Industry — Financial Services
FS-grade IT services with named accountability.
Service Desk, Cloud and Managed Security for mid-market — banks, credit unions, mutuals, pension/super funds, mid-tier insurers. APRA CPS 234 alignment in writing where it applies. CPS 230 critical-operations mapping. Senior named security analysts.
- ISO 27001
- Microsoft Solutions Partner
- AWS Partner
- APRA CPS 234 alignment
- Essential Eight ML2
- Senior security operations
The mid-market FS reality in 2026
Mid-market FS spent 2025 watching the wave hit funds with two-million-plus member books — credential stuffing, weeks of public reporting, regulator letters, board-pack rewrites. APRA's cyber-stocktake letter is no longer a position paper; it is a control test the board has already failed once.
Three states recur in our intake calls:
The IT Manager state
"My ticket queue is fine, but I can't show the auditor what was fixed, by whom, when. Co-managed worked when I had a permanent partner. The current arrangement is tickets-in-a-tunnel."
The CISO state
"Two-to-four-year tenure. Reports to Risk now, not IT. Needs 24/7 eyes a regulator will accept, an evidence pack that survives a §15 control test, and one named analyst who picks up the phone at 2am — not a queue in a different time zone."
The Head of Risk state
"CPS 234 §15 and CPS 230 critical-operations sit on my desk. I'm ex-Big-4, not ex-IT. I need IT translated into risk-register language, board-grade evidence quarterly, and to know who's accountable, named, reachable."
How we work with mid-market FS
Service Desk that earns the audit pack
Co-managed — your team keeps ownership, ours embeds. Every ticket logged, categorised, evidenced, reportable against ITIL-aligned SLAs. First-fix rates published quarterly. Boring done well, on a regulator-grade timeline.
Cloud and Microsoft 365 hardened to CPS 234 §35–§36
Identity uplift, Conditional Access, Privileged Identity Management, encryption-at-rest mapping, backup immutability, sovereign data location. Mapped line-by-line against CPS 234 sub-clauses — the audit conversation is short.
Managed Security with senior named analysts
Three tiers — Foundation, Defence, Resilience. Defence is the most chosen across the mid-tier banks and pension/super funds we look after. Named senior security analysts. CREST credentials. 30-minute acknowledge / 1-hour containment on Defence. Quarterly board-grade evidence packs included.
Engineering depth from Colombo for everything that isn't security
Migrations, integrations, data work, M365/Azure builds, identity rollouts. Named accountability, with bench depth a 50-person practice could never staff alone. Security work stays with senior named analysts — that line never moves.
Evidence-grade reporting for Risk and Board
Quarterly board-pack template on Defence and above. CPS 234 §15 control-test mapping. CPS 230 critical-operations alignment. Tolerable-disruption-window narratives in risk language.
“Senior security with named accountability. Engineering depth from Colombo for everything that isn't security.”
What's on the contract
- ISO 27001 in force
- CPS 234 alignment documented
- CPS 230 critical-operations mapping
- Essential Eight ML2 + uplift roadmap
- SOC 2 Type II in flight
- We don't claim AI in security operations — humans do this work
- Mid-market on purpose
12-page worksheet
CPS 234 Readiness Worksheet
A 12-page self-assessment mapping your control state against §13–§36. Plus Essential Eight Maturity Level 2 self-scoring and a sample evidence-pack table of contents.
Sample CPS 234 Evidence Pack
What an audit-grade quarterly evidence pack actually looks like, redacted from a real engagement. Use it as a procurement reference even if you never call us.
Frequently asked
Yes. We document control mapping against §13–§36 in writing as part of every onboarding. Sample evidence pack downloadable above. Equivalent prudential framework mappings (e.g. for non-AU regulators) available on request.
Paired with CPS 234 throughout. We map your critical operations, dependency registers and tolerable-disruption windows; we don't treat 230 as a separate stream.
Yes. ML2 alignment with a documented uplift roadmap is included on Defence and above. ML1 baseline is part of Foundation.
Senior named security analysts, on the contract, with CREST credentials. Engineering depth from Colombo for non-security work — never the security operations.
No. We don't claim AI in security operations. Humans do this work. We think that's the honest answer in 2026.
No — and we say that on purpose. Mid-market FS is the segment we serve: banks, pension/super funds under $50bn AUM, mutuals, credit unions, mid-tier insurers, fintechs.
Yes — co-managed is our default at this size. Your team keeps ownership; we embed.
Ready for board-grade IT?
Twenty minutes. Bring your CPS 234 control register; we'll bring the evidence-pack template and three references in your sub-segment.
Call (+61) 413 649 132