Free Assessment Tools

Score your compliance readiness in 15 minutes

Six interactive readiness checklists across ISO 27001, ISO 27701, ISO 42001, SOC 2, Essential Eight, and DISP/IRAP — each scored against the framework's published criteria, with a prioritised PDF roadmap delivered instantly.

No sign-up required · Instant scored result · Branded PDF roadmap · Mapped to framework criteria
Choose a checklist → See how it works
Sample report: ISO 27001 Readiness Assessment

Overall readiness score: 68% (Foundation — needs structured uplift)

ISMS Scope & Context: 85%
Risk Management: 62%
Annex A Controls: 45%

Plus 5 more domains, top gaps, and prioritised next steps
15 min average completion time · 6 frameworks covered · 230+ total assessment questions · 0 sign-ups required

How the checklists work

Built around what auditors actually look for — not generic compliance theory. Each checklist is mapped directly to the published criteria of the standard it covers.

1. Pick your framework

Choose the standard most relevant to your situation. Not sure? See the decision guide below.

2. Answer questions

Yes / Partial / No across each control domain. Takes 12–16 minutes depending on the framework.

3. See your score

Real-time scoring across each domain — strong areas in green, gaps highlighted in red.

4. Download PDF roadmap

Branded report with score breakdown, top gaps, and a prioritised action plan you can take to your team.

Methodology note

Each checklist is built directly from the published criteria of the relevant standard — ASD's ML2 evidence requirements for Essential Eight, ISO 27001:2022 Annex A controls, AICPA Trust Services Criteria for SOC 2, and ISO 42001:2023 AIMS clauses. The scoring weighting reflects what certification auditors actually sample most heavily — not a generic best-practice list.

Not sure which checklist to start with?

Most organisations come to us with a specific trigger. Match your situation below to the right checklist.

Enterprise customers asking for security certification

→ Start with ISO 27001. If they're US-based, also run SOC 2 (strictly an attestation report rather than a certification, but it is what US procurement teams commonly ask for).

Government tender requires Essential Eight maturity

Essential Eight — scored to ML0–ML3 across all eight controls, so you can compare your result against the maturity level the tender specifies.

Cyber insurer is asking for evidence at renewal

Essential Eight first — most insurers map their questionnaires to ASD controls.

You use AI and customers are asking how you govern it

ISO 42001 — model inventory, risk assessment, oversight, monitoring.

You handle personal data and need Privacy Act evidence

ISO 27701 — DPIA, ROPA, data subject rights, consent management.

You want to enter the defence supply chain

DISP / ISM / IRAP — covers the entry-level defence assurance requirements: DISP membership, alignment to ASD's Information Security Manual (ISM), and what an IRAP assessor checks against the ISM.

All readiness checklists

Each checklist is free, takes 12–16 minutes, and produces a downloadable PDF roadmap.

Information Security Management

ISO 27001

Most popular

Score your ISMS across scope definition, risk assessment, Annex A controls, Statement of Applicability, internal audit, and management review.

ISMS scope · Risk methodology · Annex A controls · SoA · Internal audit

40 questions · 15 min
Best for: SaaS, technology, enterprise procurement readiness
Start →
ASD Cyber Security Maturity

Essential Eight

Most popular

Assess your maturity across all eight ASD mitigation strategies — application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Scored to ML0–ML3.

App control · Patching · MFA · Admin privileges · Backups

45 questions · 15 min
Best for: Government supply chain, mid-market, cyber insurance
Start →
AI Governance & Management System

ISO 42001

Score your AI governance maturity — model inventory, AI risk and impact assessments, human oversight, monitoring, and responsible AI policy. Aligned to the Australian AI Safety Standard.

Model inventory · AI risk · Human oversight · Monitoring · Policy

30 questions · 12 min
Best for: AI-enabled SaaS, healthcare, financial services
Start →
Privacy Information Management

ISO 27701

Assess your PIMS across the record of processing activities (ROPA), data protection impact assessments (DPIA), data subject rights handling, consent management, and third-party privacy risk. Aligned to the Australian Privacy Act and the Australian Privacy Principles (APPs).

ROPA · DPIA · Data rights · Consent · Third-party

35 questions · 12 min
Best for: Healthcare, financial services, data-intensive businesses
Start →
Trust Services Criteria

SOC 2

Score your SOC 2 readiness across the five Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy. Type I and Type II differentiated.

Security · Availability · Confidentiality · Processing Integrity · Privacy

38 questions · 14 min
Best for: SaaS with US or global enterprise customers
Start →
Defence & Government Assurance

DISP / ISM / IRAP

Assess your readiness for DISP entry, ISM alignment, and IRAP assessment — covering the security domains required for government and defence supply chain participation.

DISP · ISM · IRAP · ASD compliance · Supply chain

42 questions · 16 min
Best for: Defence contractors, government-adjacent technology firms
Start →

What you get in your PDF report

Every report is structured the same way — branded, ready to share with your team or board, and built to drive action rather than just sit in an inbox.

Section 1

Overall readiness score

A single percentage score — calibrated against the framework's maturity criteria — so you can see at a glance where you sit. With a maturity-stage label (Foundation / Developing / Audit-Ready) for context.

Section 2

Domain-by-domain breakdown

Score for each control domain (ISMS scope, risk, Annex A, etc.) with a visual progress bar. Strong areas in green, gaps in red — easy to scan and immediately useful for prioritisation.

Section 3

Top 5 priority gaps

The five highest-impact gaps based on your responses, with framework-specific guidance on what good looks like. The list a CISO would build for you in a 1-hour discovery call — automated.

Section 4

Prioritised action plan

A sequenced 90-day roadmap covering the most important steps — what to fix first, what depends on what, and realistic effort estimates for each priority.

Section 5

Microsoft 365 implementation tips

Where relevant, specific guidance on which Microsoft 365 capabilities (Conditional Access, Defender, Purview, Intune) address each priority gap — so you can implement using tools you already own.

Section 6

Next-step options

Three paths forward — a self-led DIY approach, a structured assessment engagement, or a full uplift programme — with realistic timelines and what each path delivers.

Common questions

Are these checklists really free?

Yes. No sign-up, no email gate, no paywall. The PDF download happens directly in the browser. We make the checklists genuinely free because they're a far better introduction to our practice than any sales pitch.

How accurate is the score?

The score is an honest indicator based on your responses, calibrated against the framework's published criteria. Because it relies on self-reported answers rather than the evidence an auditor would inspect, it is not a substitute for a formal gap assessment, but it will show you realistically where you sit and which domains need attention first.

Do you store our responses?

No. The checklist runs entirely in your browser — your responses never leave your device, and the PDF is generated client-side. We don't collect, store, or analyse your inputs. You can confirm this yourself by watching the network tab in your browser's developer tools while you complete a checklist and download the report.

Can multiple people answer together?

Yes — many teams complete the checklist as a group, with the security lead, IT lead, and a senior stakeholder going through the questions together. It often surfaces internal disagreement about what's actually in place.

What if our score is low?

A low score isn't a problem — it's a starting point. Most organisations score 40–60% on first run. The PDF tells you the highest-impact gaps to close first, so a low score becomes a structured plan rather than an overwhelming list.

Should we share the PDF internally?

Yes — the report is designed to be shared with leadership, the board, or a security committee. Many clients use it as the discussion document for getting budget approval for a structured uplift programme.

Need help interpreting your results?

After running a checklist, a free 30-minute call will help you make sense of the score, prioritise the gaps that matter most, and understand what a realistic uplift programme would look like for your environment.

Choose a checklist · Book a free call (Microsoft Teams)