerEnterprise password manager and secrets vault. Zero-knowledge encryption, granular sharing, SSO integration, BreachWatch dark-web monitoring.
View partnerSecurity-fabric firewalls, SD-WAN, and endpoint protection for network-centric architectures. FortiGate, FortiClient, FortiAnalyzer.
View partnerWe're approving two finance case studies for publication. Until then, the customer list above can speak to long-running engagements - book a discovery call and we'll connect you with the closest reference.
Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.
