Abstract data network
PROTECTED Specialist · Australian Owned

Microsoft 365 and Azure, built for PROTECTED. Documented. Delivered. Audit ready.

ACT Cyber is the specialist consultancy that designs, deploys and documents Microsoft cloud environments to the Australian Government ISM PROTECTED standard — so when your independent IRAP assessor arrives, the work is already done.

Who we are

An Australian specialist firm.

  • 100%Australian owned and operated. AGSVA-cleared team.
  • M365
    Azure    Designed, built and documented to ISM & Essential 8 — up to PROTECTED.
  • HybridPROTECTED extends from cloud to on-premises — no weak links.
  • ISMSGRC consulting and complete custom ISMSs aligned to ISO/IEC 27001.
  • ArchCyber security architecture for cloud, hybrid and regulated environments.
  • AdvisoryIndependent technical and strategic cyber advisory.
  • IRAPWe prepare you for assessment. The assessor stays independent.
§ 01 · Position

Anyone can say they "deliver secure M365." We design in what assessors look for — so you don't waste months fixing gaps later.

ACT Cyber is an Australian-owned consultancy with a deliberately narrow practice: Microsoft 365, Azure and hybrid environments, engineered to the ISM PROTECTED control baseline and the Essential Eight. We produce the full accreditation package alongside the build — SSP, SRMP, SoA, risk register and control evidence — in the formats IRAP assessors expect.

No retrofit, no rewrite, no surprises when the assessor arrives.

Sovereign · Specialist Modern professional consulting environment
§ 02 · Frameworks

Frameworks we build to.

ISM

Australian Government Information Security Manual — every configuration traces back to an ISM control.

E8

ACSC Essential Eight Maturity Model — implemented by platform configuration, not documentation alone.

PSPF

Protective Security Policy Framework — informs information handling and governance patterns.

ISO 27001

International information security management standard — our ISMS designs are ISO/IEC 27001 conformant.

NIST

NIST Cybersecurity Framework — used where hybrid or US-aligned control mapping is required.

Configured for regulated workloads
Plate I · Configured for regulated workloads
§ 03 · Differentiators

Why ACT Cyber.

01 · Assessor-first design

Built for the assessor in the room.

Every artefact is produced in the format IRAP assessors expect — SSP, SRMP, SoA — concurrently with build, not retrofitted afterwards.

02 · Configuration over paperwork

Controls satisfied by the platform.

ISM and Essential Eight controls met by Microsoft platform configuration and operational practice — not documentation alone.

03 · Cleared, Australian delivery

AGSVA-cleared, end to end.

Australian-owned, AGSVA-cleared consultants operating under Australian jurisdiction. No offshore touch, no outsourced accountability.

04 · Hybrid by design

Cloud to on-premises, one baseline.

We extend PROTECTED compliance from Azure and M365 into your on-prem estate — no weak links between cloud and legacy.

§ 04 · Microsoft Platform

The Microsoft stack — configured for regulated workloads.

We work across the full Microsoft security and productivity stack, configured to the ISM control baseline.

AzureMicrosoft 365Entra IDIntuneDefenderPurviewSentinelSharePointTeams
Modern Australian architecture

Audit pressure mounting?

Talk to a cleared PROTECTED specialist. Fast compliance, cost-effective delivery, zero audit surprises.

§ 00ACT Cyber / Services

Schedule of services.

Nine service lines covering the complete lifecycle of a PROTECTED-aligned Microsoft environment — from initial assessment through to handover or managed operations.

SCH · A
PROTECTED M365 & Azure DeliveryFlagship Engagement
A complete, ISM-aligned Microsoft 365 and Azure environment — custom designed, deployed, documented and ready to operate. Delivered with the artefacts, evidence and control mapping needed for IRAP assessment from day one. The engagement most clients start with.
PROTECTEDISMIRAP ReadyEssential 8
SCH · B
Secure Cloud DesignDesign & Architecture
ISM-aligned Azure landing zones, hub-and-spoke architecture, identity-first security design, private endpoints and PROTECTED workload hosting patterns. Reference architecture mapped to ISM controls.
AzureLanding ZoneReference Architecture
SCH · C
Identity-First SecurityIdentity & Access Management
Entra ID architecture, Conditional Access, Privileged Identity Management and Zero Trust access patterns — the identity discipline that PROTECTED environments demand, applied to a modern Microsoft stack.
Entra IDZero TrustPIM
SCH · D
Managed Device HardeningEndpoint Security
Intune and Defender for Endpoint, ACSC hardening baselines, automated compliance enforcement and SOC integration across managed and distributed endpoints.
IntuneDefenderACSC Baselines
SCH · E
Secure M365 CollaborationData & Collaboration
M365 for regulated workloads — sensitivity labels, Data Loss Prevention, Teams governance, SharePoint architecture and Purview data classification operating within ISM data handling boundaries.
M365PurviewDLPTeams
SCH · F
Tailored ISMSGovernance, Risk & Compliance
An Information Security Management System that fits your organisation — practical, actionable, and designed to prove controls in practice, not just on paper. Aligned to ISM, PSPF and Essential Eight.
ISMSPSPFRisk Management
SCH · G
IRAP ReadinessPreparation — We Do Not Assess
End-to-end preparation for an independent IRAP assessment — SSP, SRMP, risk register, SoA and control evidence. Pre-assessment gap analysis, rehearsal and remediation. Your assessor arrives to a complete, coherent package. ACT Cyber prepares organisations for IRAP. We are not an IRAP-endorsed assessor — that role is filled by an independent assessor of your choosing.
ReadinessSSPSRMPGap Analysis
SCH · H
Cloud to On-Prem IntegrationHybrid Infrastructure
Seamlessly extend PROTECTED compliance from Azure and M365 into your on-premises estate — hybrid identity, secure connectivity, unified logging. No weak links between environments.
HybridActive DirectoryFortinet
SCH · I
Outsourced Managed SecurityMSP Partner Network
Prefer to outsource day-to-day operations? We partner with trusted Australian MSPs delivering full-stack managed security services at PROTECTED level. We handle the build; they run the ongoing operation.
MSSSOC 24x7Managed

Ready to scope an engagement?

A 30-minute discovery call to understand where you are, what PROTECTED means for your workloads, and a realistic view of the path to accreditation.

§ PROGACT Cyber / PROTECTED Programme

Accreditation built in. Not bolted on. From day one.

A structured programme for organisations that need a Microsoft 365 and Azure environment capable of supporting workloads classified up to PROTECTED — delivered ready for IRAP assessment, with the artefacts and evidence already in the formats an independent assessor expects.

§ 01 · Objective

Deliver a Microsoft cloud and hybrid environment capable of supporting workloads up to PROTECTED — with accreditation artefacts, control evidence and operational readiness produced as part of delivery.

The programme is structured so that the same team who designs the environment also produces the SSP, SRMP, SoA and supporting evidence. That single team, working against a single control baseline, is what makes the difference between an 18-month accreditation ordeal and an 8–12 month delivery.

Scope boundary: the IRAP assessment itself is conducted by an independent, IRAP-endorsed assessor of your choosing. ACT Cyber's role ends at the point your environment and evidence are ready for assessment. We maintain that separation deliberately — it preserves assessor independence.

§ 02 · Method

The four phases.

Phase · 01
Assess
Security posture review. ISM control gap analysis, classification alignment, on-prem-to-cloud transition risks, audit of any existing artefacts. We tell you exactly where you stand before we move. OutputPosture report · Gap matrix · Risk snapshot
Phase · 02
Design
Accreditation-ready architecture. Control-mapped design patterns, SSP, SRMP, risk register and authority artefacts — produced concurrently, in the formats assessors expect. OutputReference architecture · SSP · SRMP · SoA draft
Phase · 03
Implement
Secure platform build. M365, Azure, identity, endpoint and collaboration deployed against pre-validated patterns. Hardened by default. Documented as-built, not reconstructed later. OutputProduction environment · Configuration baselines · Evidence set
Phase · 04
Operate
Continuous compliance. Governance, uplift and evidence collection to sustain accreditation through operational life. Handover to your team, or to an MSP partner of your choice. OutputRunbooks · Evidence automation · Handover pack
Programme planning and delivery
Plate I · A programme, in flight
§ 03 · Reference Architecture

How it fits together.

A simplified view of the environment we design for clients. Every component is mapped to ISM controls, with evidence produced from configuration — not narrative.

FIG. 01 · Reference Architecture · ACT/REF-01 PROTECTED ALIGNED
▸ PROTECTED CLASSIFICATION BOUNDARY ISM ALIGNED · IRAP READY ▸ ▼ A · IDENTITY BACKBONE Entra ID · Conditional Access · Privileged Identity Management · Zero Trust ▼ B · CLOUD · MICROSOFT 365 Collaboration & Data Teams · SharePoint · Exchange Online · OneDrive Purview (DLP, Sensitivity Labels) · Defender for O365 SCH·B SCH·E SCH·F ▼ C · CLOUD · AZURE Platform & Workloads Landing Zone · Hub-and-Spoke · Private Endpoints Sentinel (SIEM) · Log Analytics · Compliance Manager SCH·B SCH·G ▼ D · MANAGED ENDPOINTS Devices & Users Intune (MDM/MAM) · Defender for Endpoint (XDR) ACSC Hardening Baselines · Compliance enforcement SCH·D ▼ E · HYBRID · ON-PREMISES Existing Estate Active Directory · Hybrid Identity · ADFS Fortinet edge · Site-to-site VPN · ExpressRoute SCH·H
▸ A

Identity Backbone

Zero Trust identity is the spine. PIM, Conditional Access, MFA enforcement — the ISM controls every other layer relies on.

▸ B

M365 Collaboration

Sensitivity labels, DLP, Teams governance and SharePoint architecture — within ISM data handling boundaries.

▸ C

Azure Platform

ISM-aligned landing zone, hub-and-spoke architecture, private endpoints, Sentinel-based SIEM. Built right the first time.

▸ D / E

Endpoints & Hybrid

Intune + Defender XDR + ACSC baselines on the device side. Hybrid identity and secure connectivity on the on-prem side.

§ 04 · Timeline

Concurrent, not sequential.

Most PROTECTED programmes run 18–24 months because accreditation is treated as a separate workstream. Ours run shorter because the artefacts are produced during build.

MONTHS →
4812162024
Without ACT Cyber
Architecture
Build
Documentation
Remediation
IRAP assessment (independent)
With ACT Cyber
Assess + Design
Build
Documentation (concurrent)
Remediation
IRAP assessment (independent)

Indicative. Timelines depend on existing estate, tenant maturity and internal governance cadence.

Documentation and delivery artefacts
Plate II · Documented as built, not after

Audit pressure mounting?

Fast compliance. Cost effective. Zero audit surprises. Talk to a cleared PROTECTED specialist about your programme.

§ PARTNERINGACT Cyber / Partnering
Industry Capability Partner

Bidding on Commonwealth work? Already won it? Be ready, fast.

For industry organisations bidding on, or already delivering, Commonwealth contracts — ACT Cyber is the sovereign Microsoft cloud and PROTECTED-readiness partner that gets your team to Commonwealth security standards (ISM, PSPF, Essential 8, ISMS) fast.

§ 01 · The Value We Bring

Why partner with ACT Cyber.

Commonwealth contracts come with security obligations few industry teams have in-house. Whether you're bidding for the work or scrambling to meet the standards after winning it — ACT Cyber is built to lift you to Commonwealth-ready, fast.

Our team has spent careers delivering into Australian Government and regulated environments. We don't compete with our partners — we specialise in what most industry teams don't have in-house: deep PROTECTED-aligned Microsoft cloud delivery, ISM and Essential Eight uplift, ISMS design and IRAP readiness acceleration. The kind of capability tender evaluators recognise and contract sponsors trust.

Sovereign and cleared.

100% Australian owned, AGSVA-cleared personnel, no FOCI risk. Passes probity without caveats.

Deep technical credibility.

PROTECTED-aligned M365 and Azure delivery with ISM and Essential Eight as the baseline. Operational, not theoretical.

Accreditation acceleration.

The ACT Cyber Method produces SSP, SRMP and SoA artefacts concurrently with build — a credible differentiator in any tender evaluation.

Microsoft specialisation.

Azure, M365, Entra ID, Intune, Defender, Purview and Sentinel — the platforms most Commonwealth programmes are moving to.

Tender-ready pack.

CVs, case studies and capability statements ready to insert once a partnering agreement is established.

Tenders move fast. Contract clocks tick faster. Our partner pack is ready for both.

Most Commonwealth tenders give industry days — not weeks — to lock in their delivery team. And once you've won, the security clock starts running. ACT Cyber maintains a continuously updated Partner Pack and is ready to mobilise on either side of contract award — at the speed your tender or contract demands.

Industry partnership and collaboration
Plate I · Built for partnership
§ 02 · Available once partnering agreement established

What's in the partner pack.

Six artefacts, ready to insert into your tender response — or to demonstrate capability uplift to a contract sponsor post-award.

DOC

Team CVs

Cleared personnel CVs formatted for Commonwealth tender submission.

  • Clearance level stated
  • Programme experience highlighted
  • Microsoft certifications
PDF

Sanitised case studies

Outcome-focused case studies from regulated programme delivery.

  • PROTECTED cloud delivery
  • IRAP readiness outcomes
  • Quantified metrics
PDF

Capability statement

Concise capability statement covering core offerings and sovereign credentials.

  • Two-page and one-page formats
  • ISM, IRAP, Essential 8
  • Microsoft credentials
XLS

Commercial rate card

Labour categories and indicative rates structured to map to common Commonwealth panel formats.

  • Role-based categories
  • Day rate & fixed-price
  • Cleared role variants
PDF

Past performance register

Structured register of relevant programme experience for tender past performance requirements.

  • Categorised by capability
  • Classification indicated
  • Referee contacts on request
DOC

Corporate credentials

Insurance certificates, ABN, Microsoft Partner ID and personnel clearances packaged for tender submission.

  • Professional Indemnity ($10M / $20M)
  • Public & Products Liability ($20M)
  • Microsoft AI Cloud Partner
§ 03 · Sanitised · Full versions in partner pack

Case study snapshots.

A taste of recent engagements. Detailed, sanitised versions live in the Partner Pack — released once a partnering agreement is in place.

Commonwealth Agency
PROTECTED

PROTECTED M365 readiness

Microsoft 365 tenant designed and documented to ISM PROTECTED. Conditional Access, PIM, Purview DLP and sensitivity labels — all artefacts produced concurrently with build.

8wkTo IRAP-ready
ISMAligned
E8ML2 achieved
Regulated Agency
PROTECTED

Sovereign Azure landing zone

ISM-aligned Azure landing zone, hub-and-spoke architecture, identity-first security model and full governance framework stood up alongside the build.

10wkDesign to live
ISMAligned
HybridReady
Commonwealth Regulatory Body
PROTECTED

Zero Trust identity — Entra ID & Essential 8

Complete Entra ID zero trust architecture — Conditional Access, PIM, MFA enforcement and device compliance. Essential 8 Maturity Level 2 achieved.

ML2Essential 8
ZeroTrust
12wkDelivery

Note: case studies above are illustrative pending real engagement data. Real anonymised outcomes will replace these as engagements complete.

Mobilising for tender and delivery
Plate II · Mobilising at the speed your tender demands
§ 04 · From first contact to tender

How the partnering process works.

01

Make contact

Reach out to discuss the opportunity, capability fit and commercial structure.

02

Agree to partner

A teaming or partnering agreement is put in place — protecting both parties.

03

Pack dispatched

CVs, case studies, capability statement and commercial rates provided promptly.

04

We deliver

Bid wins or contract is in place — ACT Cyber mobilises as scoped, cleared, capable and ready from day one.

Bidding for, or delivering, a Commonwealth contract?

Get in touch early — partnering agreements are quick to establish, the pack is ready to go, and we can mobilise to lift your team to ISM, PSPF and Essential 8 standards before the contract clock makes it expensive.

§ 00ACT Cyber / About

Australian. Cleared. Specialist.

ACT Cyber is an Australian-owned cyber consultancy with a deliberately narrow practice — Microsoft 365, Azure and hybrid environments delivered to the ISM PROTECTED standard. Founded and led by practitioners who build for audit, not around it.

§ 01 · Mandate

Most PROTECTED programmes take too long, cost too much, and arrive at IRAP with gaps that should never have been there. We exist to change that.

Our mandate is narrow on purpose. We do not try to be everything to everyone. We focus on Microsoft cloud and hybrid environments, ISM PROTECTED aligned, because that is where deep specialist knowledge saves clients months of effort and tens of thousands of dollars.

Every engagement is led by senior consultants. Every artefact is written by the same team that built the environment. Every configuration traces back to a control, and every control is mapped to evidence that an IRAP assessor will accept.

A team built for audit A team built for audit
§ 02 · Principles

Principles that shape the work.

Principle 01

Build for the assessor in the room.

Every design decision, every artefact, every configuration is produced knowing an IRAP assessor will read it. If it won't pass scrutiny, we don't ship it.

Principle 02

Platform over paperwork.

ISM controls satisfied by Microsoft platform configuration beat controls satisfied only by documentation. Prove it in the tenancy, not just the SSP.

Principle 03

Specialist, not generalist.

We don't try to be everything. PROTECTED Microsoft environments are the brief — that's where depth matters, and depth is where clients save time and cost.

Principle 04

Sovereignty, end-to-end.

Australian-owned, Australian-staffed, Australian-delivered. Clearances, data, decisions and contracts all stay onshore.

§ 03 · Credentials

The firm in six lines.

Ownership
100% Australian owned and operatedNo foreign ownership, no FOCI risk
Clearance
AGSVA-cleared consulting team
Specialisation
Microsoft 365, Azure & hybrid — to PROTECTEDISM-aligned, Essential 8, PSPF, IRAP-ready
Partners
Microsoft, Fortinet, Australian MSP networkFor outsourced managed security at PROTECTED
Registered Office
Canberra, Australia
Entity
ACT Cyber Pty Ltd · ABN 86 688 456 957

Want to know how we'd approach your programme?

A short conversation is the fastest way to find out whether ACT Cyber is a good fit for your PROTECTED pathway.

§ 00ACT Cyber / Credentials

Credentials, in writing.

The certifications, insurances and corporate facts our consultants and clients lean on. All credentials are held by ACT Cyber consultants — verification copies and certificates of currency are available on request as part of due-diligence or tender responses.

§ 01 · Security Leadership

Strategic depth.

Senior credentials in governance, risk and security leadership.

CISM
Certified Information Security Manager
ISACA
Validates strategic capability in information security governance, risk management and incident response. Held by senior team members responsible for aligning cyber programmes with business objectives.
CISSP
Certified Information Systems Security Professional
ISC²
Globally recognised credential covering security architecture, operations and software development. Demonstrates technical depth and the ability to design and run high-assurance security programmes.
CRISC
Certified in Risk and Information Systems Controls
ISACA
Specialist credential in identifying and managing IT and cyber risk and implementing effective controls. Underpins the team's ability to integrate risk with business strategy and compliance requirements.
Governance and security leadership
Plate I · Governance, in practice
§ 02 · Microsoft Architect Credentials

Microsoft cloud, at the architect tier.

Senior individual Microsoft certifications held by ACT Cyber consultants — covering the platforms we build to PROTECTED.

SC-100
Microsoft Cybersecurity Architect Expert
Microsoft
Microsoft's senior cybersecurity architect credential covering Azure, Microsoft 365 and hybrid cloud. Validates the design of zero trust architectures, identity and access strategies, threat protection and data security solutions.
AZ-305
Microsoft Azure Solutions Architect Expert
Microsoft
Validates expertise in designing secure, scalable and reliable solutions on Microsoft Azure across compute, networking, storage and security. Aligned with the Microsoft Cloud Adoption and Well-Architected Frameworks.
Technology architecture detail
Plate II · Microsoft cloud, configured
§ 03 · Architecture & Standards

Independent frameworks, applied with discipline.

Architecture and ISMS standards that underpin our designs and governance practice.

SABSA
Sherwood Applied Business Security Architecture — Foundation
SABSA Institute · SCF
Risk-based enterprise security architecture framework. Ensures security is integrated into every layer of business and IT strategy, with decisions traceable to organisational goals — agile, scalable and governance-focused.
ISO 27001
ISO/IEC 27001 Lead Implementer
PECB
Advanced expertise in establishing, managing and continually improving information security management systems based on ISO/IEC 27001. Underpins the firm's ISMS and GRC consulting practice.
Modern architecture and structured design
Plate III · Architecture, by design
§ 04 · Corporate & Assurance

The procurement-ready facts.

Corporate, insurance and partner details for tenders and due-diligence reviews.

Professional Indemnity
$10M / $20M
$10,000,000 any one claim · $20,000,000 in the aggregate during the insurance period.
Public & Products Liability
$20M
$20,000,000 any one occurrence (and aggregate in respect of product liability) · $20,000,000 any one occurrence in connection with the insured's business.
Entity
ACT Cyber Pty LtdABN 86 688 456 957
Ownership
100% Australian owned and operatedNo foreign ownership · No FOCI risk
Personnel
AGSVA-cleared consulting team
Microsoft Partnership
Microsoft AI Cloud PartnerMember of the Microsoft AI Cloud Partner Program · Partner Success Core Benefits
Microsoft Partner ID
6445298Microsoft AI Cloud Partner Program · Commercial Marketplace, Microsoft 365 & Copilot
Registered Office
Canberra, Australia

On request: certificates of currency for both insurances, certification copies for any of the credentials above, and tender-format CVs for cleared consultants — typically returned within one business day.

Need credentials in tender format?

We maintain capability statements, insurance certificates and CVs ready to insert into tender responses. Get in touch and we'll send what you need.

§ 00ACT Cyber / Contact

Talk to a cleared PROTECTED specialist.

Whether you're scoping a programme, responding to audit pressure, or comparing delivery options — we'll give you a direct, technical answer within one business day.

Email
info@actcyber.com.au
Phone
0420 261 898
Web
www.actcyber.com.au
Entity
ACT Cyber Pty Ltd
ABN 86 688 456 957 · Canberra, Australia
Response commitment
Enquiries are reviewed by a senior consultant — not a salesperson. You'll get a substantive response within one business day, including an honest view on whether we're the right fit.