
Compliance & Audit

Assessments against NIST CSF, the ASD Essential Eight, ISO 27001, CIS Controls, IRAP readiness, and CI Fortify critical infrastructure resilience.

Overview

Compliance isn’t about ticking boxes — it’s about understanding where you stand, what’s at risk, and what to do about it. Opcode conducts practical assessments against industry frameworks, giving you a clear picture of your security posture and a prioritised plan to improve it.

What’s included

  • Gap analysis — Detailed assessment of your current controls against a target framework, identifying gaps and their business impact.
  • Maturity assessment — Evaluation of your security program maturity across key domains, with actionable recommendations for each maturity level.
  • Remediation planning — Prioritised roadmap for closing gaps, with realistic timelines and resource estimates.
  • Audit preparation — Support in preparing for external audits: evidence gathering, control documentation, and pre-audit readiness checks.
  • Policy and procedure review — Assessment and improvement of security policies, standards, and operating procedures.

IRAP readiness and assessment

Opcode provides end-to-end support for organisations preparing for or undergoing Information Security Registered Assessors Program (IRAP) assessments — independent validation against the Australian Government’s Information Security Manual (ISM).

  • ISM gap assessment — Identify gaps between your current security posture and ISM requirements before engaging a formal assessor. Understand what needs to change and where to focus effort.
  • IRAP readiness preparation — Practical support to get your organisation assessment-ready: evidence preparation, control documentation, stakeholder interview preparation, and remediation of identified gaps. Typical readiness activities run 1-3 months depending on environment maturity.
  • Assessment coordination — Working with both technical and business teams to map your controls to the relevant ISM requirements, improve security maturity, and ensure your organisation presents its evidence clearly during the formal assessment process.
  • Post-assessment remediation — Support for addressing findings from IRAP assessments, with prioritised remediation planning and implementation guidance.

IRAP assessments focus on risk management rather than simple compliance — Opcode’s approach ensures your organisation demonstrates genuine security maturity, not just paperwork.

CI Fortify — Critical infrastructure resilience

Australia’s critical infrastructure is under sustained threat from state-sponsored actors and cybercriminals. The Australian Signals Directorate’s CI Fortify guidance sets clear expectations for CI operators: be able to isolate vital OT and enabling systems from the internet and adjacent networks for three months while maintaining critical services, and prove the ability to rapidly rebuild those systems from known-good backups.

Most CI operators know they should be doing this. Few have tested whether they actually can.

Opcode helps critical infrastructure operators move from intent to capability:

  • OT asset inventory and classification — Identifying and classifying all operational technology assets, their roles, dependencies, and criticality to critical service delivery. An accurate inventory is the foundation CI Fortify requires — without it, isolation planning is guesswork.
  • Vital system identification — Mapping which OT and enabling systems must remain functional to sustain critical services. This requires perspectives across business impact, operational dependencies, and technical architecture — not just an IT asset list.
  • Isolation planning and testing — Developing graduated isolation plans that define thresholds, sequence isolation measures, and identify which automated processes will need manual fallbacks. Opcode designs and runs tabletop exercises and live isolation tests so operators know their plan works before a crisis forces them to find out.
  • Rebuild validation — Verifying that offline backups of firmware, configuration, and processes for vital systems are complete, current, and tested. Opcode validates rebuild procedures end-to-end, including pre-positioning of spare equipment and documentation of minimum operating states that may differ significantly from business-as-usual.
  • IT-OT boundary hardening — Assessing and strengthening the boundaries between corporate IT, OT networks, and third-party connections. The 2021 Colonial Pipeline incident is the cautionary case: ransomware in the corporate IT network led the operator to shut down pipeline operations as a precaution, with no reported compromise of the OT systems themselves. When the boundary, and the dependencies that cross it, are not properly architected and understood, an IT compromise becomes an OT outage, and isolation capability is meaningless if the trigger point sits in a connected network you didn't plan for.
  • Supply chain dependency mapping — CI Fortify explicitly calls out supply chain risk. Opcode maps third-party dependencies across your OT environment so isolation plans account for vendor access, remote monitoring, and cloud-connected services that cross network boundaries.
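The rebuild validation point above is the one most easily turned into a repeatable check. The following is an added example, not Opcode's tooling or anything prescribed by CI Fortify: it takes a vital-system inventory and a manifest of offline backups (both formats are assumptions for this illustration, and the asset and backup data below are constructed) and reports, per asset and artefact, whether a backup is missing, older than the recovery-point tolerance agreed with operations, or fails its recorded SHA-256 hash. A real run would read the manifest from the offline media rather than embedding bytes inline.

```python
"""Rebuild-readiness check for vital OT systems.

Added example, not part of the original page or Opcode's tooling.
Inventory and manifest structures are assumptions; all data is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VitalAsset:
    asset_id: str
    role: str
    max_backup_age_days: int  # recovery-point tolerance agreed with operations


@dataclass(frozen=True)
class BackupRecord:
    asset_id: str
    artefact: str   # "firmware" or "config"
    taken: date     # date the backup was captured
    sha256: str     # hash recorded in the manifest when the backup was taken
    content: bytes  # bytes actually read back from the offline media


# Every vital asset needs both artefacts before a rebuild is credible.
REQUIRED_ARTEFACTS = ("firmware", "config")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_rebuild_readiness(assets, backups, today):
    """Return sorted (asset_id, artefact, finding) tuples; empty means ready."""
    by_asset: dict[str, dict[str, BackupRecord]] = {}
    for rec in backups:
        by_asset.setdefault(rec.asset_id, {})[rec.artefact] = rec

    findings = []
    for asset in assets:
        held = by_asset.get(asset.asset_id, {})
        for artefact in REQUIRED_ARTEFACTS:
            rec = held.get(artefact)
            if rec is None:
                findings.append((asset.asset_id, artefact, "MISSING"))
                continue
            age = (today - rec.taken).days
            if age > asset.max_backup_age_days:
                findings.append((asset.asset_id, artefact,
                                 f"STALE ({age}d > {asset.max_backup_age_days}d)"))
            # Re-hash what is on the media, never trust the manifest alone.
            if _digest(rec.content) != rec.sha256:
                findings.append((asset.asset_id, artefact, "HASH_MISMATCH"))
    return sorted(findings)


def rebuild_ready(assets, backups, today) -> bool:
    return not check_rebuild_readiness(assets, backups, today)


# Constructed sample data: one healthy asset, one stale config, one asset with
# a missing firmware image and a config whose bytes no longer match the manifest.
TODAY = date(2025, 6, 30)
ASSETS = [
    VitalAsset("plc-01", "boiler control", 30),
    VitalAsset("rtu-07", "substation telemetry", 30),
    VitalAsset("hmi-03", "operator station", 90),
]
_plc_fw, _plc_cfg = b"plc-01 firmware v2.1", b"plc-01 running config"
_rtu_fw, _rtu_cfg = b"rtu-07 firmware v5.0", b"rtu-07 running config"
_hmi_cfg = b"hmi-03 config as found on media"
BACKUPS = [
    BackupRecord("plc-01", "firmware", date(2025, 6, 15), _digest(_plc_fw), _plc_fw),
    BackupRecord("plc-01", "config", date(2025, 6, 20), _digest(_plc_cfg), _plc_cfg),
    BackupRecord("rtu-07", "firmware", date(2025, 6, 1), _digest(_rtu_fw), _rtu_fw),
    BackupRecord("rtu-07", "config", date(2025, 4, 1), _digest(_rtu_cfg), _rtu_cfg),
    # Manifest hash was computed over a different config than what is on the media.
    BackupRecord("hmi-03", "config", date(2025, 5, 1),
                 _digest(b"hmi-03 config when backed up"), _hmi_cfg),
]


def demo():
    return check_rebuild_readiness(ASSETS, BACKUPS, TODAY)


if __name__ == "__main__":
    for asset_id, artefact, finding in demo():
        print(f"{asset_id:8} {artefact:9} {finding}")
    print("rebuild ready:", rebuild_ready(ASSETS, BACKUPS, TODAY))
```

The check deliberately re-hashes the bytes read from the media rather than comparing manifest entries to each other; a manifest that agrees with itself says nothing about whether the image on the shelf is the one you think it is. Age tolerance is per asset because a minimum operating state for a boiler controller and for an operator workstation will not share a recovery-point objective.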

CI Fortify isn’t a compliance checkbox — it’s a capability that CI operators need to build, test, and maintain. Opcode brings the operational technology security expertise and the structured approach to turn ASD’s guidance into a demonstrated, repeatable capability.

Frameworks

Opcode works with the frameworks your industry and regulators care about:

  • NIST CSF — Comprehensive cybersecurity framework widely adopted across industries; version 2.0 organises outcomes under six functions (Govern, Identify, Protect, Detect, Respond, Recover).
  • ASD Essential Eight — The Australian Signals Directorate's eight baseline mitigation strategies. Opcode assesses against each target maturity level (ML1 through ML3; ML0 indicates a strategy is not meaningfully implemented).
  • ISO 27001 / 27002 — The international standard for information security management systems (27001 sets the certifiable ISMS requirements; 27002 provides implementation guidance for its controls).
  • ISM — The Australian Government Information Security Manual, the basis for IRAP assessments.
  • CIS Controls — Prioritised set of defensive actions for cyber defence (18 controls in version 8, tiered into Implementation Groups IG1 to IG3 by organisational risk profile).
  • APRA CPS 234 — Prudential standard for information security in Australian financial services.

How it works

  1. Scoping — Define which framework(s), which business units, and which systems are in scope.
  2. Assessment — Evidence collection through documentation review, interviews, and technical validation. Each control is assessed for implementation status and effectiveness.
  3. Reporting — Clear, actionable report with findings, risk ratings, and prioritised recommendations. No 200-page documents that nobody reads — Opcode delivers reports your team will actually use.
  4. Remediation support — Optional ongoing engagement to support your team through remediation activities.

Ready to strengthen your security posture?

Let's talk about what Opcode can do for your organisation. Get in touch for a no-obligation discussion about your security challenges.