Essential Eight · insurer questionnaires · audits

The paperwork, done honestly.

Compliance work is mostly writing down what's true, in the language the person asking for it is using. We do the writing. We also make sure what's being written down is actually true, which is the part that usually trips people up.

What we deliver

Essential Eight assessments, cyber-insurance questionnaires, and client-audit evidence.

Essential Eight assessment and uplift

We assess your current maturity against the ACSC's Essential Eight model, control by control. We tell you where you really sit (usually less mature than people think), and we build a staged plan to move you to ML1, then ML2. The eight controls and the maturity journey get their own page: see /essential-eight.

Cyber-insurance questionnaires

The renewal form has become a 40-page technical audit. We've answered enough of them to know what brokers actually want, which answers trigger follow-ups, and where "yes" is a lie that bites later. We fill them in honestly with you, not for you.

Client-driven audits

Larger clients now audit their suppliers. If a prospect or existing customer asks you to produce evidence of your controls, we hold the evidence, we know which frameworks they're mapping to, and we sit on the call if that helps. The work is mostly client-specific security questionnaires and broker/insurer renewal forms; where a formal SOC 2 or ISO 27001 certification is what the prospect wants, we'll say so and point you at a firm that specialises.

Frameworks we work with

ACSC Essential Eight, APRA CPS 234, AFSL obligations, Privacy Act and industry-specific standards.

ACSC Essential Eight
The Australian Cyber Security Centre's eight controls. The backbone of most Australian cyber-insurance questionnaires and government-adjacent audits. We run your maturity journey against the official model.
APRA CPS 234
For smaller APRA-regulated entities and the AFSL firms downstream of them: information-security obligations around control environment, incident notification, and third-party oversight. We help clients evidence the controls we actually operate for them; the enterprise-scale end of the prudential framework (big ADIs, major super funds, general insurers) sits outside our sweet spot and we'll say so upfront.
AFSL obligations
The IT and data-handling expectations sitting under AFS licensing. Not a single-line requirement, but a pattern of obligations around client data, record retention, and breach handling.
Privacy Act 1988 + Notifiable Data Breaches
Including the obligations around eligible data breaches (those likely to result in serious harm), which entities the scheme covers, the 30-day window to assess a suspected breach, and notification to the OAIC and affected individuals as soon as practicable once a breach is confirmed. We build the incident-response muscle that makes the 30-day assessment a deadline you can meet.
Industry-specific (Law Society retention, standards for RTOs, aged care, etc.)
Industry pages cover the frameworks relevant to each vertical we work in. If the regulator has an IT clause, we know what it says and what evidence satisfies it.

Evidence, not assertions.

An auditor, a broker, a larger client's security team. None of them want to be told you have MFA. They want to see the control in place, the policy that enforces it, and the log that shows exceptions being handled. We collect and maintain that evidence as part of running the environment, not as a special exercise every twelve months.

Most MSPs don't do this because it's easier to tick yes. We do because we'll be the ones sitting on the phone when someone digs in, and "we said yes" is a worse answer than "here's what we do and here's why."

Common questions

Audits, AI, and the questions on the insurer's form.

We're being audited and don't have documentation. Can you help with short notice?
Usually yes, with two caveats: the deadline determines how much we can remediate before the response goes in, and we won't fabricate evidence. If your controls are genuinely partial, the evidence pack reflects that, and the audit response covers the remediation plan. That's a better answer than a pretend "all green" report that unravels on follow-up. We've done enough short-notice audit support to know what's recoverable in 10 business days and what isn't.
Does the Essential Eight cover AI tools like Microsoft 365 Copilot?
Not directly, but several controls apply. Application control has implications for desktop AI assistants and anything they install. Macro configuration applies where Copilot is used to generate Office macros. Copilot acts with the permissions of the signed-in user, so MFA and restriction of privileged access apply to that identity, and Copilot can surface anything that identity can already reach. Data classification and retention obligations sit outside the Essential Eight but apply to what Copilot can access. The Essential Eight doesn't yet have an AI-specific control, and we'd expect that to change. In the meantime we help clients layer an AI governance policy on top of the Essential Eight baseline.
How does AI show up on our cyber insurance renewal questionnaire?
Most 2026 renewal questionnaires now ask whether you have AI tools in use, an AI acceptable-use policy, and controls around prompt and output data. Some ask whether Copilot or similar is deployed and how data access is governed. Answering "no policy, no controls, not sure" is a flag; answering "yes, here's the policy, here's the access governance" isn't. We help clients get to the second answer.
Who actually audits Essential Eight compliance for a private business?
The ACSC doesn't audit private-sector Essential Eight compliance directly. Your practical auditors are your cyber insurance broker (via the renewal questionnaire), your larger corporate clients (via their vendor-security process), and increasingly your sector regulator (APRA, ASIC, Law Society, ASQA). Each uses their own scoring, but the Essential Eight is the common language underneath all of them.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
