Question 1

What compliance frameworks does your audit cover?

Accepted Answer

We assess against ASD Essential Eight (all eight controls at maturity levels 0-3), APRA CPS 234 (all obligations), ISO 27001 (Annex A controls), PCI DSS (all 12 requirements), SOC 2 Trust Services Criteria, and the Australian Privacy Act / Privacy Principles. Our assessment can cover one or multiple frameworks simultaneously — findings are cross-mapped so you address a gap once rather than separately for each framework.

Question 2

How much does a compliance security audit cost?

Accepted Answer

A single-framework compliance assessment starts at $800 AUD — this includes technical testing, control assessment, framework-mapped reporting, and remediation guidance. Multi-framework assessments are more cost-effective per framework: two frameworks from $1,400, three or more from $1,800. These prices reflect the efficiency of testing once and mapping to multiple frameworks. Contact us for a specific quote based on your scope and framework requirements.

Question 3

How is this different from a regular security audit?

Accepted Answer

A regular security audit identifies technical vulnerabilities. A compliance audit goes further — mapping those vulnerabilities (and policy/process gaps) to specific compliance framework controls with ratings, maturity scores, and remediation actions traceable to regulatory requirements. You receive a compliance-ready report that your risk, compliance, or audit team can use directly — not a generic vulnerability list that needs translation into compliance language.

Question 4

Can you help us prepare for an upcoming ISO 27001 certification audit?

Accepted Answer

Yes — this is one of our most common engagements. Our ISO 27001 gap analysis identifies nonconformities that would block certification, observations that the auditor will note, and opportunities for improvement. We prioritise findings by certification impact and provide specific remediation guidance for each gap. Clients who complete our gap analysis and remediation cycle before the certification audit have a near-100% first-time pass rate — avoiding the cost and delay of remediation cycles during the formal audit.

Question 5

We are a supplier to APRA-regulated entities — does CPS 234 apply to us?

Accepted Answer

Likely yes. CPS 234 extends to material service providers of APRA-regulated entities. If you provide technology services, data processing, cloud hosting, or outsourced operations to a bank, insurer, or super fund, they are obligated to ensure you manage information security risks commensurate with the services you provide. Your APRA-regulated clients will increasingly request evidence of CPS 234 compliance. Our assessment provides that evidence and identifies gaps to address.

Question 6

Do you provide the compliance evidence or just identify gaps?

Accepted Answer

Both. Our assessment identifies gaps, but the testing process itself generates compliance evidence — penetration test reports, vulnerability scan results, control effectiveness assessments, and maturity ratings. For frameworks like Essential Eight and CPS 234, our output includes the specific evidence artefacts that auditors and regulators expect to see. We also provide templates for policies and procedures that your assessment revealed were missing or inadequate.

Question 7

How often should a compliance assessment be conducted?

Accepted Answer

We recommend annually as a baseline, with additional assessments triggered by material changes (new systems, organisational restructure, regulatory updates). APRA CPS 234 requires control testing to be performed at least annually and after material changes. ISO 27001 requires annual surveillance audits with a full recertification every three years. PCI DSS requires annual validation. Our quarterly monitoring service ($200/quarter) provides continuous technical compliance between formal assessments.

Question 8

Can one assessment cover multiple compliance frameworks?

Accepted Answer

Yes — this is one of our core advantages. Many security controls satisfy requirements across multiple frameworks. For example, multi-factor authentication is required by Essential Eight (ML2+), CPS 234, ISO 27001 (A.8.5), and PCI DSS (Req. 8). We test the control once and map it to every applicable framework, highlighting where a single fix closes gaps in multiple compliance areas. This is significantly more efficient than running separate assessments for each framework.

Question 9

What if we have no existing compliance documentation?

Accepted Answer

Many of our clients, particularly SMBs, start with minimal or no formal compliance documentation — that is a finding, not a barrier. Our assessment evaluates both your technical controls and your documentation maturity. Where policies are missing, we provide templates and guidance for creating them. The assessment report itself serves as initial compliance evidence and provides a foundation for building your compliance programme incrementally.

Question 10

Do you offer ongoing compliance support or just a point-in-time assessment?

Accepted Answer

We offer both. The point-in-time assessment provides your current compliance posture. Our quarterly monitoring service ($200/quarter) provides continuous technical compliance monitoring between assessments. For organisations building compliance programmes from scratch, we offer advisory engagements to support policy development, control implementation, and audit preparation over 3-12 months. Contact us to discuss the right level of ongoing support for your compliance maturity.

Question 11

How do you handle multi-location or cloud-based organisations?

Accepted Answer

Our testing methodology is designed for modern distributed organisations. Cloud infrastructure (AWS, Azure, GCP) is assessed through external scanning and cloud-specific configuration review. Multi-location organisations receive consistent testing across all locations with findings aggregated into a single compliance view. Remote access infrastructure is specifically tested because it often connects compliance-critical systems. We assess the technical controls regardless of where they are hosted.

Question 12

Can the compliance report be shared with our clients or regulators?

Accepted Answer

Yes. Our reports are designed to be shared as compliance evidence with regulators (APRA, OAIC), certification bodies (ISO 27001 registrars), clients conducting vendor due diligence, and cyber insurance providers. We issue a formal Certificate of Compliance Assessment upon completion, and the report format follows industry standards for audit evidence. Many clients use our Essential Eight maturity scorecard directly in government tender responses.

Security Compliance Audit

Why Compliance-Aligned Security Matters

Framework Mapping

Audit Failures

Frameworks Supported

Proactive Compliance

Compliance Frameworks We Cover

ASD Essential Eight Maturity Assessment

APRA CPS 234 Compliance Testing

ISO 27001 Gap Analysis

PCI DSS Compliance Assessment

Privacy Act & NDB Compliance Assessment

SOC 2 Type I/II Readiness Assessment

See How AI Can Transform Your Operations

Compliance Audit Process

Framework Selection & Scoping

Technical & Control Assessment

Compliance Reporting & Roadmap

Security Compliance Audit FAQs

Pass Your Next Compliance Audit the First Time