A practical, staged security roadmap for small and medium businesses - what to do, why it matters to the business, and what it roughly costs. Every recommendation is mapped to the ASD Essential Eight, ISO 27001:2022, and NIST CSF 2.0, so your decisions hold up to auditors, insurers, and your own board - not just opinion from a blog.
Security maturity isn't a product you buy - it's a sequence you climb. Each stage builds on the one before it. You don't start at zero if you've already done the basics; start where you honestly are and keep moving up.
The technical rungs follow the Essential Eight Maturity Model (Maturity Level 0 → 3), the Australian Signals Directorate's recommended baseline of eight mitigation strategies. The Essential Eight is deliberately preventive, though - it doesn't cover detection, response, or governance on its own, which is exactly why Stages 3 and 4 lean on NIST CSF 2.0 and ISO 27001:2022 to fill those gaps.
Stage 1: The cheap, high-impact moves that remove the most risk: MFA everywhere, tested backups, a patching cadence, no day-to-day admin accounts, email protection, and an honest inventory of what you actually own. This is Essential Eight Maturity Level 1.
Stage 2: Identity is the perimeter now. Least privilege, single sign-on, conditional access, and a joiner-mover-leaver process that doesn't leave ghost accounts behind after people change roles or leave.
Stage 3: Someone has to watch the logs. The build-vs-buy decision, honestly: a small in-house EDR capability with one or two trained people, versus an MDR / MSSP - what each realistically gets you, with rough cost ranges and the tradeoffs that don't make it into the sales deck.
Stage 4: Risk management, policies that fit on a page, and alignment to ISO 27001 and NIST CSF 2.0's new Govern function - so you can prove the program to auditors, insurers, and enterprise customers. In Australia, this is also where board and legal accountability gets managed deliberately.
Every recommendation in the guide is written up the same way:
What to do: The concrete action, in plain language - the setting to turn on, the process to put in place, the decision to make. No jargon for its own sake.
Why it matters: The business case, not the fear pitch - the risk it removes, the obligation it meets, and the customer or insurer question it answers.
What it costs: Time and money, honestly. Public list prices where they exist; clearly labelled rough ranges where they don't. No invented figures.
A note on Australian obligations: cyber security in Australia is now a board and legal accountability issue, not just an IT one. The Privacy Act's Notifiable Data Breaches scheme, the Cyber Security Act 2024, and regulators like ASIC and APRA all expect demonstrable diligence. The guide flags where a control connects to a real obligation - so the case for doing it is "this is what's expected of us," not "hackers are scary."
This guide teaches the method, openly and for free. If you'd rather not run it alone, the virtual CISO service is the same four-stage arc delivered as an engagement - I build the strategy with you: assess where you are, set the GRC foundation, implement the controls, then run the ongoing uplift as your fractional CISO.
Australian-based, working globally. No obligation - the guide stands on its own.
See how the vCISO engagement works →