ONLINE ACT CYBER // SPECIALIST CONSULTING // AUSTRALIA
REF · ACT/2026/PUB/01
§ 00 Capability Brief

A specialist cyber consultancy for PROTECTED-aligned Microsoft 365 and Azure environments.

ACT Cyber designs, deploys and documents Microsoft cloud and hybrid environments to the Australian Government ISM PROTECTED standard — so you arrive at an IRAP assessment fully prepared, with the artefacts and evidence already in the formats your assessor expects.

§ 01

Position.

Anyone can say they “deliver secure M365.” We design in what assessors look for — so you don't waste months fixing gaps later.

ACT Cyber is an Australian-owned consultancy with a deliberately narrow practice: Microsoft 365, Azure and hybrid environments, engineered to meet the Australian Government's ISM PROTECTED control baseline and the Essential Eight.

We produce the full accreditation package alongside the build — SSP, SRMP, SoA, risk register and control evidence — in the formats IRAP assessors expect. No retrofit, no rewrite, no surprises when the assessor arrives.

A note on scope: ACT Cyber prepares organisations for IRAP assessment. We do not perform IRAP assessments and we are not an IRAP-endorsed assessor — that engagement is deliberately kept separate, with an independent assessor of your choosing.

§ 02

Frameworks we build to.

ISM
Australian Government Information Security Manual — the control baseline for our designs. Every configuration traces back to an ISM control.
Essential 8
ACSC Essential Eight Maturity Model — implemented by platform configuration, not documentation alone.
PSPF
Protective Security Policy Framework — informs information handling, classification and governance patterns.
IRAP
Information Security Registered Assessors Programme — we ready organisations for assessment. The independent IRAP assessor remains a separate party.
PROTECTED
Classification ceiling we design to. All delivery is capable of supporting workloads classified up to PROTECTED.
§ 03

Why ACT Cyber.

  1. Assessor-first design.

    Every artefact is produced in the format IRAP assessors expect — SSP, SRMP, SoA — concurrently with build, not retrofitted afterwards.

  2. Controls satisfied by configuration.

    ISM and Essential Eight controls met by Microsoft platform configuration and operational practice — not documentation alone.

  3. AGSVA-cleared, Australian-delivered.

    Australian-owned, AGSVA-cleared consultants operating under Australian jurisdiction. No offshore touch, no outsourced accountability.

  4. Hybrid by design.

    We extend PROTECTED compliance from Azure and M365 into your on-premises estate — no weak links between cloud and legacy environments.

§ 04

Microsoft platform specialisation.

We work across the full Microsoft security and productivity stack — configured for Australian Government regulated workloads.

Azure · IaaS / PaaS
Microsoft 365 · E3 / E5
Entra ID · Identity
Intune · Endpoint
Defender · XDR
Purview · Data
Sentinel · SIEM
SharePoint · Collab
Teams · Collab

Partner ecosystems: Microsoft · Fortinet · trusted Australian MSP network for outsourced managed security.

§ 05

Engage.

The fastest way to start is a 30-minute discovery conversation. We'll understand where you are, what PROTECTED means for your specific workloads, and give you an honest view of a realistic path to accreditation.

§ 00 ACT Cyber / Services

Schedule of services.

Nine service lines covering the complete lifecycle of a PROTECTED-aligned Microsoft environment — from initial assessment through to handover or managed operations.

SCH · B
Secure Cloud Design · Design & Architecture
ISM-aligned Azure landing zones, hub-and-spoke architecture, identity-first security design, private endpoints and PROTECTED workload hosting patterns. Reference architecture mapped to ISM controls.
Azure · Landing Zone · Reference Architecture
SCH · C
Identity-First Security · Identity & Access Management
Entra ID architecture, Conditional Access, Privileged Identity Management and Zero Trust access patterns — the identity discipline that PROTECTED environments demand, applied to a modern Microsoft stack.
Entra ID · Zero Trust · PIM
SCH · D
Managed Device Hardening · Endpoint Security
Intune and Defender for Endpoint, ACSC hardening baselines, automated compliance enforcement and SOC integration across managed and distributed endpoints.
Intune · Defender · ACSC Baselines
SCH · E
Secure M365 Collaboration · Data & Collaboration
M365 for regulated workloads — sensitivity labels, Data Loss Prevention, Teams governance, SharePoint architecture and Purview data classification operating within ISM data handling boundaries.
M365 · Purview · DLP · Teams
SCH · F
Tailored ISMS · Governance, Risk & Compliance
An Information Security Management System that fits your organisation — practical, actionable, and designed to prove controls in practice, not just on paper. Aligned to ISM, PSPF and Essential Eight.
ISMS · PSPF · Risk Management
SCH · G
IRAP Readiness · Assessment Preparation — Not Assessment
End-to-end preparation for an independent IRAP assessment — SSP, SRMP, risk register, SoA and control evidence. Pre-assessment gap analysis, rehearsal and remediation. Your assessor arrives to a complete, coherent package. We prepare; an IRAP-endorsed assessor of your choosing conducts the assessment.
Readiness · SSP · SRMP · Gap Analysis
SCH · H
Cloud to On-Prem Integration · Hybrid Infrastructure
Seamlessly extend PROTECTED compliance from Azure and M365 into your on-premises estate — hybrid identity, secure connectivity, unified logging. No weak links between environments.
Hybrid · Active Directory · Fortinet
SCH · I
Outsourced Managed Security · MSP Partner Network
Prefer to outsource day-to-day operations? We partner with trusted Australian MSPs delivering full-stack managed security services at PROTECTED level. We handle the build; they run the ongoing operation.
MSS · SOC 24x7 · Managed
§ ENGAGE · NEXT STEP

Ready to scope an engagement?

A 30-minute discovery call to understand where you are, what PROTECTED means for your workloads, and a realistic view of the path to accreditation.

§ PROG ACT Cyber / PROTECTED Programme

Accreditation built in. Not bolted on. From day one.

A structured programme for organisations that need a Microsoft 365 and Azure environment capable of supporting workloads classified up to PROTECTED — delivered ready for IRAP assessment, with the artefacts and evidence already in the formats an independent assessor expects.

§ 01

Objective.

Deliver a Microsoft cloud and hybrid environment capable of supporting workloads up to the Australian Government's PROTECTED classification — with accreditation artefacts, control evidence and operational readiness all produced as part of delivery.

The programme is structured so that the same team who designs the environment also produces the SSP, SRMP, SoA and supporting evidence. That single team, working against a single control baseline, is what makes the difference between an 18-month accreditation ordeal and an 8–12 month delivery.

Scope boundary: the IRAP assessment itself is conducted by an independent, IRAP-endorsed assessor of your choosing. ACT Cyber's role ends at the point your environment and evidence are ready for assessment. We maintain that separation deliberately — it keeps the assessor's independence intact.

§ 02

Method — the four phases.

Phase · 01
Assess
Security posture review. ISM control gap analysis, classification alignment, on-prem-to-cloud transition risks, audit of any existing artefacts. We tell you exactly where you stand before we move.
Output: Posture report · Gap matrix · Risk snapshot
Phase · 02
Design
Accreditation-ready architecture. Control-mapped design patterns, SSP, SRMP, risk register and authority artefacts — produced concurrently, in the formats assessors expect.
Output: Reference architecture · SSP · SRMP · SoA draft
Phase · 03
Implement
Secure platform build. M365, Azure, identity, endpoint and collaboration deployed against pre-validated patterns. Hardened by default. Documented as-built, not reconstructed later.
Output: Production environment · Configuration baselines · Evidence set
Phase · 04
Operate
Continuous compliance. Governance, uplift and evidence collection to sustain accreditation through operational life. Handover to your team, or to an MSP partner of your choice.
Output: Runbooks · Evidence automation · Handover pack
Principle

Every document is produced in the format an IRAP assessor expects. No reformatting, no rewriting, no last-minute remediation.

§ 03

Reference architecture.

A simplified view of the environment we design for clients. Every component is mapped to ISM controls, with evidence produced from configuration — not narrative.

DIAGRAM · REF-ARCH-01 · ISM / PROTECTED ALIGNED
IDENTITY BACKBONE: Entra ID · PIM · Conditional Access (Zero Trust · ISM aligned)
CLOUD, MICROSOFT 365 (Collaboration & Data): Teams · SharePoint · Exchange · Purview · Defender
CLOUD, AZURE (Platform & Workloads): Landing Zone · Sentinel · Private Endpoints
MANAGED ENDPOINTS (Devices & Users): Intune · Defender XDR · ACSC Hardening
HYBRID, ON-PREMISES (Existing Infrastructure): Active Directory · Fortinet · Legacy systems
PROTECTED · ISM BASELINE · IRAP BOUNDARY
§ 04

Timeline — concurrent vs sequential.

Most PROTECTED programmes run 18–24 months because accreditation is treated as a separate workstream. Ours run shorter because the artefacts are produced during build.

CHART · MONTHS → 4 · 8 · 12 · 16 · 20 · 24
Without ACT Cyber: Architecture · Build · Documentation · Remediation · IRAP assessment (independent)
With ACT Cyber: Assess + Design · Build · Documentation (concurrent) · Remediation · IRAP assessment (independent)

Indicative. Timelines depend on existing estate, tenant maturity and internal governance cadence.

§ 05

Deliverables.

Architecture
Reference architecture, landing zone design, identity architecture, hybrid integration pattern.
Artefacts
System Security Plan, Security Risk Management Plan, Statement of Applicability, IRAP-ready evidence register.
Build
Production Azure & M365 environment configured to ISM baselines: Conditional Access, PIM, Intune policies, Defender, Purview, Sentinel.
Evidence
Control-to-configuration mapping, screenshots, policy exports, SoC test results — in IRAP-accepted format.
Transition
Operational runbooks, handover sessions, or warm handoff to an MSP partner for ongoing managed operations.
§ 06

Engagement.

Engagements begin with a short discovery call, followed by a scoping workshop. We work on fixed-scope, fixed-outcome engagements wherever possible — giving you cost certainty, and us the accountability that comes with it.

§ 00 ACT Cyber / About

Australian. Cleared. Specialist.

ACT Cyber is an Australian-owned cyber consultancy with a deliberately narrow practice — Microsoft 365, Azure and hybrid environments delivered to the ISM PROTECTED standard. Founded and led by practitioners who build for audit, not around it.

§ 01

Mandate.

Most PROTECTED programmes take too long, cost too much, and arrive at IRAP with gaps that should never have been there. We exist to change that.

Our mandate is narrow on purpose. We do not try to be everything to everyone. We focus on Microsoft cloud and hybrid environments, ISM PROTECTED aligned, because that is where deep specialist knowledge saves clients months of effort and tens of thousands of dollars.

Every engagement is led by senior consultants. Every artefact is written by the same team that built the environment. Every configuration traces back to a control, and every control is mapped to evidence that an IRAP assessor will accept.

§ 02

Principles.

  1. Build for the assessor in the room.

    Every design decision, every artefact, every configuration is produced knowing an IRAP assessor will read it. If it won't pass scrutiny, we don't ship it.

  2. Platform over paperwork.

    ISM controls satisfied by Microsoft platform configuration beat controls satisfied only by documentation. Prove it in the tenancy, not just the SSP.

  3. Specialist, not generalist.

    We don't try to be everything. PROTECTED Microsoft environments are the brief — because that's where depth matters, and depth is where clients save time and cost.

  4. Sovereignty, end-to-end.

    Australian-owned, Australian-staffed, Australian-delivered. Clearances, data, decisions and contracts all stay onshore.

§ 03

Credentials.

Ownership
100% Australian owned and operated · No foreign ownership, no FOCI risk
Clearance
AGSVA-cleared consulting team · Cleared to operate at PROTECTED
Specialisation
Microsoft 365, Azure & hybrid — to PROTECTED · ISM-aligned, Essential 8, PSPF, IRAP-ready
Partners
Microsoft, Fortinet, Australian MSP network · For outsourced managed security at PROTECTED
Registered Office
Canberra, Australia
Entity
ACT Cyber Pty Ltd · ABN 86 688 456 957
§ 04

Leadership.

ACT Cyber is directed by practitioners with deep experience in Microsoft platform delivery into Australian Government and regulated environments. Our team is small by design — senior engineers and consultants, not a layered hierarchy — so every client engagement is led by someone who still writes configuration and reviews every artefact.

Direct biographies and CVs are available on request as part of tender or due-diligence responses.

§ 00 ACT Cyber / Contact

Talk to a cleared PROTECTED specialist.

Whether you're scoping a programme, responding to audit pressure, or comparing delivery options — we'll give you a direct, technical answer within one business day.

Entity
ACT Cyber Pty Ltd
ABN 86 688 456 957
Response commitment
Enquiries are reviewed by a senior consultant — not a salesperson. You'll get a substantive response within one business day, including an honest view on whether we're the right fit.