
Essential Eight Assessment & Uplift
for Australian Organisations

ACSC-aligned cyber resilience baseline. Independent maturity assessment by GRC advisors with SQEP service inside ISO 27001 certified scope — the people who design and assess controls, not the ones who only test them afterwards. Built for ML2/ML3 expectations from boards, regulators, insurers, and Defence primes.

ACSC Essential Eight · ML0–ML3 maturity uplift · GRC advisory · SQEP in ISO 27001 scope · Remote delivery from Singapore · CSP 2.0 MOU · APRA CPS 234 aware

Now serving: Australian Organisations (CSP 2.0 · Feb 2026 MOU)
Framework: ACSC Essential Eight ML0–ML3
Delivery: GRC advisory by SQEP within ISO 27001 certified scope
Regulatory readiness: APRA CPS 234 · SOCI · Audit-defensible evidence
Regional posture: SG primary · AU under CSP 2.0 MOU (Feb 2026)
AT A GLANCE

The Essential Eight is the Australian Cyber Security Centre (ACSC) baseline for protecting internet-connected IT networks against common cyber threats.

It defines eight prioritised mitigation strategies measured against four maturity levels (ML0 through ML3). Implementing and assessing those controls is governance, risk, and compliance (GRC) work — the discipline of designing, scoping, evidencing, and validating controls so they hold up in front of boards, regulators, insurers, and Defence primes. It is not penetration testing. A pentest can validate that a control works once it exists, but it cannot tell you which controls to design, how to scope them, or how to evidence them for an audit.

Infracom delivers ACSC-aligned Essential Eight assessment and uplift to Australian organisations as GRC advisory by Suitably Qualified and Experienced Personnel (SQEP) — consultants whose competence is not just claimed but audited annually inside our ISO 27001 certified scope. The result is a maturity statement whose evidence chain stands up to the people who will read it.

The Eight Mitigation Strategies

Eight controls developed by the Australian Signals Directorate from real-world cyber incident response, penetration testing, and threat intelligence. Together they form the most effective baseline against the cyber threats Australian organisations actually face.

01. Application Control

Only approved applications are allowed to execute. Prevents unapproved binaries, scripts, installers, and dynamic-link libraries from running — the highest-impact control against malware and ransomware.

Infracom delivery: Allowlist scoping, ruleset assessment, exception governance, monitoring uplift.

02. Patch Applications

Internet-facing applications and productivity software are patched within risk-based windows after vulnerability disclosure. Critical patches at ML2/ML3 require deployment within 48 hours where exploits exist.

Infracom delivery: Patch SLA review, vulnerability scan reconciliation, exception register audit.

03. Configure Microsoft Office Macro Settings

Macros from the internet are blocked. Macros are only allowed where there is a demonstrated business requirement, with antivirus scanning and admin approval workflows. Office macros remain a primary phishing-payload vector.

Infracom delivery: GPO/Intune policy review, macro source-of-truth inventory, exception lifecycle.

04. User Application Hardening

Web browsers and PDF readers are configured to block Flash, ads, Java, and unnecessary features that adversaries exploit. ML2/ML3 extends to PowerShell logging and .NET hardening.

Infracom delivery: Browser baseline review, ASR rule mapping, PowerShell Constrained Language Mode validation.
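The two controls above (03 macro settings and 04 PowerShell hardening) are policy-driven, so an assessor's first evidence source is the policy state on a sampled endpoint. The script below is an added example of such a read-only evidence capture; it is not Infracom's or the ACSC's own tooling. It assumes Office 2016 or later (policy keys under `Office\16.0`), uses the documented GPO-backed registry values `blockcontentexecutionfrominternet`, `vbawarnings` and `EnableScriptBlockLogging`, and the PASS/GAP labels are the script's own working-paper convention rather than ACSC scoring.

```powershell
# Added example (not the page's or Infracom's own tooling): read-only evidence
# capture for Essential Eight 03 (Office macro settings) and 04 (PowerShell
# hardening) on one Windows endpoint. Run it as the sampled user; it changes no
# configuration and only writes a CSV of findings for the working papers.
# Assumptions: Office 2016+ policy path (Office\16.0); PASS/GAP wording is ours.

$officeApps = 'Word', 'Excel', 'PowerPoint'

function Get-PolicyValue {
    param([string]$RelativePath, [string]$Name)
    # Office/Windows policy can land per-user or per-machine; check both hives.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key  = Join-Path $hive $RelativePath
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $hive; Value = $item.$Name }
        }
    }
    return $null   # value not delivered by policy in either hive
}

function New-Finding {
    param([string]$Control, [string]$Check, $Observed, [bool]$Pass)
    $obs = if ($null -eq $Observed) { '<not set>' } else { $Observed }
    $res = if ($Pass) { 'PASS' } else { 'GAP' }
    [pscustomobject]@{ Control = $Control; Check = $Check; Observed = $obs; Result = $res }
}

$findings = @()

# --- 03: Configure Microsoft Office Macro Settings -------------------------
foreach ($app in $officeApps) {
    $sec = "Software\Policies\Microsoft\Office\16.0\$app\Security"

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
    # Mark-of-the-Web, i.e. files that arrived from the internet.
    $motw = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
    $findings += New-Finding "03 Macro settings ($app)" 'Block macros from internet' `
        $motw.Value ($motw.Value -eq 1)

    # vbawarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable without notification.
    # 3 or 4 matches "allowed only with a demonstrated business requirement".
    $vba = Get-PolicyValue $sec 'vbawarnings'
    $findings += New-Finding "03 Macro settings ($app)" 'VBA macro notification policy' `
        $vba.Value ($vba.Value -in 3, 4)
}

# --- 04: User Application Hardening (PowerShell) ---------------------------
# Script block logging is the event-log evidence ML2/ML3 expects for PowerShell.
$sbl = Get-PolicyValue 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging'
$findings += New-Finding '04 App hardening' 'PowerShell script block logging' `
    $sbl.Value ($sbl.Value -eq 1)

# Language mode as seen by this very session; on a hardened standard-user
# workstation this should read ConstrainedLanguage, not FullLanguage.
$mode = $ExecutionContext.SessionState.LanguageMode
$findings += New-Finding '04 App hardening' 'PowerShell language mode' `
    $mode ($mode -eq 'ConstrainedLanguage')

$findings | Format-Table -AutoSize
# Retain the raw capture alongside the assessment working papers.
$findings | Export-Csv -Path ".\e8-endpoint-evidence-$env:COMPUTERNAME.csv" -NoTypeInformation
```

The script deliberately avoids creating .NET objects so that it still runs inside a Constrained Language Mode session, which is exactly where an assessor wants to run it: a GAP on the language-mode row captured from a standard-user session is itself evidence for control 04.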

05. Restrict Administrative Privileges

Privileged accounts are validated, time-bounded, separated from standard accounts, and used only on hardened administrative workstations. ML3 requires no internet, email, or web services access from privileged accounts.

Infracom delivery: Privileged-access lifecycle audit, jump-host review, PAM tooling alignment.

06. Patch Operating Systems

Operating systems on internet-facing servers, workstations, and network devices are patched within ACSC-defined windows. Unsupported OS versions are retired, and vulnerability scanners run on an automated cadence.

Infracom delivery: OS patch posture assessment, EOL inventory, scanner output reconciliation.

07. Multi-Factor Authentication

MFA is enforced for users of internet-facing services, third-party services holding sensitive data, and privileged accounts. ML2/ML3 increasingly favour phishing-resistant methods — passkeys, FIDO2/WebAuthn, hardware tokens.

Infracom delivery: MFA coverage gap analysis, phishing-resistance posture review, conditional-access policy validation.

08. Regular Backups

Backups of important data, software, and configuration settings are performed, retained, and tested for restoration. Retention aligned to business continuity needs. Restoration drills executed and evidenced.

Infracom delivery: Backup coverage assessment, restoration drill execution, immutability and air-gap validation.

Source: Australian Cyber Security Centre — Essential Eight (cyber.gov.au), November 2023 publication, the current standing version.

The Maturity Model — ML0 to ML3

Four maturity levels measure how effectively each of the eight controls is implemented. The levels reflect increasing adversary sophistication — from opportunistic attacks at ML1 to highly targeted, well-resourced threat actors at ML3.

ML0: Below baseline

Controls are missing, partially implemented, or ineffective. An organisation at ML0 has known exploitable weaknesses. This is not a defensible posture for any organisation handling regulated data or supplying Defence and critical infrastructure ecosystems.

Defends against: Nothing reliably.

ML1: Opportunistic adversaries

Defends against adversaries content with publicly available tradecraft. Basic application control, patching within defined windows, MFA on internet-facing services, and tested backups. The minimum credible baseline for any organisation with internet exposure.

Defends against: Commodity malware, mass phishing, opportunistic credential stuffing.

ML2: Targeted adversaries

Defends against adversaries willing to invest time and tooling to compromise a specific target. Tighter patch SLAs, broader MFA coverage, centralised event logging, and incident response planning. The expected standard for most Australian businesses handling sensitive data, Commonwealth contracts, or third-party trust obligations.

Defends against: Targeted phishing, credential harvesting campaigns, commodity ransomware operators.

ML3: Sophisticated adversaries

Defends against well-resourced, capable adversaries — including state-sponsored actors. Phishing-resistant MFA, application allowlisting validated under audit, isolation of privileged accounts from internet and email, and comprehensive event log correlation. Expected for Defence primes, critical infrastructure, and high-value targets.

Defends against: Advanced persistent threats, supply-chain compromise attempts, hands-on-keyboard targeted intrusions.

By 2026, regulators, cyber insurers, and supply chain partners increasingly expect ML2 or ML3 from organisations operating in Defence, government procurement, healthcare, financial services, and critical infrastructure ecosystems. ML0 and ML1 are no longer treated as acceptable for these sectors.

ASSESSMENT PATHS

Three Paths to Essential Eight Assessment

Three ways Infracom can engage on Essential Eight — chosen by what your board, your regulator, or your customer is actually asking for. All three are delivered as GRC advisory by SQEP within ISO 27001 certified scope. None of the three is a penetration test.

Path 1: Maturity Assessment

Independent point-in-time assessment of where you currently sit against ACSC ML0 to ML3 across all eight strategies. Evidence-based scoring, gap register, and prioritised uplift roadmap.

Best when: A board, insurer, or customer has asked for a current maturity statement with audit-defensible evidence.

Path 2: Gap Analysis & Roadmap

Assessment plus a costed, sequenced uplift plan from your current level to a target level (typically ML2 or ML3). Control design recommendations, governance structures, evidence templates, KPIs.

Best when: You know the target maturity level and need a defensible path and budget to get there.

Path 3: ML2 / ML3 Uplift Engagement

Full uplift advisory across all eight controls until target ML is achieved and demonstrably evidenced. Policy authoring, control implementation guidance, audit-ready evidence packs, ongoing oversight.

Best when: ML2 or ML3 is a regulatory, contractual, or insurer-driven obligation.

Whichever path you choose, the delivery model is the same: GRC advisory by Suitably Qualified and Experienced Personnel, with SQEP services explicitly within our ISO 27001 certified scope and audited annually. Penetration testing is not part of these paths; if technical control validation is needed, it is scoped and procured separately.

The Infracom Position

Why your board will accept Infracom's maturity statement

When an Australian board reads an Essential Eight maturity statement, the first thing they want to know — before the methodology, before the scores — is who signed it. They want a name and a credential stack their auditors recognise, their insurer accepts, and their procurement team can defend.

Infracom's signature carries that weight because of what stands behind it:

GRC advisory delivered by Suitably Qualified and Experienced Personnel (SQEP) — the discipline standard for the people who design, scope, and assess security controls. SQEP applies to advisory work; pentesting validates controls after they exist but does not design them.

SQEP service inside our ISO 27001 certified scope — competence audited annually, not just claimed in a marketing line.

Operating since 2008, trusted by Singapore Government, MAS-regulated banks, and CII operators — assurance bars higher than most Essential Eight engagements demand.

Independent maturity assessment, gap analysis, and ML2 or ML3 uplift delivered remotely from Singapore — no onsite footprint required for the advisory work.

Start with the form below. We'll come back with a scoping conversation, not a sales pitch.

How an Essential Eight Engagement Runs

A repeatable four-phase model. Each phase has defined inputs, activities, and outputs. Scope and timing flex with your environment size; the phases do not.

Phase 1: Discover

Scope confirmation, environment baseline, stakeholder identification. We agree what is in scope (workstations, servers, internet-facing services, third-party systems), what evidence sources are available, and which business stakeholders need to be involved. Outputs: scope statement, evidence checklist, assessment plan.

Phase 2: Assess

Control-by-control evaluation against the maturity model. Each of the eight strategies is examined for evidence of implementation, operating effectiveness, and coverage. Interviews, technical validation, configuration review, and sampling. Outputs: working papers, control maturity scoring, exception register.

Phase 3: Report

Findings, maturity rating, and prioritised uplift roadmap. A board-ready report with the uniform maturity rating, a per-strategy breakdown showing where the organisation sits on each control, gap analysis, and a prioritised remediation roadmap. Findings are evidenced — no opinion-only ratings. Outputs: assessment report, executive summary, remediation roadmap.

Phase 4: Uplift

Targeted remediation, control validation, ongoing maturity tracking. Working alongside your team to close the gaps identified in Phase 3 — policy updates, configuration changes, evidence collection cadences, control re-validation. Optional quarterly check-ins to track maturity trajectory between annual reassessments. Outputs: remediation evidence, re-tested control validation, uplift report.

Frequently asked

Common questions about Essential Eight

What Australian organisations commonly ask before engaging on Essential Eight — covering the relationship to penetration testing, the SQEP discipline, delivery from Singapore, timing, alignment with APRA CPS 234 and SOCI, and what day one of an engagement looks like.

Is Essential Eight assessment a penetration test?
No. Essential Eight assessment is governance, risk, and compliance (GRC) advisory work — the discipline of designing, scoping, evidencing, and validating controls so they hold up in front of boards, regulators, insurers, and Defence primes. A penetration test can validate that a specific control works once it exists, but it cannot tell you which controls to design, how to scope them, or how to evidence them for an audit. Pentesting is a useful complement after the control set is in place, but it does not substitute for SQEP advisory.
Why does it matter that your SQEP service is inside ISO 27001 certified scope?
Suitably Qualified and Experienced Personnel (SQEP) is the discipline standard for advisory consultants. Many firms claim SQEP in their marketing, but very few have it audited. Our SQEP service sits explicitly inside our ISO 27001 certified scope, which means an external certification body audits our consultant competence, training records, scoping discipline, and engagement methodology annually. When your auditor asks how we know Infracom's consultants are qualified to assess your controls, the answer is in a certified ISMS — not a marketing claim.
Can you deliver remotely from Singapore?
Yes. The advisory work — scoping, evidence review, control assessment, gap analysis, maturity rating, uplift roadmap — is delivered remotely from Singapore. We use the same secure delivery patterns we use for Singapore Government, MAS-regulated banks, and CII operators. For organisations whose policies require an onsite presence for specific phases (e.g. interviews with operational staff, data centre walkthroughs), those phases are scoped separately and arranged as needed.
How long does a typical Essential Eight engagement take?
Duration depends on the path chosen, the scope of systems, the target maturity level, and the readiness of existing evidence. A point-in-time maturity assessment is faster than a full uplift programme. We confirm timing during the Phase 1 Discover conversation against your specific environment rather than quoting a generic range that would not apply to your circumstances.
How does Essential Eight relate to APRA CPS 234, SOCI, and ISM?
The Essential Eight is the ACSC's prioritised baseline for protecting internet-connected IT networks. It sits inside the broader Australian regulatory landscape rather than replacing it. APRA CPS 234 requires regulated financial entities to maintain information security capability proportional to vulnerabilities and threats — Essential Eight maturity is one of the most defensible ways to demonstrate that. SOCI Act obligations for critical infrastructure operators include risk management programmes where Essential Eight maturity is commonly mapped as the technical control baseline. ISM is the wider information security manual that government entities and Defence supply chain organisations follow; Essential Eight is the foundational subset within ISM. Our advisory work maps your Essential Eight position to whichever of these frameworks apply to you.
What does engagement actually look like on day one?
A scoping conversation, not a sales pitch. We ask what is driving the engagement (a board ask, an insurer requirement, a customer or regulator question, a tender obligation), what systems are in scope, what evidence is already available, and what maturity level you are aiming for. From that conversation we produce a written scope, an evidence checklist, and a phased plan with the appropriate path (Maturity Assessment, Gap Analysis & Roadmap, or ML2/ML3 Uplift Engagement). No commitment is required until you have a written scope you are comfortable with.

Start Your Essential Eight Engagement

Tell us about your Essential Eight maturity needs — our consultants will respond within 1 business day with a tailored proposal.

Enquiry types: Maturity Assessment · Gap Analysis · ML2 Uplift · ML3 Uplift · APRA CPS 234 · SQEP Advisory · GRC Advisory

Office: 506 Chai Chee Lane, Singapore 469026
Certifications: CISSP · CISM · CISA · CRISC · CCSP · ISO 27001
Markets served: Singapore · Australia · Global
Response time: Within 1 business day (SGT / AEDT)
Confidentiality: All enquiries strictly confidential

Infracom Consultancy Integration Pte Ltd

Your one-stop IT & cybersecurity partner — Singapore HQ since 2008, expanding to Australia in 2026.

506 Chai Chee Lane

Singapore 469026

Consulting hours: Mon – Fri, 9AM – 6PM SGT

© Infracom Consultancy Integration Pte Ltd. All rights reserved.