BISTEC IT Services

Compliance

Compliance built in, not bolted on.

BISTEC operates against the frameworks regulators and cyber-insurers actually ask for — CPS 234, Essential Eight ML2, Privacy Act / NDB. Not as a project add-on. As the default posture on every managed engagement. Our deepest track record is with the Australian frameworks; equivalent mappings available for other regions.

Control documentation, board-ready evidence packs, and senior named accountability where the framework demands it.

Three frameworks

The frameworks your board is accountable to

Each one has a different regulator, a different consequence set, and a different evidence shape. We know all three.

APRA

CPS 234 Alignment

The board-accountable information-security standard for APRA-regulated entities — banks, mutuals, insurers, super funds. §11/§13/§15/§35 control mapping. 72-hour breach notification readiness. Evidence pack on request.

Financial Services — APRA-regulated

ASD

Essential Eight ML2

The Australian Signals Directorate's mitigation strategies at Maturity Level 2. Patch cadence, MFA, application control, backup integrity — documented, tested, evidenced. The baseline your cyber-insurer and government contracts now expect.

All sectors — financial services, legal, healthcare

OAIC

Privacy Act / NDB

Australian Privacy Act APP 11 security obligations and Notifiable Data Breach scheme readiness. Breach response playbook, retention alignment, NDB notification within 30 days. Applies to every organisation handling personal information.

All sectors — any organisation with personal data

Why this matters now

  • Regulators are enforcing, not advising

    APRA issued its first CPS 234 enforcement notice in 2023. The OAIC issued record NDB determinations in 2024–25. The penalty regime has arrived.

  • Cyber-insurers use the same frameworks as questionnaires

    Your renewal questionnaire maps almost exactly to Essential Eight and CPS 234 controls. If you can evidence those, you can answer the underwriter.

  • Frameworks are now contractual requirements

    ASX-listed counterparties, government procurement, and major-bank supply-chain audits are embedding Essential Eight ML2 as a vendor prerequisite.

What does your current posture look like?

Twenty minutes. We'll bring the control framework, map it against what you've told us, and give you an honest read — not a sales deck.