---
title: "Ransomware Readiness Assessment | Insicon Cyber"
description: "Insicon Cyber's Ransomware Readiness Assessment gives Australian and New Zealand organisations a clear, board-ready view of their ransomware exposure — mapped to the ASD Essential Eight. North Sydney."
type: article
version: 2
version_id: "fd29615c-08dc-476a-b735-ec1a5754724d"
generated_at: "2026-04-21T00:40:05.199Z"
language: en
reading_time: "22 min"
word_count: 4252
keywords: ["Ransomware Readiness Assessment", "Insicon Cyber", "What you receive", "How it works", "Common questions"]
url: "https://insiconcyber.com/services/ransomware-readiness-assessment"
---

# Ransomware Readiness Assessment | Insicon Cyber

## Contents

- [Designed for boards and leadership teams, not IT departments](#designed-for-boards-and-leadership-teams-not-it-departments)
- [What the assessment covers](#what-the-assessment-covers)
- [What you receive](#what-you-receive)
- [How it works](#how-it-works)
- [Conducted by senior practitioners, not junior analysts](#conducted-by-senior-practitioners-not-junior-analysts)
- [The regulatory landscape has changed — the assessment keeps you ahead of it](#the-regulatory-landscape-has-changed-the-assessment-keeps-you-ahead-of-it)
- [Common questions](#common-questions)
- [Find out where you actually stand — before an attacker does](#find-out-where-you-actually-stand-before-an-attacker-does)

An honest, evidence-based view of your organisation's exposure to ransomware attack — mapped to the ASD Essential Eight and presented in language your board can act on.

Available to organisations across Australia and New Zealand.

[Book Your Assessment](/contact) [Ransomware Protection Overview](/services/ransomware-protection)

## Designed for boards and leadership teams, not IT departments

The Ransomware Readiness Assessment is commissioned by CEOs, CFOs, and boards who want an independent, senior-level answer to a single question: if a ransomware attack hit our organisation tomorrow, how bad would it actually be?

It is not a penetration test. It is not an IT audit. It is a structured assessment of your organisation's ransomware posture — covering technical controls, backup integrity, incident response readiness, and board governance — delivered with findings your leadership team can understand and act on immediately.

Organisations typically commission this assessment when:

- A high-profile ransomware attack has affected a peer organisation or competitor
- The board or audit committee has asked for independent assurance on cyber resilience
- New mandatory ransomware reporting obligations under the Cyber Security Act 2024 are not yet understood
- Cyber insurance renewal requires evidence of security controls and incident response capability
- APRA CPS 230 or CPS 234 obligations require demonstrated resilience planning
- The organisation lacks a dedicated CISO and senior cyber leadership is needed on an advisory basis

## What the assessment covers

The assessment works across five layers. Each represents a distinct category of ransomware exposure. Together they give a complete picture of where your organisation stands.

### 01. Essential Eight Maturity Baseline

The technical spine of the assessment. We evaluate your organisation's current maturity level (ML0 to ML3) across all eight ASD strategies, with particular focus on the four most directly relevant to ransomware: regular backups, multi-factor authentication, restrict administrative privileges, and application and operating system patching.

The output is a ranked gap map — not a score for its own sake, but a prioritised list of what an attacker could exploit today and in what sequence. For New Zealand organisations, findings are mapped to NZISM equivalents.

### 02. External Attack Surface Review

Before ransomware can be deployed, attackers need a way in. This component reviews what is visible and exposed on the internet: remote access services (VPNs, RDP, remote desktop gateways), unpatched internet-facing applications, exposed administrative interfaces, and services running with default or weak credentials.

Groups such as BianLian — which has actively targeted Australian organisations across critical infrastructure and professional services — use automated vulnerability scanning to identify targets at scale. This layer identifies what they would find first.

### 03. Backup Integrity and Recovery Validation

Backups are the primary ransomware recovery mechanism — and the first thing sophisticated attackers target before encrypting production systems. We verify whether backups are isolated from production networks (immutable or air-gapped), how recently they were successfully tested, whether a restore process has actually been practised, and whether your recovery time objective is realistic given business continuity requirements.

A New Zealand health organisation recovered from a significant ransomware attack in 2025 because backups had run one hour before the attack commenced. Most organisations do not know whether their backups would hold up under real conditions. This layer finds out.

### 04. Incident Response Plan Review

This layer tests whether your organisation knows what to do in the first 24 hours of an attack. We review whether a documented ransomware response plan exists, who has authority to make decisions (including the decision on whether to pay), how your legal counsel and insurer are engaged, and whether mandatory reporting obligations under the Cyber Security Act 2024 are understood, assigned, and can be met within the 72-hour window.

For organisations subject to APRA CPS 230, business continuity planning is assessed here. For New Zealand organisations, Privacy Act 2020 notification obligations are reviewed. We also assess whether the response plan has been tested through a tabletop exercise in the past 12 months.

### 05. Board Governance and Leadership Readiness

This is the layer that separates a technical audit from a genuine readiness assessment. We examine whether the board understands the organisation's actual ransomware exposure, whether ransomware risk has been formally risk-rated with a named owner and treatment plan, and whether the organisation has the senior cyber leadership — whether in-house or through a Fractional CISO — to respond decisively under pressure.

The output from this layer is a one-page board briefing alongside the technical findings — written for directors, not practitioners. It frames ransomware exposure in the financial and regulatory terms that boards need to make decisions.

## What you receive

Three distinct outputs, each written for a different audience within your organisation.

### Technical Findings Report

A detailed report for your IT and security team covering every assessed control, its current maturity rating, identified gaps, and a prioritised remediation action list with effort and cost guidance. Each finding is rated critical, high, or medium.

*Audience:* IT Manager, Security Lead, MSP or MSSP

### Executive Summary

A concise summary for the CEO and CFO translating technical findings into business risk. Covers your top three to five critical exposures, estimated recovery cost scenarios, regulatory obligations triggered by an attack, and a recommended 90-day action plan.

*Audience:* CEO, CFO, COO

### Board Briefing

A one-page briefing written for directors — not practitioners. Frames ransomware exposure in financial and regulatory terms. Covers the organisation's current risk rating, key obligations under the Cyber Security Act 2024, and the board's accountability under applicable frameworks. Suitable for presentation directly to the audit committee or full board.

*Audience:* Board, Audit Committee, Risk Committee

## How it works

For a mid-market organisation, the assessment is completed across three weeks. It does not require intrusive penetration testing or extended system access.

### Week 1: Discovery and Documentation Review

Structured interviews with your IT, operations, and executive leadership. Review of existing security policies, incident response plans, backup schedules, and compliance documentation. No disruption to daily operations.

### Week 2: Technical Validation

Hands-on review of the external attack surface, backup configuration and isolation, identity and access management controls, MFA deployment, and patching status. Essential Eight maturity is assessed across all eight strategies using the current ASD Maturity Model criteria.

### Week 3: Reporting and Briefing

Delivery of the three outputs: technical findings report, executive summary, and board briefing. A live debrief session is included for your executive team. For organisations that request it, Insicon Cyber can present findings directly to the board or audit committee.

## Conducted by senior practitioners, not junior analysts

The assessment is led by Insicon Cyber's co-founders and Fractional CISOs. You receive the direct attention of experienced practitioners who have advised boards and managed cyber incidents across Australia and New Zealand — not a templated report produced by a junior team.

**Matt Miller**, Co-founder, CEO and Fractional CISO

Matt advises boards and executive teams across Australia and New Zealand on cyber risk, regulatory obligations, and security strategy. He brings a board-first lens to every assessment — ensuring findings translate into decisions, not just documents.

**Greg Bunt**, Co-founder, Director and Fractional CISO

Greg brings deep technical and operational expertise to every engagement, with hands-on experience across Essential Eight uplift, incident response, and managed security operations for mid-market organisations in regulated sectors across both countries.

## The regulatory landscape has changed — the assessment keeps you ahead of it

Ransomware is no longer just a technology risk. Across Australia and New Zealand, it now carries direct regulatory consequences. The assessment specifically addresses your obligations under each relevant framework.

**Cyber Security Act 2024.** Mandatory ransomware payment reporting for organisations with turnover above $3 million and critical infrastructure entities. 72-hour notification window. Effective 30 May 2025.

**Privacy Act 1988 (Australia).** Notifiable data breach obligations activated when personal information is compromised in a ransomware attack. Notification required to the OAIC and affected individuals.

**APRA CPS 230 and CPS 234.** Regulated financial institutions must maintain material service provider registers, operational resilience plans, and information security capability — all directly tested in a ransomware event.

**NZ Privacy Act 2020.** New Zealand organisations must notify the Privacy Commissioner and affected individuals when a privacy breach is likely to cause serious harm — a threshold routinely met in ransomware incidents involving data exfiltration.

**SOCI Act.** Critical infrastructure operators in Australia face mandatory incident reporting obligations and are required to maintain a critical infrastructure risk management programme under the SOCI Act.

**ASD Essential Eight.** The Australian Government's recommended baseline for ransomware defence. Increasingly referenced by insurers, regulators, and procurement requirements as an expected standard of care.

## Common questions

### How is this different from a penetration test?

A penetration test attempts to actively exploit vulnerabilities in your systems. The Ransomware Readiness Assessment is a structured review — it evaluates your controls, processes, and governance against the attack chain ransomware groups actually use, without requiring the level of system access or disruption that a penetration test involves. The two are complementary, not interchangeable. The assessment typically precedes a penetration test and informs its scope.

### How long does the assessment take and what is required from our team?

The assessment is completed across three weeks for most mid-market organisations. We require structured interview time with your IT lead, a member of your executive team, and ideally your CEO or COO. We also require access to relevant security documentation — policies, backup schedules, incident response plans — but do not require ongoing system access or any disruption to daily operations.

### What size organisation is the assessment suited to?

The assessment is designed for mid-market organisations across Australia and New Zealand — typically those with between 50 and 1,000 employees, an annual turnover above $3 million, and no dedicated full-time CISO. It is particularly relevant for organisations in regulated sectors including healthcare, aged care, financial services, and professional services, where the regulatory consequences of a ransomware attack are most acute.

### What happens after the assessment?

The assessment produces a prioritised remediation roadmap. Insicon Cyber can support implementation through our Essential Eight advisory, Managed Compliance, and Fractional CISO services — or you can take the findings to your existing IT team or MSP. There is no obligation to engage further services. Many organisations also use the assessment outputs to support cyber insurance applications, board reporting, or regulatory submissions.

### Is the assessment available for New Zealand organisations?

Yes. Insicon Cyber operates across Australia and New Zealand. For New Zealand organisations, Essential Eight findings are mapped to NZISM equivalents, incident response obligations are assessed against the Privacy Act 2020 and CERT NZ reporting requirements, and the board briefing reflects New Zealand regulatory context. The assessment can be conducted remotely for New Zealand-based organisations.

## Find out where you actually stand — before an attacker does

The Ransomware Readiness Assessment gives your board and leadership team an honest, evidence-based view of your current exposure. No jargon. No vendor push. Direct access to senior practitioners who have advised organisations across Australia and New Zealand through exactly this kind of risk.

[Book Your Assessment](/contact) [Email Our Team](mailto:info@insiconcyber.com)

North Sydney, NSW, Australia  |  info@insiconcyber.com  |  insiconcyber.com

---

## About This Content

**Source:** [Ransomware Readiness Assessment | Insicon Cyber](https://insiconcyber.com/services/ransomware-readiness-assessment)