Cyber Maturity Self-Assessment
In under five minutes, get a clear, risk-aligned view of your current cyber maturity – and what to prioritise next.
Before frameworks or uplift, you need a clear view of your current cyber maturity.
The Australian Signals Directorate Annual Cyber Threat Report shows that 70% of cyber incidents in Australia target organisations with critical operational dependencies. As a result, cyber exposure and business resilience are now inseparable. New regulations, hybrid work, complex supply chains, and emerging AI risks are reshaping what “good” looks like in cyber security — and many organisations aren’t as prepared as they think.
Not every organisation needs the same cyber controls – but every organisation needs clarity.
To help organisations cut through complexity, we’ve created the Cyber Maturity Self-Assessment. In under five minutes, the assessment establishes a clear baseline of your current cyber maturity across twelve critical domains.
Your results are then reviewed in a guided walkthrough with Avocado, where we assess your risk context (including your organisation’s size, sector, operating model, and risk exposure) and provide right-sized recommendations aligned to real business risk.
This gives you an objective view of your current maturity – before decisions are made, budgets are set, or controls are added.
About the self-assessment
Surface-level compliance doesn’t reduce risk. Meaningful action does.
This self-assessment acts as a maturity baseline. We don’t start with a framework and force your organisation to fit it.
We start with your maturity and risk context, then use frameworks to validate and prioritise the right level of uplift.
Our approach ensures uplift is proportionate, defensible, and aligned to how your organisation actually operates.
Built on real-world delivery experience across regulated industries including healthcare, financial services, utilities and government, our Cyber Maturity Self-Assessment and walkthrough is aligned to Essential Eight and other industry frameworks, then goes further to reflect the broader risks organisations face today. It evaluates maturity across twelve domains — spanning technical controls, governance, enterprise risk, third-party exposure and emerging AI risks — to provide a practical view of how well you protect, detect, respond and recover.
“Essential Eight is a baseline - not a strategy. It tells you whether key controls exist. Our assessment and walkthrough tells you whether they’re enough for your business.”
How the assessment works - designed to give leaders clarity — not complexity.
1. Complete a short, structured questionnaire
Answer 12 quick, multiple-choice questions that assess your current practices across technical controls and GRC domains. The questionnaire is designed to establish a baseline of your maturity. We’ll also gather extra details, such as organisation size and sector, to assess your risk context.
2. Use the maturity scale to guide your responses
For each question, select a rating from 1 to 5 that best reflects how your organisation operates today. Once complete, you’ll receive a classification placing your organisation into one of four cyber resilience maturity levels. This is not a pass/fail score; it’s a directional view to support informed decision-making.
3. Explore your results with Avocado
In your complimentary results walkthrough, our cyber specialists will unpack your maturity classification, validate what it means in the context of your business, and help identify the most appropriate next steps — whether that’s embedding Essential Eight, aligning towards ISO 27001 where justified, applying SMB1001, or prioritising targeted uplift based on your risk profile and operating model.
4. Decide your next move
You now have clarity on risk prioritisation – not checkbox compliance. Use your tailored insights to inform strategy, support board conversations, justify investment, and prioritise initiatives – with the option to partner with Avocado to deliver your roadmap.
Cyber Resilience Maturity Levels
Avocado’s Self-Assessment Maturity Model
- Starting Out
- Developing
- Maturing
- Advanced
Avocado’s Maturity Self-Assessment provides a clear maturity scale from 1–4, underpinned by our proven Assessment Model. Drawing on decades of delivery, security, and governance experience, the model applies a practical, real-world lens across both foundational controls and emerging risks.
It goes beyond traditional checklists to assess how effectively your organisation protects, detects, and responds across critical areas – including application security, patching, privilege management, resilience, governance, third-party exposure, and the rapidly evolving risks introduced by AI and machine learning.
Our walkthrough approach is tailored to your sector, organisational size, and risk appetite – ensuring uplift is proportionate and meaningful.

Who is this assessment for?
Designed for CISOs, CIOs, Risk teams, Cyber Security teams, IT leaders, and organisations looking for a pragmatic, fast way to benchmark their cyber maturity before making strategic decisions. Whether your controls are emerging or already mature, this assessment provides a clear baseline and practical next steps.
Whether you are just starting to formalise your cybersecurity controls or are looking to validate a mature programme, this assessment will help you understand where you are today and what to prioritise next.
Why Avocado?
Founded in 2004, Avocado is a trusted Australian IT consultancy helping organisations uplift cyber security, technology delivery, and operational resilience. Our cybersecurity and GRC expertise spans strategy, architecture, implementation, and ongoing risk optimisation.
We help you:
- Translate technical controls into business language your executives understand
- Align cyber initiatives with governance, risk, and compliance expectations
- Prioritise use cases that deliver real risk reduction and measurable value
- Move from reactive firefighting to confident, data-driven decision-making
- Right-size recommendations to your industry, threat exposure, organisational size, and risk appetite – we never recommend unnecessary controls.
With Avocado, you’re not just filling out a survey. You’re taking the first step towards a clearer, more mature cybersecurity and GRC posture – so you can deliver with certainty.
Frequently asked questions
Isn't this just another cyber checklist?
No. Checklists show whether a control exists. This assessment helps you understand whether your current approach is sufficient for your organisation’s size, sector, and operating model — and what to prioritise next.
We’ve already completed Essential Eight. Why do this?
That’s a strong foundation. Essential Eight is the government-recommended baseline. Our assessment and walkthrough confirm whether that baseline is sufficient for your current risk profile and identify any targeted uplift that would materially reduce exposure.
What if we haven’t implemented Essential Eight yet?
That’s exactly where this assessment is useful. We assess your current maturity and provide a practical, prioritised path forward — starting with the fundamentals and building from there.
Do we need to be aiming for ISO 27001?
Not necessarily. We don’t default to a one-size-fits-all end state.
Recommendations are right-sized and may align to Essential Eight uplift, SMB1001, ISO, or targeted improvements — based on what’s appropriate for your organisation.
What will we get at the end of the assessment and walkthrough?
A clear view of your current maturity, the risks that matter most, and practical next steps aligned to your business context and adopted frameworks.
Is this designed for smaller organisations too?
Yes. The assessment scales to your context. The focus is on practical controls that reduce risk — without introducing unnecessary complexity.
How often should we repeat the self-assessment?
Cyber risk changes as your organisation changes, so the right frequency depends on how rapidly your organisation is changing. Many teams re-assess maturity annually or after a major change, such as a cloud migration, new systems, M&A, or a significant incident.
How is this different from automated assessment tools?
Automated tools are useful for snapshots and for monitoring established controls. This assessment goes further by incorporating business context and helping you prioritise what will actually reduce risk for your organisation.
Cybersecurity Control Maturity Scale - How to select your responses
This questionnaire has 12 multiple-choice questions. For each question, choose the rating that best reflects what actually happens in your organisation today (not what’s written in policy).
You can complete it on your own or with a colleague from risk, IT, or security. For the most accurate result, we recommend involving at least one person who understands your day-to-day operations and existing controls.