Cyber Security Compliance: Everyone’s Starting Line is Different

Some organisations are training for the marathon. Think: 

  • APRA CPS 234
  • ISO 27001 
  • Information Security Manual (ISM)
  • SOCI Act 
  • NIST Cyber Security Framework 

These are complex, demanding and long-term compliance programs that require discipline and endurance.

Others are pacing themselves for a solid social distance run, just enough to meet Privacy Act obligations or pass a security health check from a client or vendor. 


Wherever you are starting from, you are not alone. Cyber security compliance is a journey. Just like athletic training, it is not always about perfection. It is about progress.  


The finish line is always shifting. As a timely reminder, Australia’s new ransomware payment reporting laws take effect 30 May 2025. Many businesses will need to reassess their legal obligations and incident response readiness. Compliance is no longer about ticking boxes. It is about being prepared. 


At CyberUnlocked, I often step into the role of a Compliance Coach. It is not just about frameworks and documentation. It is about supporting businesses as they build capability. What many need most is: 

  • Encouragement to keep going, even when it gets tough
  • Guidance that fits their maturity, industry and supply chain expectations
  • A sounding board to help balance ambition with business reality 


Some organisations are starting with no or limited controls. Others are training to meet new regulatory obligations or align with client demands. No matter the starting point: 

  • Small, consistent steps build maturity
  • Practical wins can be more effective than perfect frameworks
  • Sometimes you need to sprint when deadlines or risks demand it 


There is a new standard worth watching. SMB1001 is designed for small and medium businesses. It:

  • Supports scalable security maturity and certification
  • Fills the gap where applying ASD’s Essential Eight to every context would be overkill
  • Provides a practical pathway to train towards ISO 27001


An essential part of the compliance journey is understanding: 

  • What residual risk your business can live with
  • Whether to accept, mitigate or transfer those risks through controls, cyber insurance or both

There is no such thing as perfect security. Defining an acceptable level of risk is key to building a strategy that works.


If you are on the compliance track or helping your clients along theirs, let’s chat. Sometimes, having a coach in your corner makes all the difference. 