Case Studies
Proven results across Australian Government, defence industry, and critical infrastructure engagements.
Client identities have been anonymised in accordance with our confidentiality obligations. The challenges, approaches, and outcomes described are representative of real engagements.
IRAP Assessment — Cloud Migration at the Comprehensive Level
The Challenge
A major federal agency was migrating a core business system from on-premises infrastructure to Microsoft Azure. The system processed information at a high security tier under Australian Government security frameworks.
- Incomplete system documentation — SSP and SoA not updated for cloud architecture
- Unclear shared responsibility boundaries between agency, CSP, and MSP
- Control implementation gaps in network segmentation, PAM, and crypto key management
- Hard deadline: legacy environment decommissioning in 14 weeks
Our Approach
Weeks 1-2: Readiness Review
Desktop review of SSP, SoA, SRMP, and incident response plan. Identified and remediated 47 documentation gaps.
Weeks 3-4: Architecture Review
Reviewed Azure landing zone against ISM requirements. Identified 12 control implementation gaps.
Weeks 5-8: Remediation Support
Guided control implementation and validated remediation evidence. All 12 gaps addressed within three weeks.
Weeks 9-12: Assessment & Reporting
Formal IRAP assessment across ~380 ISM controls. SAR delivered and Authorising Officer briefed on residual risks.
Results
- Comprehensive authorisation achieved within 12 weeks — two weeks ahead of the decommissioning deadline
- Zero critical findings in the final Security Assessment Report
- 47 documentation gaps identified and remediated during readiness phase
- Shared responsibility model formally documented — reusable for future assessments
DISP Readiness — Defence Prime Contractor
The Challenge
A mid-tier defence contractor was pursuing a major Defence contract requiring DISP membership at Level 2. The organisation had never held DISP membership.
- No formal security governance framework aligned to DSPF or ISM
- Personnel security gaps — no clearance management or DSPF-aligned training
- Physical security deficiencies — no secure storage facilities
- Tight timeline — DISP membership required within five months
Our Approach
Weeks 1-3: Baseline Assessment
Comprehensive gap analysis against all four DISP security domains. Assessed 86 requirements: 31 met, 28 partially met, 27 not met.
Weeks 4-6: Remediation Roadmap
Prioritised roadmap addressing governance framework, personnel security procedures, physical security upgrades, and security officer appointment.
Weeks 7-14: Remediation Execution
Implemented 12-policy security suite, delivered DSPF-aligned training to all staff, established clearance management procedures, and stood up incident reporting framework.
Weeks 15-16: Application Support
Prepared and quality-assured the DISP membership application with all supporting evidence and documentation.
Results
- DISP Level 2 application submitted within 16 weeks — membership approved 8 weeks later
- 55 requirements remediated from unmet or partially met to full compliance
- 12 security policies developed, approved, and implemented across all DISP domains
- Contract secured — the organisation successfully bid on the target Defence contract
Essential Eight Uplift — Critical Infrastructure Operator
The Challenge
A critical infrastructure operator in the energy sector needed to uplift its cybersecurity posture following SOCI Act amendments and the requirement to develop a CIRMP. The board mandated Essential Eight ML2 as a baseline.
- Two strategies at Maturity Level Zero — application control and restricting admin privileges
- Legacy OT environment with unpatchable operating systems
- Decentralised IT across three geographically dispersed sites
- Small IT team with no dedicated cybersecurity staff
Our Approach
Weeks 1-4: Formal Maturity Assessment
Technical validation including configuration sampling, log analysis, and control effectiveness testing across all eight strategies.
Weeks 5-8: Uplift Program Design
Structured uplift program leveraging existing M365 E5 licensing. Developed compensating control strategy for legacy OT environment.
Weeks 9-18: Implementation Oversight
Fortnightly oversight across all three sites. WDAC deployment, PAW implementation, phishing-resistant MFA, 48-hour patch SLA, and Office macro hardening.
Weeks 19-20: Reassessment
Formal reassessment validating ML2 achievement across all eight strategies with documented evidence.
Results
- Maturity Level Two achieved across all eight strategies within 20 weeks
- Two strategies lifted from ML0 to ML2 — application control and restricting admin privileges
- Compensating controls documented and accepted for legacy OT systems
- CIRMP alignment achieved — Essential Eight uplift mapped to SOCI Act obligations
Virtual CISO Engagement — Cloud Service Provider
The Challenge
A rapidly growing Australian cloud service provider had scaled from 30 to 120 staff in 18 months. With several Australian Government clients, they needed to demonstrate ISM compliance and undergo IRAP assessments — but had no dedicated security leadership.
- No documented security strategy — investments were reactive, not planned
- Minimal security policies — unreviewed for over three years
- Two government contracts at risk without IRAP assessment within 12 months
- Engineering culture viewed security as a blocker, not an enabler
Our Approach
Phase 1 — Foundation (Months 1-3)
Security posture assessment, 12-month strategy development, governance framework establishment, core policy suite (12 policies), and security awareness program launch.
Phase 2 — Uplift (Months 4-8)
Essential Eight ML2 implementation, cloud security architecture review, vulnerability management program, incident response framework with tabletop exercises, and client engagement.
Phase 3 — Compliance & Maturity (Months 9-12)
IRAP assessment preparation and coordination, finding remediation, ongoing compliance cadence, and security metrics dashboard for board reporting.
Results
- Security strategy endorsed by the board within 8 weeks of engagement start
- IRAP assessment completed — platform authorised for government workloads
- Two government contracts renewed following successful IRAP assessment
- Phishing click rates dropped from 34% to 6% over 9 months of awareness training
- Zero security incidents resulting in data loss or service disruption
- ~40% cost saving compared to a full-time CISO hire while delivering equivalent outcomes
Ready to Discuss Your Security Challenge?
Every engagement is led directly by an endorsed IRAP Assessor. When you engage Tech Blaze, you work with the assessor — not an account manager, not a junior consultant.