top of page


Governance, Risk and Compliance (GRC) is about ensuring your organisation is hitting its cyber security targets as defined in regulation or policy, with clear accountabilities and pragmatic management of risk.  


The benefits of effective GRC are:  

  • Clearer, more actionable security programs supported by the definition, documentation, and communication of effective governance structures and responsibilities.   

  • Increased Return on Investment (ROI) from the cybersecurity budget by defining and prioritising control selection and implementation through pragmatic cyber security risk assessment.  

  • Picking the right tool for the right job by understanding your organisation’s underlying business drivers and external dependencies and translating this into the selection and implementation of leading security standards. 


Our Approach 

We believe choosing the right security standard for the right objective is critical to success. Whether you're defining top-level management intent through your ISO27001-aligned ISMS, improving control selection via the NIST-CSF, or building a System Security Plan for a PROTECTED system, we're here to help.  


Our Experience 

We have experience helping organisations around the world define and achieve their compliance goals and manage cyber risk. We appreciate that not all compliance programs are created equal. Working with your key stakeholders to ensure you are achieving compliance or risk objectives with minimal impact to your core business is our passion - seriously. 


Key Services 

Our most utilised GRC services are: 

  • Threat and Risk Assessments, ISO31000:2018-aligned cyber security risk assessments in which threat modelling is built into determining cyber risk exposure for more informed decision-making.  

  • ISO27001 Compliance, including audit by certified ISO27001 Lead Auditors and Information Security Management System (ISMS) documentation development. 

  • IRAP Assessments, by ASD endorsed cyber security professionals to provide assurance of the security of systems storing or processing Australian Government data.

  • Information Security Manual (ISM) or Essential Eight assessments, for organisations responsible for the storage or processing of Australian Government information. 

  • SOC 2 Reporting, in which Trust Services Principles are used to assess and report on the confidentiality, availability integrity, of a service organisation’s systems and processes. 

  • NIST-CSF Maturity Assessments, a method of benchmarking an organisation’s cyber security capabilities according to five ‘Functions’ which broadly map controls to the chronology of a cyber incident: Identify, Protect, Detect, Respond, Recover. 

  • PCI-DSS Assessments and Reporting, including self assessment questionnaires (SAQ) and reports on compliance (ROC) for merchants of any size that accept credit cards who need to report on the policies, technologies and processes that protect their payment systems. 

  • State Government Attestations, such as Mandatory 25 assessments in New South Wales, VPDSS reporting in Victoria or meeting IS18 requirements in Queensland. 


Get in touch today to learn how to devise the most cost-effective approach to achieving your governance, risk and compliance goals. 

Governance, Risk and Compliance: Projects
bottom of page