Independent Assessment

Know where your business stands
on cyber — with evidence.

A fixed-fee, independent Cyber Health Check for Australian businesses. Ten non-negotiable control areas. Plain-English report. Board-ready results. Ten business days.

  • 10 business day turnaround
  • Fixed fee — no surprise invoice
  • Essential Eight ML1 mapping included
  • Board-ready report
  • 30 days of email Q&A included
  • $5M professional indemnity

The problem

You don't have a technology problem.
You have an assurance problem.

Your IT provider, or your IT department, keeps the systems running. What they typically can't provide — and what insurers, boards, and regulators increasingly require — is independent evidence of your cyber security posture.

Your board has started asking "are we cyber-safe?" — and no one can give a confident, evidence-backed answer.

Your MSP manages infrastructure, but you're not sure anyone is looking at governance, regulatory alignment, or evidence for your insurer.

A peer organisation made the news for a data breach and you're wondering how you'd cope if it were you.

Regulatory obligations under the Privacy Act, Essential Eight, or sector-specific requirements are tightening — and you're not sure where you stand.

You've had an IT review — but no one looked at governance, accountability, third-party risk, or privacy obligations.

A data breach or prolonged outage isn't just an IT incident. It's a regulatory, financial, and reputational event. The organisations that navigate those situations well are the ones with evidence on the table before anything goes wrong.

Assessment framework

Ten non-negotiable control areas,
scored with evidence.

Every Health Check covers the same ten areas, regardless of sector. Each is scored on a 0–4 maturity scale backed by documented evidence — not assertions. We also map your controls against the ACSC's Essential Eight at Maturity Level 1.

01 · Enterprise cyber risk assessment

Is cyber risk formally assessed, owned, and reported to leadership on a regular cycle?

02 · Framework alignment

Are controls mapped to Essential Eight, NIST CSF, or ISO 27001? Are gaps tracked and improving?

03 · Crown Jewels identification

Do you know what your most critical data and systems are — and are they specifically protected?

04 · Privacy Act and NDB readiness

Is your privacy policy current? Do you have a breach response process that actually works?

05 · Third-party and supplier risk

Is your vendor inventory current? Do data processors have appropriate agreements in place?

06 · Identity and access management

Is MFA enforced everywhere? Are privileged accounts controlled, separated, and reviewed?

07 · Incident response planning

Does a plan exist? Has it been tested? Does it include clear decision-making authority?

08 · Backup, recovery and ransomware readiness

Is the 3-2-1 rule applied? Has a restore test been completed within the last 12 months?

09 · Security awareness and culture

Is training delivered at onboarding and annually? Are incidents reported, not quietly buried?

10 · AI governance

Is there a policy for GenAI use by staff? Are approved tools and data classifications defined?

What you receive

A defined deliverables pack.
No variation. No surprises.

Every engagement produces the same four deliverables. The report is written for your board and leadership team — not a security operations centre.

Health Check Report

14–18 pages, plain English, Australian English. Executive summary, a scored ten-point scorecard, Essential Eight ML1 mapping, and a prioritised remediation roadmap across three time horizons. Evidence-linked throughout.

Board Briefing One-Pager

A single A4 page designed to be tabled at a board or executive meeting without modification. Overall posture rating, traffic-light dashboard across all ten control areas, and the top three actions with indicative cost.

60-Minute Debrief

A structured video call with your leadership team at the end of the engagement. We walk through findings, agree priorities and owners, and take questions. Agenda provided 24 hours in advance.

30 Days of Email Q&A

From the debrief date, email questions about the findings and receive a considered response within two business days. No additional charge. No time limit on the question.

How it works

Ten business days. 6–8 hours
of your team's time.

The engagement is structured, time-boxed, and runs around your schedule — not ours.

Step 1 · Days 1–4

Discovery

Kick-off with your leadership team. Document review. Structured interviews with Principal/CEO, Business Manager/CFO, and IT/MSP lead. Technical walkthrough of identity, patching, backup, and email controls.

Step 2 · Days 5–7

Assessment

Maturity scoring across all ten control areas. Essential Eight ML1 mapping. Gap identification. Remediation roadmap built around your risk and your resources — not a generic checklist.

Step 3 · Days 8–9

Reporting

Report assembly. Board one-pager. Full QA pass. Plain English throughout. Every finding cites the evidence that produced it.

Step 4 · Day 10

Debrief and handover

60-minute debrief with your leadership team. Deliverables pack handed over. 30-day Q&A window opens. No hard sell on what comes next.

One advisor.
Start to finish.

Every Health Check is delivered by Daniel Johns, Principal of Coastal Cyber. No account manager, no junior consultant doing the real work, no handoffs.

  • ~30 years in cyber security, governance and risk
  • CRISC certified
  • Former ISACA Global Advisory Council member
  • Former CompTIA Executive Council ANZ member
  • Former leadership roles at MyCISO and CyberCX
  • Assessments delivered across financial services, healthcare, technology, and critical infrastructure
  • Independent — no product to sell, no vendor relationship influencing the advice
  • Sunshine Coast, QLD — available to work on-site where relevant

The Clear Picture Guarantee

If, at the end of your debrief, you don't feel the Health Check gave you a clear picture of where you stand and what to do next — we'll refund your fee in full. No questions, no paperwork.

Insurance · $5M professional indemnity and $10M public liability. Certificates of currency available on request before engagement commencement.

Common questions

If you're wondering,
you're not the only one.

MSPs keep your systems running — that's their job and a good one does it well. Independent assurance, regulatory alignment, and evidence for your board are a different job. A Health Check complements your MSP; it doesn't replace them. Most MSPs welcome the clarity.

Smaller organisations often carry more concentrated risk — one compromised account or unpatched system affects a higher proportion of your operations. The Privacy Act's Notifiable Data Breach scheme applies regardless of size. The Health Check is scoped and priced for organisations that aren't enterprise — that's deliberate.

Approximately 6–8 hours across the ten business days — the kick-off (90 minutes), three structured interviews (Principal, Business Manager, IT/MSP lead), and the debrief. We work around your schedule.

Neither. It's a structured diagnostic — broader than a pen test, more practical than a full audit. The goal is a clear picture of where you stand and a prioritised plan for what to do next. Pen testing and deep audits are separate engagements; if either is warranted, we'll tell you.

You do. Only you. The report is your property. You decide what to share with your board, your insurer, your MSP, or any regulator. Nothing is shared outside the engagement without your written consent.

Entirely your call. Some clients take the report, action the top priorities with their MSP, and return in 12 months for a follow-up. Others want ongoing advisory — a monthly vCISO retainer. Both are fine. Neither is pushed.

Take the first step

A 20-minute call. No obligation.
No jargon. No sales pitch.

We'll talk about your organisation, your current cyber position, and whether a Health Check is the right next step. If it's not, we'll tell you — and point you somewhere that is.


Coastal Cyber · Sunshine Coast, QLD · dj@coastalcyber.com.au