• Your shield in Cyber Security

Author: editor

News

  1. Home
  2. News
  3. Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC
Uncategorized
30 Jan 2026

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

Introduction

As Principal of the Ionize GRC team and CISO, I spend a lot of time with colleagues across government who are simultaneously managing PSPF, ISM, Essential Eight, IRAP, DISP, portfolio-specific directions and an ever-growing backlog of projects. The Ionize GRC Maturity Model is designed to bring structure and coherence to that complexity.

In this paper, I outline how I would apply the model to assess your current position and shape a cybersecurity program that is coherent, defensible and genuinely fundable.

A Single Framework for a Very Noisy Environment

The Ionize GRC Maturity Model is structured as five levels that describe how a security and GRC capability matures over time:

  • Level 1 – Governance and policy foundation
  • Level 2 – Control implementation and documentation (including SSPs, IRPs, DR/BCP and procedures)
  • Level 3 – Risk management and gap remediation
  • Level 4 – Monitoring, audit and performance evaluation
  • Level 5 – Integrated GRC platform and continuous control monitoring.

Each Level is deliberately concrete. It is defined in terms of artefacts, roles, decision rights and behaviours, not abstract labels like “ad hoc” or “optimised”. It aligns to ISO 27001 and the reality of PSPF, ISM, Essential Eight and IRAP in the Australian Government context.

You can think of Levels 1–3 as building how you run security, Level 4 as proving it works overtime, and Level 5 as using platforms and automation to make it sustainable and visible.

Evaluating your current state with the model

To evaluate your current state, you treat those five levels as five lenses on the same security program – governance and policy, control implementation and documentation, risk management, assurance and monitoring, and integrated GRC and automation.

I recommend that you define a simple, consistent scale for each level. For example, from zero to three, where zero means not in place, one means ad hoc or inconsistent, two means defined and repeatable, and three means embedded and measured. You then run a structured assessment workshop with your direct reports and key stakeholders from governance, risk, architecture, SOC, operations, GRC and privacy, and work your way through the levels in turn. A detailed evaluation matrix is included at the end of this document.

Figure 2 Recommended Scale for Assessment

In the governance and policy level, you are evaluating the strength of your foundations. You examine whether there is a clearly defined ISMS and GRC scope aligned to PSPF and ISM obligations, whether roles and accountabilities are genuinely clear, whether security committees operate with meaningful charters, and whether your policy suite is consolidated, current and explicitly mapped to PSPF and ISM requirements. You also look for a single, maintained obligations register covering legislation, PSPF, ISM, Essential Eight, DISP and portfolio-specific directions, rather than tacit knowledge scattered across teams. The picture that emerges tells you how firm the ground floor really is.

Figure 3 Measuring your Foundations

In the control implementation and documentation level, the focus shifts from intent to practice. For your major systems, you assess the existence and quality of System Security Plans, incident response plans, disaster recovery and business continuity plans, and system operating procedures. You check whether these documents align with ISM expectations and the way systems are actually run, not just the way they were meant to be run when someone filled in a template three years ago. You review Essential Eight implementation against your stated target maturity levels and ask a simple question: how easily could we demonstrate control implementation and configuration to an IRAP assessor or an internal audit? This tells you whether your control environment is robust and evidence ready, or whether it relies on heroics and tribal knowledge.

In the risk management level, you look at how cyber risk is identified, analysed and tracked across the department. You examine whether there is a single, ISM aligned methodology that is used for projects, changes and enterprise risks; whether cyber risks appear coherently in the departmental risk register; and whether risk appetite and tolerance are articulated in a way that guides decisions, rather than just appearing in an annual report. You also check that Essential Eight and broader ISM gaps are captured as risks with explicit treatments, owners and timelines, rather than living only in technical reports. This shows you whether “risk-based” is a reality or a distant aspiration.

In the assurance and performance level, you evaluate your feedback loops. You examine how logging, detection and incident response line up with ACSC guidance and your own risk scenarios; how internal audits, control tests and Essential Eight spot checks are planned and executed; and how findings from IRAP, ACSC engagements and internal reviews are captured, prioritised and driven through to closure. You are looking for evidence that issues and weaknesses are managed within a disciplined assurance program, rather than treated as isolated fires.

Finally, in the integrated GRC and automation level, you look at how all of this is stitched together in systems and data. You determine whether there is a single system of record for risks, controls, obligations, incidents and audits; whether PSPF, ISM and Essential Eight reporting can be generated reliably from a common data set; and to what extent continuous control monitoring is in place for vulnerability management, logging coverage and Essential Eight telemetry. You also assess whether dashboards and reports based on that data are actively used by your executive and governance committees or produced solely for compliance.

When you pull this together ideally in a simple heatmap or narrative summary, you end up with a very clear picture level by level, where you are strong, where you are fragile, and where you are trying to operate at a higher level than your foundations support. That picture is far more useful than a standalone E8 score or PSPF rating.

Reconciling PSPF, ISM, Essential Eight and IRAP

Every Federal Government department is living with multiple forms of maturity reporting, PSPF self-assessments, Essential Eight maturity reporting to ACSC, ISM adoption expectations, IRAP reports on critical systems, and often portfolio specific requirements as well.

Figure 4- Level Assessment Heatmap

The Ionize model lets you do is put those reporting obligations into context.

If your Essential Eight maturity for patching and MFA is in stasis, you can ask whether that is truly a tooling problem, or whether it is hamstrung by weak standard baselines (Level 2), inconsistent risk prioritisation (Level 3) or the absence of meaningful metrics and ownership (Level 4). If your PSPF governance outcome is only “partially effective”, you can explicitly identify that as a Level 1 and 3 issue, rather than blaming tools or SOC processes in Level 4.

In other words, instead of having separate, sometimes contradictory scorecards, you have a single language for explaining why those scores look the way they do and what you intend to do to address the issues.

Turning diagnosis into a three-year roadmap

Once you have that level-by-level picture, the next step is to convert it into a roadmap.

I suggest that CISOs set realistic target levels by domain. You might decide that enterprise governance should reach Level 4 within three years, that high-risk or PROTECTED systems should target Levels 4–5, and that lower-risk business applications only need to solidify at Level 3. That immediately makes your program risk based and aligned with both ISM and Essential Eight guidance about tailoring controls to business criticality, rather than trying to do everything at once.

You then sequence initiatives according to dependency following a simple rule. Do not invest ahead of your level. If your governance is weak, fix that before rolling out a large GRC platform. If your controls are undocumented and inconsistent, address that before you invest into continuous monitoring. If you keep getting hammered in audits on the same themes, fix the underlying Level 2 and 3 issues rather than running more spot checks in Level 4.

From there, you group initiatives into a small number of streams within each level i.e. governance and policy consolidation, control and SSP standardisation, unified cyber risk framework and integration with enterprise risk, integrated assurance and Essential Eight validation, and then platform and automation once the foundations are in place. Each stream gets clear objectives, ownership, indicative timing and explicit links to your external obligations and internal pain points.

The result is a roadmap that reads logically upward through the levels, instead of a disconnected list of projects.

Figure 5 – Example High Level Roadmap

Embedding the levels in governance and reporting

The model really comes to the fore when you use it to reshape the way you report to the Secretary, the Executive Committee and the Audit and Risk Committee.

Rather than structuring your papers around technology silos (“network security”, “end-user computing”, “identity”, “projects”), you can frame them around the five levels. You provide a short narrative and a small set of indicators for each i.e. the health of your governance and policy baseline, the coverage and quality of your control documentation, the state of your cyber risk profile, the performance of assurance and monitoring, and the maturity of your integrated GRC and automation.

A set of carefully chosen measures under each level is usually enough. Examples could be the percentage of systems with current SSPs and IRPs, the proportion of high cyber risks with active treatment plans, the age and status of audit and IRAP findings, the spread of Essential Eight levels across key environments, the coverage of systems and controls in any GRC or monitoring platform.

Figure 6- Reporting on Capability Maturity

Presented this way, your program stops looking like a collection of technical initiatives and starts reflecting what it should be, the progressive construction of a resilient, auditable and transparent security capability.

Using the model with IRAP and ACSC

For systems heading toward IRAP assessment or increased ACSC scrutiny, the model helps you avoid wasting effort.

You can insist that any system be brought to at least a credible Level 3 with a clear governance context, documented controls and a coherent risk picture well before you send an IRAP assessor anywhere near it. Above that, you can aim to bring critical systems to Level 4 so that IRAP findings are naturally absorbed into your normal assurance and remediation machinery, instead of becoming separate, ad hoc workstreams every couple of years.

Similarly, you can take the inevitable shifts in Essential Eight guidance and maturity expectations and explain them through the levels. Which changes you must incorporate into Level 2 baselines, how they will be reflected in Level 3 risks and treatment plans, and how you will adjust Level 4 monitoring and validation to prevent regressions. That turns external assessments from surprises into inputs to your roadmap.

The value of the Ionize GRC Maturity Model for you as a CISO is that it gives you one coherent story that runs from where you are today to where you need to be. It lets you evaluate your current state in a structured, evidence-based way, to reconcile PSPF, ISM, Essential Eight and IRAP into a single picture, and then translate that picture into a practical, three-year roadmap that builds upwards through the levels. It gives you a clear, repeatable frame for how you talk about security with your Executive, and a disciplined way to turn IRAP and ACSC demands into planned work rather than constant disruption. Rather than a diagram on a slide the model becomes the organising logic for a security program that is risk-based, auditable and sustainable within the Federal Government context.

GRC Maturity Model Assessment

How to use the Matrix

  1. Pick the scope – whole department, or a specific environment (e.g. PROTECTED systems).
  2. For each row, ask your stakeholders which description (0–3) best matches reality today.
  3. Capture evidence or examples as you go (systems, documents, reports, incidents).
  4. Roll up scores per level (average or median) to see where you’re strongest and weakest.

Use the result to:

  • Build a heatmap (levels vs criteria).
  • Prioritise initiatives (e.g. fix Level 1/2 gaps before chasing Level 5 tooling).
  • Explain to your Secretary and ARC why PSPF / ISM / E8 / IRAP outcomes look the way they do.

The Scoring Scale

Use the same scale for every row:

  • 0 – Not in place
    No consistent approach; nothing formal, or only in pockets.
  • 1 – Ad hoc / Fragmented
    Some practices exist but are inconsistent, person-dependent, or undocumented.
  • 2 – Defined / Repeatable
    Documented, approved and used in most relevant areas; not yet fully measured or optimised.
  • 3 – Embedded / Measured
    Widely adopted, routinely measured, continually improved; survives staff turnover and audit scrutiny.

Level 1 – Governance and Policy Foundation

Criterion 0 – Not in place 1 – Ad hoc / Fragmented 2 – Defined / Repeatable 3 – Embedded / Measured
ISMS / security scope and context No clear statement of security scope; obligations and environments are implied, not written down. Some scope statements exist (e.g. for individual systems), but they are incomplete, out of date or not used in decision-making. ISMS / security scope is documented, approved and aligned with PSPF/ISM; used for audits and major decisions. Scope is routinely reviewed, updated for organisational change and referenced in governance, risk and project processes.
Roles, accountability and committees No defined CISO/CSO role or security governance structure; responsibilities are unclear. Roles exist on paper and committees meet, but accountability gaps and overlaps are common. Security roles, responsibilities and committees are defined, chartered and mostly followed in practice. Roles and committees operate as designed; decisions, escalations and reporting are consistent and evidenced.
Policy framework and obligations register Policies are missing, obsolete or scattered; no single view of obligations. Mix of old and new policies; some alignment to PSPF/ISM/E8 but no authoritative register. Consolidated security policy suite and obligations register exist, mapped to PSPF, ISM, E8 and key legislation. Policies and obligations are kept current through a regular review cycle and used actively in risk, audit and project processes.

Typical deliverables for a government security program at Level 1

  • ISMS Scope Statement / System Boundary Diagram (text + architecture diagram).
  • Information Security Policy (approved by executive) and associated policy register.
  • Compliance Obligations Register (PSPF, ISM, Privacy Act, DISP mapping).
  • Roles and Responsibilities Matrix (RACI) for security functions.
  • Security Governance Charter / Terms of Reference for governance committees.
  • Risk Management Framework & Risk Appetite Statement (methodology, scales, treatment options).
  • Policy Review Schedule and Policy Owner Registry.
  • Executive Briefing Pack (initial) outlining current posture, top risks, and required decisions/resourcing.

Level 2 – Control Implementation and Documentation

Criterion 0 – Not in place 1 – Ad hoc / Fragmented 2 – Defined / Repeatable 3 – Embedded / Measured
System Security Plans (SSPs) and system documentation SSPs and similar artefacts are largely absent or exist only for a few systems. SSPs exist for some priority systems but are incomplete, outdated or inconsistent in structure and quality. SSPs exist for all in-scope systems at required classifications, using a consistent template aligned to ISM. SSPs are current, drive implementation decisions and are routinely used in IRAP, audit and change processes.
IRP / DR / BCP and playbooks Incident response and recovery are informal; no documented processes or only high-level statements. Some plans exist (e.g. cyber-IRP or DR) but they are not regularly tested or widely understood. Documented IRP, DR and BCP plans exist, tested periodically with lessons incorporated for major systems. Plans are integrated with enterprise crisis management; exercises are regular and drive continuous improvement.
Essential Eight and baseline controls No coherent view of Essential Eight; implementation is opportunistic. Some strategies are implemented (e.g. patching, AV) but maturity is inconsistent across environments. Target maturity levels are defined; baselines and build patterns exist and are applied to most in-scope systems. Essential Eight is monitored, exceptions are formally managed, and maturity levels are sustained or improving across the estate.

Typical deliverables for a government security program at Level 2

  • ISM Annex A — control list with implementation status and rationale.
  • System Security Plan (SSP) — full system-level control descriptions and implementation evidence.
  • Control Implementation Matrix — mapping controls → procedures → evidence → owners.
  • Operational SOPs and Runbooks — patching, backups, access provisioning, change control.
  • Configuration Baselines & Hardening Guides — standard images and hardening scripts.
  • Logging & Monitoring Implementation Document — SIEM data sources, retention, alerting rules.
  • Supplier / Third-Party Control Evidence Pack — cloud provider attestations, vendor SOC reports, contractual security clauses.
  • Statement of Residual Risk / Exceptions Register — documented, approved exceptions with compensating controls.

Level 3 – Security Risk Management and Gap Remediation

Criterion 0 – Not in place 1 – Ad hoc / Fragmented 2 – Defined / Repeatable 3 – Embedded / Measured
Cyber risk methodology and integration with ERM No consistent cyber risk method: risks are described inconsistently or only in technical language. A method exists but is used inconsistently; cyber risks are partially represented in the enterprise risk register. A documented, ISM-aligned cyber risk methodology is used for projects, systems and enterprise risks; cyber risk is integrated with ERM. Risk criteria, appetite and tolerance are actively used in decisions; cyber risk is regularly discussed at executive and ARC level.
System- and project-level risk assessments Risk assessments are rare or only done for major procurements. Some systems and projects undergo assessments, but coverage and quality are inconsistent. Key systems and projects have recorded risk assessments, with treatments linked to control implementation. Risk assessments are systematic, kept current and drive prioritisation of remediation and funding decisions.
Gap management and remediation (ISM / E8 / IRAP) Gaps are known informally but not tracked; remediation is reactive and uncoordinated. There are lists of findings and issues, but ownership, timelines and status are opaque. Gaps from audits, IRAP and E8 assessments are tracked in a register with assigned owners and due dates. Gaps are prioritised by risk, tracked to closure, and trend information is used to refine controls and strategy.

Typical deliverables for a government security program at Level 3

  • Security Risk Management Plan (SRMP) — governance, methodology, roles.
  • System-level Risk Register — scored risks, residual risk after controls.
  • Enterprise Risk Register — aggregated strategic risks and trends.
  • POA&M / Remediation Backlog — prioritised actions, owners, timelines.
  • Risk Treatment Worksheets — decision records & executive approvals for accepted risks.
  • Remediation Project Charters — for major uplift efforts (e.g., patching sprint, privileged access overhaul).
  • Supplier Risk Assessments — for critical vendors with remediation plans.
  • Evidence of Risk Reduction — after remediation: test results, configuration snapshots, updated control attestations

Level 4 – Monitoring, Audit and Performance Evaluation

Criterion 0 – Not in place 1 – Ad hoc / Fragmented 2 – Defined / Repeatable 3 – Embedded / Measured
Logging, monitoring and incident handling Limited logging and monitoring; incident detection and handling are mostly manual and ad hoc. Some centralised logging or SOC function exists, but coverage is patchy, and playbooks are inconsistent. Logging, monitoring and incident response are defined for key systems and aligned to ACSC and ISM expectations. Detection and response are measured, tuned and regularly tested; coverage is deliberate and driven by risk.
Internal audit and control testing Internal audit rarely touches cyber; no structured control testing program. Audits occur but scope is opportunistic, and findings are addressed on a best-effort basis. A planned audit and control testing program exists, covering key control domains and high-risk systems. Audit and testing results are integrated with risk and remediation processes; themes drive structural improvements.
Metrics, KPIs and reporting Minimal or purely technical metrics; little linkage to risk or obligations. Some metrics exist (e.g. incidents, vulnerabilities) but they are not consistently reported or trusted. A defined set of KPIs/KRIs covers key aspects of governance, risk, controls and incidents; reported regularly to governance forums. Metrics are accurate, automated where possible and drive decisions, prioritisation and resource allocation.

Typical deliverables for a government security program at Level 4

  • Security monitoring and incidents
    • Security monitoring / SOC plan (scope, log sources, retention, responsibilities)
    • SOC runbooks and incident playbooks
    • Evidence of centralised logging and monitoring coverage
    • Security incident register and significant incident PIRs / lessons learned
    • Regular vulnerability and patch management reports and exceptions register
  • Audit, review and control testing
    • Annual cyber / internal audit and assurance plan (ISM / PSPF aligned)
    • Completed internal audit and IRAP reports with agreed actions
    • Control testing evidence (access reviews, config checks, E8 validation, etc.)
    • Consolidated register of findings / non-conformities with owners and due dates
  • Performance, risk and governance reporting
    • Routine security governance packs for the Exec Committee / ARC (ISM, PSPF, E8, IRAP status)
    • Cyber risk dashboard linked to enterprise risk register
    • Defined and tracked KPIs/KRIs (incidents, vuln SLAs, findings age, etc.)
    • Governance minutes showing decisions, risk acceptance and reprioritisation
  • Continuous improvement
    • Corrective action / continuous improvement register
    • Exercise plans and post-exercise reports (cyber, BCP/DR)
    • Updated policies, standards and procedures driven by findings and lessons learned

Level 5 – Integrated GRC Platform and Continuous Control Monitoring

Criterion 0 – Not in place 1 – Ad hoc / Fragmented 2 – Defined / Repeatable 3 – Embedded / Measured
System of record for risks, controls and obligations Information is spread across spreadsheets, documents and inboxes; no single source of truth. A GRC or similar tool exists but only supports a narrow use case (e.g. incidents or risks) and is poorly adopted. A core GRC platform is implemented for selected domains (risks, controls, obligations, audits), with agreed data structures. The platform is the accepted source of truth across domains; data quality is managed, and the tool is integrated with other systems.
Automation and integrations (e.g. E8, vuln, logs) No automated feeds: data is entered manually and infrequently. Some integrations or imports exist but are one-off or unreliable. Key telemetry (vulnerabilities, asset inventories, some E8 metrics) is fed into the platform regularly. Continuous control monitoring is in place for priority controls; automated data drives dashboards and alerts used by management.
Executive dashboards and decision support Executives receive ad hoc or highly technical reports that are hard to interpret. Some dashboards exist but focus on tools or technology, not risk and obligations. Regular dashboards present PSPF/ISM/E8 posture, risks and trends in business language to Executive Committee and ARC. Dashboards are trusted and routinely used to make decisions, set priorities and support external reporting.

Typical deliverables for a government security program at Level 1

  • GRC platform as system of record
    • Configured GRC platform with agreed data model for risks, controls, obligations, incidents, audits
    • On-boarded systems, registers and workflows (risk, issue, findings, exceptions, approvals)
    • Data quality rules and ownership defined (stewards, reconciliations, completeness checks)
  • Integrations and data feeds
    • Automated feeds from vulnerability scanners, asset inventories, identity systems, ticketing tools, SIEM/SOC
    • Integration with enterprise risk, project/portfolio and HR systems where relevant
  • Continuous control monitoring (CCM)
    • Defined CCM use cases and mapped controls (e.g. E8, privileged access, patch SLAs, logging coverage)
    • Automated control checks with thresholds, alerts and exception workflows
    • CCM result dashboards showing pass/fail trends and coverage across systems
  • Executive dashboards and decision support
    • Role-based dashboards for CISO, Executive Committee and ARC (PSPF/ISM/E8 posture, risks, incidents, findings, trends)
    • Regular use of these dashboards in governance forums, with decisions and actions recorded
  • Reporting and external alignment
    • Standardised, repeatable reports for PSPF, ACSC / Essential Eight, IRAP remediation tracking and portfolio bodies
  • Automation and workflow
    • Automated routing of incidents, findings, exceptions and approvals to the right owners
    • Reminder and escalation workflows for overdue risks, actions and attestations
    • Periodic policy / control attestations executed and recorded through the platform

For further information or a (no obligation) briefing on our GRC service offering and capability, please contact Ionize at sales@ionize.com.au  

END

Categories

Top Articles

Cyber language – a high level guide to understanding common jargon in Defensive Services

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Ionize 2025 Cyber Security Update

Beyond Technology

Discover Your Perfect Security Fit

Our Services
Cyber language - a high level guide to understanding common jargon in Defensive Services

Stay Up to Date

Latest News

View All

News

  1. Home
  2. News
  3. Cyber language – a high level guide to understanding common jargon in Defensive Services
For Industry
23 Jun 2025

Cyber language – a high level guide to understanding common jargon in Defensive Services

Cyber security is laden with jargon and terminology, often understood only by a handful of professionals and experts. With the intense interest in cyber security over the past few years, we have seen a corresponding increase in the introduction of and therefore misinterpretation of commonly used security terms.

This is particularly cumbersome is in the Security Operations or Defensive Services domain.  We recognise this challenge at Ionize, so we have built a common lexicon for consumers and providers alike to speak the same language, improve clarity, and reduce ambiguity.

We have found people are using terms such as MDR, SOC, SIEM interchangeably. This makes discussing, planning and aligning a cyber capability uplift difficult.  The development and promulgation of a common cyber language can help to alleviate confusion.

Managed Detection and Response (MDR) describes the final service that is delivered. We refer to managed because it is a managed service, delivered by a skilled and experienced cyber security service provider. The references to detection and response aligns with the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) domains that the service covers.

This term is often used interchangeably with SOC, SIEM, SOC as a Service (SOCaaS) or SIEMaaS.

A Security Operations Centre (SOC) is the physical facility from which the service is delivered.  But why are we talking about a physical facility in the age of work from home? This is because some clients have strict security requirements for the management of their information and systems. These strict security requirements do not preclude SOC analysts and engineers working from home; they just require a secure solution to access the MDR related infrastructure. Ionize maintains a PROTECTED SOC facility to meet Australian government security requirements. However, not all clients require this.  The Ionize SOC operates 24x7x365 with a true “eyes-on-glass” service where our analysts monitor activity for our clients on a continuous basis. Learn more here.

Endpoint Detection Response (EDR) software resides in the desktops, laptops and servers, which are designed to detect, facilitate, and ultimately prevent a cyber security event—often referred to as a breach. EDR is great when you can identify and control the endpoints in your network. If that is not the case, then EDR may not help you achieve your cyber security objectives.

Network Detection Response (NDR) is hardware/software that monitors network traffic, detects, and prevents malicious activity passing through the network. NDR is great when you are unable to identify or control the endpoints in your network.

Extended Detection Response (XDR) software is the natural adaptation of EDR into a cloud first world, with a focus on Response. Most modern networks are hollowed out of infrastructure with most functionality residing  in cloud services (e.g., M365, Google Workspace, etc). This means that the endpoint has extended into the cloud and interactions with these services are included in the detection and response. The XDR tools also provide greater incident response capability through improved workflows. This is a response to the increase in network compromises and the effort required by security analysts to respond to them.

Security Incident and Event Management (SIEM) software is a log/event collection, search, and correlation capability. SIEM technology emerged in response to the growing size and complexity of networks, and the growing need to trace and compare results across system logs.

Contrary to popular belief, a SIEM is not required for an MDR service. It helps, but an MDR service refers to the function performed, not the tools used. A SIEM will certainly help improve the quality and coverage of an MDR service but ultimately is not required.

Security Orchestration and Automated Response (SOAR) technology is, again, a natural and evolutionary response to the increase in cyber threats and compromises. A SOAR capability is configured to detect a malicious activity and automatically respond or orchestrate a response to the activity. Increasingly, the line between SIEM and SOAR is blurred as SIEM technology incorporates SOAR capabilities.

Summary

This piece provides an initial high-level overview of the use of common jargon, and what they mean in some detail.  A follow-up piece will be developed addressing the name of the tech, what it does, common use cases, and leading vendors of that tech. Stay tuned.

For comments and questions, drop us an email at info@ionize.com.au

Follow us on LinkedIn for weekly insights: https://www.linkedin.com/company/ionize

Categories

Top Articles

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Ionize 2025 Cyber Security Update

Beyond Technology

Discover Your Perfect Security Fit

Our Services
ISO 27001 Compliance: The 2025 Deadline and What You Need to Know
Building a Defensible Security Roadmap with the Ionize GRC Maturity Model - by Ionize GRC

Stay Up to Date

Latest News

View All

News

  1. Home
  2. News
  3. ISO 27001 Compliance: The 2025 Deadline and What You Need to Know
For Industry
20 May 2025

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

ISO27001 is a global standard for Information Security Management Systems (ISMS) that offers a framework for managing an organisation’s information assets. Published by the International Organization for Standardization (ISO), it aims to ensure the confidentiality, integrity, and availability of information within your organisation.

In 2022, ISO updated the framework from the 2013 version, setting a crucial deadline for compliance by October 31, 2025. If your organisation is accredited under the 2013 version, here’s a heads-up! You have just four months left to update, assess, and re-accredit to the new standard before your current certification expires.

Why the Change?

The reason for the update is straightforward. As more businesses adopt digital platforms and services, the threats to information security have increased. To better reflect current business practices, ISO has streamlined the compliance guidelines and expanded on risk management and organisational operations.

Key Changes

Here are the main updates:

  • Streamlined Control Areas: The framework now groups controls into four main areas instead of the previous 14:
    • People
    • Organisational
    • Physical
    • Technological
  • Reduced Number of Controls: The number of controls has been reduced from 114 to 93. However, many controls have been merged or altered, and 11 new controls have been added.
  • New Attributes: The framework now includes attributes to better align with modern terminology, such as:
    • Control type
    • Information security properties
    • Cybersecurity concepts
    • Operational capabilities
    • Security domains

What Do You Need to Do?

Updating to the new standard involves revisiting your policies and procedures. If you already have ISO27001:2013 accreditation, you’re familiar with the process. Here’s a broad outline of what you need to do:

  1. Gap Analysis: Compare the new requirements with your current implementation to identify areas that need updating.
  2. Update Policies: Revise your policies to align with the new terminology and classifications.
  3. Implement Controls: Add the required controls, document them, and ensure your evidence-gathering processes are robust.
  4. Communicate Changes: Inform all staff who interact with the ISMS about the updates to ensure continuous improvement.

Next Steps

After making the necessary updates, conduct an internal audit to verify compliance. This is a critical step before coordinating with an external auditor for certification assessment. An internal audit helps demonstrate that continuous improvement processes are in place.

If you have checked all the boxes, you are ready to schedule an external audit to achieve ISO27001:2022 compliance!

However, if you need assistance with your internal audit or need to update your policies and procedures and need expert help, we are here to assist. Whether you’re new to ISO27001 or looking to update your accreditation, Ionize can help guide you through the process.

Categories

Top Articles

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

Cyber language – a high level guide to understanding common jargon in Defensive Services

Ionize 2025 Cyber Security Update

Beyond Technology

Discover Your Perfect Security Fit

Our Services
Ionize 2025 Cyber Security Update
Cyber language - a high level guide to understanding common jargon in Defensive Services

Stay Up to Date

Latest News

View All

News

  1. Home
  2. News
  3. Ionize 2025 Cyber Security Update
Cyber Security
09 Jan 2025

Ionize 2025 Cyber Security Update

Welcome to 2025!

2024 was a busy year in the cyber realm, with 2025 already shaping up to be more of the same.  With that in mind, Ionize is pleased to provide this overview of key cyber developments as 2025 begins.

Some of the key changes in the legislative and regulatory landscape that were paved in 2024 and will dominate 2025 include:

  • Cyber Security Act 2024 – This legislation introduced several key measures requiring action, including:
  • Privacy Act amendments introduced stricter data protection measures, including:
    • a Statutory tort for serious invasions of privacy where the conduct was intentional or reckless;
    • the introduction of a criminal offence for doxing; and
    • eligible data breach declarations and information sharing.
  • For organisations operating critical infrastructure, there were Security of Critical Infrastructure Act amendments which broadened the definition of critical infrastructure to include data storage systems tied to critical assets. This expanded the Government’s ability to intervene during severe incidents to:
    • increase Government powers to manage the consequences of incidents;
    • enable Government to direct entities to address serious deficiencies in their risk management programs; and
    • simplify information sharing across industry and Government.
  • For organisations servicing Australian Government, the Australian Government Information Security Manual (ISM) changes in December 2024 focused on:
    • maintaining an organisational system register;
    • handling malicious software safely;
    • expanding security controls to non-classified systems;
    • expanding logging and monitoring requirements; and
    • updates to cryptographic algorithms and key sizes.
  • Further to the ISM changes, the Protective Security Policy Framework changes were released on 1 November 2024:
    • The most significant change to the PSPF is the move away from Maturity Levels back to a compliance-based framework, changing recommended guidance to mandatory compliance activities; and
    • The number of policies has been expanded from 16 to 25 and the number of controls from 60 to 211. However, rather than a significant expansion of responsibilities, controls and requirements, certain domains and policies have been split to enhance clarity and to refine compliance activities.
  • For organisations servicing Defence, the Defence Industry Security Program (DISP) flagged changes to uplift the requirement for Essential 8 Maturity Level 1, to Maturity Level 2. These changes require a significant technology and process uplift.

In the operational cyber context, Australia continues to be targeted by very active issue motivated cyber threats groups such as RipperSec, DXPLOIT and many others. Further to this, Australia (through the ACSC) and our other 5-eyes partners attributed supply chain and living off the land cyber-attacks to Russia and the PRC respectively, indicating a growing concern about coordinated cyber-attacks against Australian interests and Western democracies more broadly.  During 2024 the Ionize Hunting Analysis and Warning Centre (HAWC), through our 24×7 eyes on glass monitoring, provided frequent unsolicited notifications to clients and partners of threat actor activities and their criminal intentions to harm.

We have seen the most common cyber-attack methods continue to be compromised account credentials for both government and critical infrastructure organisations, while email compromise was the most common attack vector for business. HAWC has observed the constant evolution of phishing vectors and techniques to be the initial point of compromise, whether through direct code execution or theft of credentials.

The self-reported cost of cybercrime for 2024 was:

  • small business: $49,600
  • medium business: $62,800
  • large business: $63,600.

Ionize’s incident response experience indicates that these numbers are understated and probably only represent the direct response action to the incidents, not the ongoing remedial actions required which are often significantly higher.

In short, the legislative and regulatory environment is responding to the increasing cyber threat level, requiring organisations to uplift their cyber resilience and pave the way for the Federal Government’s to intervene when required. Addressing the legislative, regulatory and operational cyber controls has now become the base cost of doing business.

Please contact us if you’d like to discuss any aspect of these changes in the cyber domain. Our team would be pleased to delve deeper into those facets and issues that are of most concern to your organisation and what clear actions can be taken to reduce the risk of a cyber incident.

We look forward to supporting you through 2025 and beyond.

Categories

Top Articles

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

Cyber language – a high level guide to understanding common jargon in Defensive Services

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Beyond Technology

Discover Your Perfect Security Fit

Our Services
Ionize Partnership with Paralympics Australia
ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Stay Up to Date

Latest News

View All

News

  1. Home
  2. News
  3. Ionize Partnership with Paralympics Australia
Cyber Security
15 Nov 2024

Ionize Partnership with Paralympics Australia

Paralympics Australia Partners With Top Cyber Security Firm

Paralympics Australia and cyber security provider Ionize have announced a new partnership that will provide Paralympics Australia with the best possible protection from online attack.

The Canberra-headquartered security provider, which delivers operational, testing and consultancy services, adds to Paralympic Australia’s partner suite as an Official Supporter.

Paralympics Australia CEO (interim) Cameron Murray said his organisation held personal, professional and corporate data that required optimal safeguarding.

“We are extremely conscious of the need to secure our corporate data and information and to protect our athletes and other supporters from the threat of a cyber-attack or data breach,” Mr Murray said.

“We want all our athletes, stakeholders, donors and others to know that our organisation takes the protection of their information very seriously and we will do whatever we can to minimise the chances of a breach.

“We are reassured with Ionize behind us, not only because of their around-the-clock monitoring of threats, but also their ongoing support to ensure compliance with key cyber security frameworks.”

Ionize already supports Paralympics Australia with regular desktop-based scenario training and effective response planning.

“This partnership provides Paralympics Australia with peace of mind, knowing our online environment and that of our athletes is being constantly monitored against cyber threats and those who may wish to do us harm,” Mr Murray said.

“We look forward to working with Ionize over the coming years continuing to build our cyber security capability and procedures.”

CEO and Founder of Ionize Andrew Muller is delighted by this new partnership and the trust placed in Ionize to keep Paralympics Australia cyber safe.

“Every day we see a broad range of cyber criminals attempt to steal data and information from organisations around Australia, and in many cases these attempts are successful.  As we have all seen, a successful data breach can cause great pain to everyday Australians and do significant damage to the reputation of the organisations these criminal’s breach.”

Mr Muller went on to say “this new partnership with Paralympics Australia enables Ionize to deploy our highly skilled cyber security professionals and the state-of-the-art technology they use to monitor and protect Paralympics Australia, our exceptional paralympic athletes and their supporters around the clock.  Our sovereign capability, our exceptional team and our values-based approach to cyber security now places Paralympics Australia in safe hands where Ionize will always have their back.”

Ionize is the Official Cyber Security Provider to Paralympics Australia and Official Cyber Security Supporter of the 2024/2026 Australian Paralympic Team.

Categories

Top Articles

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

Cyber language – a high level guide to understanding common jargon in Defensive Services

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Beyond Technology

Discover Your Perfect Security Fit

Our Services
Cloud Misconfigurations
Ionize 2025 Cyber Security Update

Stay Up to Date

Latest News

View All

News

  1. Home
  2. News
  3. Cloud Misconfigurations
For the Techs
16 Aug 2024

Cloud Misconfigurations

Cloud Misconfigurations – by Ionize Senior Penetration tester, Geoffrey Macleod

The cloud is heavily integrated into, if not the sole provider for, almost all services consumed on the internet today. This post briefly covers the current cloud marketplace background, and then looks at some of the red team tooling used, including an occasional meme and pop culture reference to take the edge off what may be a boring topic.

In true consultancy form, there are some remediations and recommendations to take away from this as well.

This blog is loosely structured to be broad initially, stating many well-known or accepted observations and anecdotes, becoming more technical as it progresses.

Don’t be concerned to leave off at any point, or skip to the parts further down, it is almost certain that one half has your type of content, the other doesn’t and the impact of reading only half is very low.

Die Wolke (The Cloud)

This is the cloud, there are many like it, but this one is not yours, it’s everyone’s and it’s everywhere. Without the cloud you are useless, you must use the cloud. You must use it better than your adversary who is trying to breach you. You must secure it before they hack you.

If life imitates art, does that mean something bad is coming for Gunnery Sergeant Microsoft? Microsoft Cloud revenue in 2023 was over $111 US billion, accounting for more than 50% of their total revenue for 2023 and a 22% increase from FY 202212. The recruits (clients) are not about to exit the cloud due to security concerns; the cloud is here to stay.

Cloud tenancies, be it Microsoft, AWS, or Google, have several baseline controls around users for security that are considered a ‘must’. These are simple at first look but grow considerably more complex as you implement controls. The larger the organizational structure, the harder it is to maintain a secure posture. Least privilege is an example of this, for a few users its simple, but in a large complex organization the privilege creep is real and trying to constrain privileges scales poorly.

The effort required to create, maintain, and enforce a policy for least privilege is significant. Frequently auditing user accounts and related privileges at scale may only be possible with automated tools. Failing to ensure users only have required privileges assigned to relevant accounts quite often leads to breaches that have significant impact.

Microsoft’s experience with Midnight Blizzard in Late 2023, early 2024 shows exactly that5. This breach was due to ‘a legacy non-production test tenant account’ but the account had permissions to somehow access ‘a very small percentage of Microsoft corporate email accounts’ which included a seemingly large number of departments from senior leadership, cybersecurity, legal and more.

The test account which should have no ability to access production, led to a significant problem due to the privileges assigned to that account. What other accounts or assets are languishing, forgotten by policy or ignored because they are ‘DMZ’, ‘test’ or otherwise.

One of the first rules of security is to know what you have in the way of assets. This used to be based on purchased hardware and software, a relatively direct equation. From this asset and inventory, you could work out what you had to manage, patch and update. With cloud tenancies there is a wider range of intangible items, software, applications, configuration, storage.

Remember when the default for S3 was open buckets? It was only set to default-block for new buckets in April 20231. Prior to this, S3 buckets with private files (based on sensitivity of content and expectation of user) but unfortunately set to public access, routinely appeared in the news headlines as the source of a data breach.

Configuration options for cloud are intended to make materials sharable, collaborative, and accessible to select parties. The likelihood of misconfiguring a multi-Tenant environment or a SharePoint Online site resulting in a data spill is not low.

Guides such as the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark2 and tools such as the Cybersecurity and Infrastructure Security Agency (CISA) Secure Cloud Business Applications (SCuBA)3 are good to get a handle on the current best practices and to help you and your organization conduct an audit for security controls against your Microsoft tenancy. These documents establish standards and can help to produce reports. The CISA SCuBA tool, can be run with credentials of a Microsoft Tenancy, and produce a report in an HTML formatted output, which also provides hyper-links to details for each of the controls it reports against. This can be used effectively and quickly, to assess the standing of your tenancy.

Some of those highlighted configurations, if found to be in a lax state, are worth taking time to correct urgently.

  • Legacy Authentication
  • MFA options for privileged users
  • Teams external contacts
  • Highly Privileged User Access
  • Consent to Applications

This user environment is only part of the picture when it comes to cloud breaches. Other services are used to store data but are not a direct user resource, such as Amazon Web Services (AWS) S3 buckets, Microsoft’s Azure Blob Storage and Google Cloud storage. These organizations have a market share of 32% for AWS, 23% for Azure and 10% for Google, the remainder being other companies, based on 2022 research4. The data stored in these locations also forms a type of asset that requires inventory and maintenance.

Who has access to these platforms, the storage buckets, the tenancies, applications, who’s account has privileges that let them do actions that may be more than they need and how do you find and fix these things?

A Penetration Testers Perspective:

Figure 1.  Team Scoping Meeting

“Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources.”

An increasing number of cloud penetration test tools, rely on Microsoft Graph API. A recent release of a Command and Control (C2) tool, created by the USA based company Red Siege, backed their reasoning for creating the tool off the number of threat actors using the Graph API, a sound rationalisation. The tool is called GraphStrike and is available on GitHub. This extends on the C2 tool Cobalt Strike, by creating an HTTPS beacon over the Microsoft Graph API. This fits in as a post-compromise activity, once a user credential set has been breached, an attacker will go about setting up C2 communications, creating persistence mechanisms and gaining additional privileges. The GraphStrike tool sends data out from a compromised host over to graph.microsoft.com before being forwarded to the C2 server which is controlled by the attacker and issues the command and control. The advantage of doing this, is that a Microsoft subdomain looks far more trustworthy than a strange subdomain communicating at suspicious frequency periods. You are logging and analysing your traffic for strange things, correct?

The privileges attached to an account, even a basic users account, are critically important for an attacker to identify, the aim for more persistent threats being to establish C2. Equally it is therefore important for an organization to have a clear view on privileges in an environment. Often your ability to control account privileges in a large enterprise comes from having strong, clearly defined policy, implemented when an account is created and any time a change is made to an account. This should include clear offboarding steps for users when they depart.

A legacy authentication (No MFA) accessible account with no active user to report suspicious system behaviour would be very attractive to any attacker as an initial access vector. Once on this dormant account the attacker may use a tool such as GraphRunner, another tool freely available on GitHub, created by Black Hills Information Security. This tool is not a C2 related product but is a post-exploitation tool.

GraphRunner leverages PowerShell and an account with tenancy access, to complete a device authentication flow. Once that authentication flow is complete the tool has many built in commands to enumerate where the account has access to, using the Microsoft Graph API.

Figure 2. Initializing the GraphRunner Tool with Device Authentication against a Dev365 Tenancy

Figure 3. Completion of the Authentication and Note the Token Expiration Can be Extended.

Using Invoke-GraphRecon -Tokens $tokens we can explore what our account has permissions to do, in this case we have used a privileged user, however lower privileged accounts may have less to work with. The expiry of a token can be refreshed with Invoke-RefreshGraphTokens

Figure 4. Query Using the Broad Recon Command Invoke-GraphRecon

Figure 5. Some Policy Information Returned

Figure 6. User Access Rights Returned

Some of these User Settings and Policy Information results indicate that a high number of avenues are available. The field Users Can Consent to Apps: true implies that a user will be able to grant access to an application to be added to the tenancy, which can be beneficial to an attacker8, 9. A tool like GraphRunner can abuse this with a simple function Invoke-InjectOAuthApp to add an application to the tenancy and persist access through various state changes such as user password change and session expiry, using the app tokens. Fortunately, Microsoft provides advice on remediating illicitly granted applications10. If this feature is not required by an organisation, the feature for user consent to allow applications should be disabled. If it is required, then consenting by users for applications to access the organisation should require administrator approval.

Figure 7. Some Consent Options for Applications

The CISA tool SCuBA will report on such a configuration as seen below. Additionally, the SCuBA report embeds links to resources to aid understanding of the issue.

Figure 8. CISA SCuBA Audit Result for Applications Consent

Once an attacker understands what options exist on the compromised account, such as consenting to applications, the attacker can leverage this to grant themselves further access to things like sharepoint files as guest, persistence through app granting or privilege escalation through adding themselves to other groups, all this depends on the rights the compromised user has. Do your account management policies and processes cover how to manage each of these permissions?

Takeaway Points

  • Use templates such as CIS Benchmarks as a reference model for a mature cyber security posture.
  • Use tools such as CISA SCuBA and Graphrunner to gain visibility over your current configuration.
  • Consider that C2 tools can use Microsoft cloud infrastructure to establish legitimate looking network connections.
  • Understand that the tools mentioned in this article can be used together, stand alone, or not at all, don’t rely on the detection of any one thing for the defense of your important data and networks.
  • Legacy authentication, missing MFA, assets, permission and privileges are all important aspects that you need to have perspective and visibility into.
  • The cloud is a Stanley Kubrick film, full of horror scenes, but highly acclaimed as a masterpiece.

References

  • (13 Dec, 2022) Advanced notice: Amazon S3 will automatically enable S3 block public … Available at: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/ (Accessed: 22 December 2023).
  • CIS Microsoft 365 Benchmarks, CIS. Available at: https://www.cisecurity.org/benchmark/microsoft_365 (Accessed: 30 January 2024).
  • Secure Cloud Business Applications (SCUBA) project: CISA, Cybersecurity and Infrastructure Security Agency CISA. Available at: https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project (Accessed: 30 January 2024).
  • Zheldak, P. (2024) AWS vs azure vs GCP [2024 cloud comparison guide], AWS vs Azure vs GCP [2024 Cloud Comparison Guide]. Available at: https://acropolium.com/blog/adopting-cloud-computing-aws-vs-azure-vs-google-cloud-what-platform-is-your-bet/ (Accessed: 30 January 2024).
  • (January 19, 2024) Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ (Accessed: 29 January 2024).
  • GraphStrike: Using Microsoft Graph API to make beacon traffic disappear, redsiege.com. Available at: https://redsiege.com/blog/2024/01/graphstrike-release/ (Accessed: 30 January 2024).
  • GraphStrike: Anatomy of Offensive Tool Development, redsiege.com. Available at: https://redsiege.com/blog/2024/01/graphstrike-developer/ (Accessed: 30 January 2024).
  • RatulaC, Compromised and malicious applications investigation, Microsoft Learn. Available at: https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-compromised-malicious-app (Accessed: 30 January 2024).
  • Dansimp, App Consent grant investigation, Microsoft Learn. Available at: https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent#what-are-application-consent-grants (Accessed: 30 January 2024).
  • CISA releases Microsoft 365 Secure Configuration Baselines and scubagear tool: CISA (2024) Cybersecurity and Infrastructure Security Agency CISA. Available at: https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-releases-microsoft-365-secure-configuration-baselines-and-scubagear-tool (Accessed: 30 January 2024).
  • Dafthack/graphrunner: A post-exploitation toolset for interacting with the microsoft graph api, GitHub. Available at: https://github.com/dafthack/GraphRunner (Accessed: 30 January 2024).
  • Microsoft annual report 2023 (Oct 16, 2023) Microsoft 2023 Annual Report. Available at: https://www.microsoft.com/investor/reports/ar23/index.html (Accessed: 31 January 2024).

Bibliography

  • CISA releases Microsoft 365 Secure Configuration Baselines and scubagear tool: CISA (2024) Cybersecurity and Infrastructure Security Agency CISA. Available at: https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-releases-microsoft-365-secure-configuration-baselines-and-scubagear-tool (Accessed: 30 January 2024).
  • Cisagov () CISAGOV/ScubaGear: Automation to assess the state of your M365 tenant against Cisa’s baselines, GitHub. Available at: https://github.com/cisagov/ScubaGear (Accessed: 30 January 2024).
  • A hole in the bucket: The risk of public access to Cloud native storage (2023) YouTube. Available at: https://youtu.be/8IkLG60b7ec (Accessed: 30 January 2024).
  • RedSiege (Jan 2024) Redsiege/GraphStrike: Cobalt strike HTTPS beaconing over Microsoft Graph API, GitHub. Available at: https://github.com/RedSiege/GraphStrike (Accessed: 30 January 2024).

Categories

Top Articles

Building a Defensible Security Roadmap with the Ionize GRC Maturity Model – by Ionize GRC

Cyber language – a high level guide to understanding common jargon in Defensive Services

ISO 27001 Compliance: The 2025 Deadline and What You Need to Know

Beyond Technology

Discover Your Perfect Security Fit

Our Services
SSH Tunnelling with Rospo
Ionize Partnership with Paralympics Australia

Stay Up to Date

Latest News

View All