CIS Critical Controls
Implementation of the CIS Controls v8 - our primary framework. Mapped to your business context, not applied as a checklist.
Most compliance programmes fail quietly - a PDF on a shared drive, slowly diverging from reality. We build the underlying controls first, then the evidence, then the attestation. In that order.
Ready to scope Compliance for your business?
Every inclusion below is documented, delivered, and renewable under our standard agreement. No surprise scope. No silent exclusions.
Implementation of the CIS Controls v8 - our primary framework. Mapped to your business context, not applied as a checklist.
ASD Essential Eight maturity uplift to your target level, with evidence structured to match the ACSC assessment framework.
An ongoing evidence pack - screenshots, configuration exports, policy docs - refreshed quarterly and ready for audit.
We manage the annual reassessment so your maturity level doesn't quietly drift downward between audits.
Knowing where a service stops matters as much as knowing what it covers. Here’s what sits outside this engagement - so there are no awkward surprises later.
We implement controls and assemble evidence to the standard an assessor expects. The formal audit opinion or legal attestation comes from your auditor or assessor, not from us.
Our specialism is Essential Eight and CIS Controls v8. ISO 27001 certification, SOC 2, and PCI-DSS we'll scope and partner on, rather than overclaim end-to-end.
Compliance is a posture you maintain, not a certificate you frame. We deliver it as an ongoing programme with reattestation - not a single drive-by audit.
Every engagement runs the same four steps. You always know which one we’re in and what comes next.
We map your current state and agree exactly what's in and out, in writing, before any work or invoice. No surprise scope, no silent exclusions.
A documented plan with milestones, owners, and success criteria you can hold us to - so you know what good looks like before we start.
We do the work with change control and your sign-off at each gate. You see progress against the plan, not a black box.
Ongoing management, published performance, and a quarterly review that keeps the work honest and the roadmap current.
The platforms we standardise on for this service. Picked for fit, not for kickbacks.
Compliance automation for SOC 2, ISO 27001, HIPAA, and more - with continuous evidence collection and audit-ready reports.
Security and compliance automation - SOC 2, ISO 27001, HIPAA, GDPR. Continuous monitoring, streamlined audits.
Microsoft 365 backup, governance, and migration tooling at enterprise scale. Full tenant recovery, not just mailboxes.
Auditors and insurers increasingly want both CIS Controls v8 and the Essential Eight. They overlap, but they aren't the same shape. Here's the control-by-control mapping we use - and the four CIS controls the Essential Eight quietly leaves you exposed on.
The Essential Eight has three maturity levels. Most SMBs reach for ML2 or ML3 because the number looks better. Here's why ML1, done honestly, beats ML2 done badly - and what the gap actually costs.
Vulnerability scans, Microsoft 365 audits, security posture reviews, and dark web exposure checks. Know where you stand before an attacker does - with a remediation plan you can actually act on.
Your maturity against all eight ACSC mitigation strategies, scored to your target level, with a roadmap to close the gaps. The Australian baseline that primes, contracts, and cyber insurers increasingly ask you to prove.
Where you stand against the CIS Critical Security Controls v8.1 - all 18 controls, scored to your target Implementation Group - with a prioritised roadmap to close the gaps. The broad, internationally-recognised baseline that maps to NIST and ISO.
Managed MDR, email and endpoint security, security awareness training, and incident response - delivered through vetted partner platforms. Built for SMBs who can't afford an incident.
Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.