Cyber Health Check · For Independent & Catholic Schools

Know where your school stands on cyber.
In 10 business days. $4,950.

A fixed-fee independent Cyber Health Check for Australian Independent and Catholic K-12 schools. Aligned to the Essential Eight, NIST CSF, ISO 27001, the Privacy Act and ACSC guidance. Plain English. Board-ready. Works alongside your existing IT provider — not a replacement.

Fixed fee. No scope creep.
Clear Picture Guarantee
Sunshine Coast based
Does this sound familiar?

You have an assurance problem —
not a technology problem.

A data breach in a school isn't an IT incident — it's a child-safety, parent-trust and regulatory event. Your Board, your families, your insurer and the OAIC will all be looking for the same thing: evidence that you took it seriously, before it happened.

What you get

A scorecard, a plan,
and a Board-ready answer.

Ten business days. One honest scorecard against the ten non-negotiables. One prioritised plan. One debrief your Board, your Business Manager and your IT provider can all sit in on. No 200-page doorstop. No offshore audit team who've never set foot in a Queensland school.

A 10-point cyber scorecard

A holistic assessment against the ten critical areas every school cyber program should cover — Essential Eight, NIST CSF, ISO 27001, Privacy Act, third-party risk, incident response, AI governance and more. You'll know your score before the debrief ends.

A prioritised action plan

The top ten things to fix, sequenced by risk and effort, mapped to a 12–24 month roadmap and indicative budget. Something your Business Manager can take to Finance on Monday and your IT provider can start on Tuesday.

A Board-ready report

Written for your Board, School Council, Finance & Risk Committee and Diocesan oversight — not for a Security Operations Centre. Plain English. Evidence-linked. Defensible. Insurance-ready.

Works alongside your IT provider

Independent advisory, not a competing service. Your MSP or internal IT team is welcome in every interview and debrief. Most of them thank me afterwards — the ones who don't, that's useful information on its own.

The 10 non-negotiables

Your cyber program either covers these
— or it doesn't.

Ten critical areas every Australian K-12 school cyber program should cover. We assess each one holistically during the Health Check — not as a deep audit, but as a clear view of "do you have this, do you have it working, or is this a gap".

If you can confidently say yes to fewer than five, the Health Check is step one — and a monthly advisory retainer is almost certainly step two.

Most schools score between three and six the first time through. That's not a failure — it's a starting point. The Health Check tells you which of the ten to fix first, in what order, and roughly what it'll cost.

What's included

Fixed scope. Fixed fee.
No surprise invoice.

What this isn't: a penetration test, a full ISO 27001 audit, a SOC 2 readiness programme, or a three-month consulting engagement. It is a deliberately scoped diagnostic. Think of it as a building inspector's report, not a structural engineer's plan. If the scorecard shows you need deeper work, we'll have an honest conversation about what comes next — no pressure, no drip campaign.
$4,950 + GST
Fixed fee · Ten business days · No scope creep
How it works

Three steps.
Ten business days.

One clear outcome: a Board-ready picture of where your school sits on cyber, and a prioritised plan for what to do next.

01

Book a 20-minute chat — no charge

We check fit. If Coastal Cyber isn't right for your school, I'll tell you — and point you somewhere that is. No sales pitch. No deck. Your IT provider is welcome on the call.

02

The Health Check — ten business days

Structured interviews with the Principal, Business Manager, IT provider and key operational staff. Evidence review across policies, contracts, MSP reports and insurance documentation. Holistic assessment against the ten non-negotiables, mapped to Essential Eight, NIST CSF, ISO 27001 and the Privacy Act.

03

Board-ready report and debrief

A written report you can hand to your Board, School Council or Diocesan oversight. A 60-minute debrief with your leadership team — MSP and IT manager welcome to attend. Questions encouraged. Defensive posturing optional.

Frequently asked

The questions everyone asks,
answered honestly.

We already have an MSP or IT provider managing our network and security. Why do we need this?
MSPs keep your network running, your identities provisioned and your endpoints patched — that's their job, and a good one does it well. Independent governance assurance, regulatory alignment and evidence for your Board are a different job entirely. The Health Check complements your MSP; it doesn't replace them. Your MSP is welcome in every interview and the debrief — most of them are quietly grateful for the clarity, because it also tells their story to the Board.
What exactly do you mean by "holistic" — aren't some of these topics huge?
Yes, individually they are. The Health Check is not a deep audit of any one area — it's a diagnostic across all ten. Think of it as a building inspector walking the whole building, not a structural engineer redesigning the foundations. For each non-negotiable we're asking three questions: do you have something in place, is it actually working, and where are the gaps? That's enough to produce an honest scorecard and a prioritised plan. Deeper work on any single item is a separate engagement.
What do I actually get for $4,950?
A defined, fixed-scope professional deliverables pack: an executive summary written for your Board or School Council, a scored assessment against the ten non-negotiables with evidence notes, a prioritised 90-day / 6-month / 12-month remediation roadmap, a top-ten risk register, an Essential Eight Maturity 1 gap analysis sized for your insurer's attestation questions, and a one-page Board briefing sheet. It's a 10-business-day diagnostic, not a penetration test, full ISO 27001 certification or multi-month programme. If deeper work follows, that's a separate engagement on its own terms.
What if we score badly?
Most schools score three to six out of ten the first time through. That's the usual starting point, not a failure. The Health Check is designed to surface gaps so you can close them in the right order, within a realistic budget. If you'd like hands-on help closing them, a monthly Virtual CISO (vCISO) retainer can sit alongside your MSP and work through the list in priority order. If you'd rather take the report and run with it yourself, that's equally fine.
Is this appropriate for Catholic schools under Diocesan oversight?
Yes. The Health Check output is Diocese-friendly — the report is structured so it can be shared with your Catholic Education Office, Diocesan Information Services team or central IT governance function. If your Diocese has specific cyber or privacy frameworks they expect schools to align to (for example, Sydney Catholic Schools, MACS Melbourne, Brisbane Catholic Education), tell me in the intro call and I'll map to those explicitly.
Will this help with our cyber insurance renewal?
Directly, yes. Most school insurers now ask for Essential Eight Maturity 1 attestation, MFA coverage, backup and recovery arrangements, incident response planning and staff awareness training — eight of the ten non-negotiables. The Board-ready report gives you the documented evidence base your broker and insurer are asking for, and shows you where you can honestly tick the box versus where you need to close a gap first.
How much time will my team need to commit?
Roughly 6–8 hours of leadership, Business Manager and IT staff time, spread over the ten business days. Most interviews are 45–60 minutes. We work around term dates, staff meetings and exam periods — not the other way around.
Who sees the report?
You do. Only you. The report is your school's property. You choose what to share with your Board, School Council, Diocese, insurer, broker, auditor or MSP. Nothing is published or shared without your written go-ahead.
Are you insured?
Yes — professional indemnity and public liability cover held. Certificates of currency available on request before the engagement begins. Working With Children (Blue Card) and National Police Check available on request — relevant given we may be interviewing staff who work with students.
What happens after the Health Check?
Entirely your call. Some schools take the report, action the top ten items with their MSP and come back in 12 months for a follow-up Health Check. Others want ongoing advisory — a monthly Virtual CISO (vCISO) retainer that works alongside your MSP to close the scorecard gaps, chair a termly cyber risk forum and keep the Board report up to date. Both options are fine. Neither is pushed.

The Clear Picture Guarantee

If, at the end of your debrief, you don't feel the Health Check gave you a clear picture of where you stand and what to do next, we'll refund your fee in full. No questions, no forms, no "but".

Twenty minutes.
No sales pitch.

A free 20-minute call to talk about your school, your current cyber position, and whether a Health Check is the right next step. Your IT provider is welcome on the call. If the Health Check isn't the right fit, I'll tell you — and point you somewhere that is.

hello@coastalcyber.com.au
Sunshine Coast, QLD — remote delivery Australia-wide, on-site available