CIS Critical Controls
Implementation of the CIS Controls v8 - our primary framework. Mapped to your business context, not applied as a checklist.
Compliance
Compliance
Most compliance programmes fail quietly - a PDF on a shared drive, slowly diverging from reality. We build the underlying controls first, then the evidence, then the attestation. In that order.
Next step
Ready to scope Compliance for your business?
What’s included
Scope that’s actually defined.
Every inclusion below is documented, delivered, and renewable under our standard agreement. No surprise scope. No silent exclusions.
Essential Eight ML1–ML3
ASD Essential Eight maturity uplift to your target level, with evidence structured to match the ACSC assessment framework.
Evidence management
An ongoing evidence pack - screenshots, configuration exports, policy docs - refreshed quarterly and ready for audit.
Annual reattestation
We manage the annual reassessment so your maturity level doesn't quietly drift downward between audits.
Frequently asked
The questions we get most.
Why CIS before Essential Eight?
CIS is broader and more operationally useful - Essential Eight is a subset of good practice rather than a complete programme. We prioritise CIS as the foundation, then map to Essential Eight for the Australian-specific attestation.
What maturity level should we target?
It depends on regulatory context and contractual pressure. Most of our SMB customers land at Essential Eight ML1 as a baseline; firms with enterprise or government contracts typically need ML2. ML3 is rarely required for mid-market.
How long until we're certified?
ML1 is achievable in 4–6 weeks for most customers. ML2 is typically 6–12 weeks depending on the starting posture. ML3 is a 3–6 month programme and warrants a dedicated project scope.
Related services
All servicesUsually bundled with compliance
Security Assessments
Vulnerability scans, Microsoft 365 audits, security posture reviews, and dark web exposure checks. Know where you stand before an attacker does - with a remediation plan you can actually act on.
Learn moreCyber Security
Managed MDR, email and endpoint security, security awareness training, and incident response - delivered through vetted partner platforms. Built for SMBs who can't afford an incident.
Learn moreStrategic Advisory
IT roadmap, budgeting, and board-level reporting. Security strategy and technology governance - vCIO and vCISO capability without the head count.
Learn moreReady when you are
Leave the MSP that doesn’t pick up.
Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.
- Response
- Within 48 hours
- Format
- Written quote
- Discovery call
- Not required
- Contracts
- No lock-in terms