ISM, PSPF and Essential Eight aligned security services — protecting citizen data, critical public services and your compliance posture.
Australian government entities at every level — federal departments, state agencies and local councils — face relentless, sophisticated cyber threats. The ASD's Annual Cyber Threat Report 2024–25 confirms the picture is worsening: ASD's ACSC responded to more than 1,200 cyber security incidents in FY2024–25, an 11 per cent increase year-on-year, and notified entities more than 1,700 times of potentially malicious cyber activity — an 83 per cent increase (ASD, 2025). Government entities collectively accounted for 8 per cent of all incidents reported to ASD's ACSC, with state and local government representation rising to 14 per cent of that cohort (ASD, 2025).
Understanding the threat profile helps focus investment where it matters most. The following vectors are consistently prominent in ASD reporting and in Australian public-sector incidents.
Nation-state cyber actors — particularly those linked to China and Russia — actively target Australian government networks for espionage, intellectual property theft and pre-positioning for potential disruption of critical services. The ASD's 2024–25 report identifies state-sponsored activity as a serious and growing threat to networks operated by Australian governments and critical infrastructure (ASD, 2025).
Local councils are disproportionately targeted by ransomware groups. Recent examples include the December 2024 SafePay ransomware attack on Muswellbrook Shire Council (175 GB of data published), and the April 2024 LockBit/OracleCMS incident that exposed sensitive resident data across multiple councils. Under-resourced ICT teams, flat networks and limited backup maturity make councils high-probability targets.
Business email compromise (BEC) targeting government procurement, finance and payroll functions continues to generate significant financial losses. Threat actors compromise or impersonate supplier email accounts to redirect payments. Adequate identity controls, MFA enforcement and staff awareness are essential countermeasures aligned to Essential Eight Strategy 6 (Restrict Administrative Privileges) and Strategy 7 (Patch Operating Systems).
Shared platforms, managed service providers and software vendors used across government present a single point of compromise that can affect dozens of agencies simultaneously. The SOCI Act now mandates that critical infrastructure operators assess supply-chain hazards as part of their Critical Infrastructure Risk Management Programme (CIRMP), recognising the systemic risk this vector creates.
Phishing remains the leading initial access vector against government staff. Credential harvesting provides actors with legitimate access that can evade perimeter controls entirely. Phishing-resistant MFA (Essential Eight Strategy 5), user awareness training and advanced email filtering are proven mitigations that every agency and council should have in place.
Both malicious insiders and well-intentioned staff making configuration errors cause significant data exposure in the public sector. Cloud misconfigurations, overly permissive access and inadequate audit logging are recurring findings in ASD assessments. Least-privilege access, privileged access workstations and continuous logging satisfy ISM controls and reduce this risk materially.
Australian government entities operate under a layered and evolving set of mandatory security frameworks. Non-compliance carries audit risk, ministerial scrutiny and — increasingly — personal accountability for senior officials. Cryptiq maps its services directly to each layer.
Cryptiq Cybersecurity partners with Australian government entities and local councils to assess, uplift and evidence security controls across the full compliance stack — so you can face audits, ministerial reporting and PSPF self-assessments with confidence.
Cryptiq is ISM, PSPF and Essential Eight aligned. We help you evidence compliance and reduce risk.
Good security hygiene in the public sector is not about ticking boxes — it is about building genuine resilience that allows services to keep running when an incident occurs. Here is what a mature posture looks like in practice.
All eight strategies implemented and evidenced: application control, patch applications (within 48 hours for internet-facing systems), configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication and regular backups. Evidence is maintained, tested and produced on request for PSPF reporting.
A Security Operations Centre with SIEM integration collects and correlates logs from endpoints, identity systems, email, network and cloud environments. Analysts investigate and contain threats in real time, and all logging meets ISM requirements for retention period, integrity and access control.
A documented and tested Cyber Security Incident Response Plan (CSIRP) aligned to ASD guidance, with defined roles, communication trees, escalation paths and obligations under SOCI (where applicable) and the Notifiable Data Breaches scheme. Tabletop exercises conducted at least annually.
Citizen data classified in accordance with the Australian Government Information Security Classification System (OFFICIAL, OFFICIAL: Sensitive, PROTECTED) and hosted on HCF-certified infrastructure within Australian borders. Data at rest and in transit encrypted in line with ISM cryptographic controls.
A formal vendor security assessment process — covering cloud providers, managed service providers and software vendors — with contractual security requirements, periodic reviews and due diligence aligned to the SOCI CIRMP supply-chain hazard vector.
A designated security lead (CISO or equivalent), documented risk register, annual security strategy review, and board or executive committee visibility of the cyber risk posture. For smaller councils without a full-time CISO, a virtual CISO (vCISO) engagement provides this governance layer affordably.
Senior security leadership on a flexible engagement — covering ISM and PSPF compliance programmes, risk management frameworks, CIRMP development, PSPF annual self-assessment support and executive reporting. Ideal for agencies and councils without a full-time CISO.
24/7 threat detection and response with a Security Operations Centre. Log ingestion from endpoints, cloud, email and network layers, with retention and integrity controls aligned to ISM monitoring requirements. Real-time alerting and containment — not just reporting.
A structured, evidence-based programme to assess your current maturity across all eight strategies, identify gaps and implement remediations in priority order. Delivers the documented evidence required for PSPF Policy 10 annual reporting and prepares you for independent assessment.
Configuration of Microsoft 365 tenants — Exchange Online, Teams, SharePoint and Entra ID — aligned to ACSC hardening guidance and the Essential Eight. Includes conditional access policies, MFA enforcement, phishing-resistant authentication, DLP and sensitivity labelling for citizen data.
Proactive managed services covering endpoint management, patching cadences aligned to Essential Eight timelines, software asset management and network monitoring. A single accountable partner for IT and security, reducing vendor sprawl and simplifying governance.
Penetration testing, vulnerability assessments and ISM-aligned security reviews that produce findings in a format suitable for IRAP preparation, internal audit committees and senior leadership briefings. We help you understand your real risk — not just your theoretical one.
No. Cryptiq Cybersecurity is not an IRAP assessor and does not conduct formal IRAP assessments. We are ISM, PSPF and Essential Eight aligned, and we help your organisation prepare its environment, evidence and documentation so that an engagement with an accredited IRAP assessor proceeds smoothly. We can recommend accredited IRAP assessors appropriate to your system classification.
The PSPF and Essential Eight mandatory requirements apply specifically to non-corporate Commonwealth entities under the PGPA Act. Local councils are governed by state and territory legislation, not the PSPF directly. However, many state governments have adopted the Essential Eight as a baseline standard for all public-sector bodies under their jurisdiction, and the framework represents Australian best practice regardless of formal mandate. We recommend councils adopt Essential Eight Maturity Level 2 as a minimum benchmark, and we help them do exactly that.
Yes. If your organisation operates a critical infrastructure asset under one of the eleven SOCI sectors, we assist with developing your Critical Infrastructure Risk Management Programme (CIRMP), assessing cyber security hazards, establishing incident detection and reporting workflows to ASD's ACSC, and documenting the evidence required under the annual reporting obligation. All SOCI CIRMP grace periods have expired — these are live, enforceable obligations.
We advise on, and operate within, Australian data sovereignty requirements. Where cloud services are used, we guide clients through the Hosting Certification Framework tiers and recommend certified providers whose Australian regions hold relevant IRAP assessments. We do not route government client data offshore without explicit client authorisation and appropriate classification-level justification under the ISM.
Timelines vary with your current maturity, the size of your environment and available resourcing. In our experience, moving from an ad hoc or developing baseline to Maturity Level 2 across all eight strategies typically takes between four and twelve months for a mid-sized agency or council. We begin with a rapid gap assessment to give you a realistic roadmap and prioritise the controls that deliver the greatest risk reduction first.
Yes. Producing audit-ready evidence is a core part of how we deliver. We document control implementations, produce configuration screenshots, maintain version-controlled policies and generate summary reports formatted to support the PSPF annual self-assessment process and any subsequent review by the Department of Home Affairs or your internal audit function.
Book a no-obligation Essential Eight gap assessment and compliance review with Cryptiq's government-sector specialists. We will give you a clear picture of where you stand against ISM, PSPF and Essential Eight obligations, and a practical roadmap to close the gaps.