Cyber Maturity Self-Assessment
Know exactly where your cyber maturity sits — and what to fix first
Before frameworks or uplift, get a clear view of your cyber maturity.
New regulations, hybrid work, complex supply chains, and emerging data risks are reshaping what “good” looks like in cyber security — making it harder for organisations to be confident their current controls still reduce risk.
Without a clear understanding of current maturity and risk context, cyber initiatives can create activity — without delivering meaningful risk reduction. Not every organisation needs the same cyber controls – but every organisation needs clarity.
Avocado’s Cyber Maturity Self-Assessment and guided walkthrough help you establish a practical baseline first, so you can confidently answer:
- Are we exposed?
- What matters most right now?
- What should we fix first?
About Avocado's self-assessment
Surface-level compliance doesn’t reduce risk. Meaningful action does.
Avocado’s online cyber maturity self-assessment tool acts as your maturity baseline. We don’t start with a framework and force your organisation to fit it. We start with your maturity and risk context, then use frameworks to validate and prioritise the right level of uplift.
- Complete Avocado’s Cyber Maturity Self-Assessment in under five minutes
- Designed to cut through cyber complexity and establish clarity fast.
- Gain a clear baseline of your current cyber maturity across Avocado’s twelve critical domains
- Receive a guided walkthrough of your results with Avocado
- Assess your risk context, including organisational size, sector, operating model, and risk exposure
- Get right-sized recommendations aligned to real business risk
- Walk away with an objective view of your current maturity — before decisions are made, budgets are set, or controls are added
Built on real-world delivery experience across regulated industries including healthcare, financial services, utilities and government, our Cyber Maturity Self-Assessment and walkthrough is aligned to Essential Eight and other industry frameworks, then goes further to reflect the broader risks organisations face today.
Our approach ensures uplift is proportionate, defensible, and aligned to how your organisation actually operates.
It evaluates maturity across twelve domains — spanning technical controls, governance, enterprise risk, third-party exposure and emerging AI risks — to provide a practical view of how well you protect, detect, respond and recover.
How the assessment works - designed to give leaders clarity — not complexity.
1. Complete a short, structured questionnaire
Answer 12 quick, multiple-choice questions that assess your current practices across technical controls and GRC domains. It takes less than 4 minutes to complete and is designed to establish a baseline maturity.
We’ll gather extra details to assess your risk context such as organisation size and sector.
2. Use the maturity rating to guide your responses
For each question, select a rating from 1 to 5 that best reflects how your organisation operates today.
Once complete, you’ll receive a classification placing your organisation into one of four cyber resilience maturity levels.
This is not a pass/fail score; it’s a directional view to support informed decision-making.
3. Explore your results with Avocado
In your complimentary results walkthrough, our cyber specialists will unpack your maturity rating, validate what it means in the context of your business, and help identify the most appropriate next steps, whether that’s embedding Essential Eight, aligning towards ISO 27001 where justified, applying SMB1001, or prioritising targeted uplift based on your risk profile and operating model.
4. Decide your next move
You now have clarity on risk prioritisation – not checkbox compliance.
Use your tailored insights to inform strategy, support board conversations, justify investment, and prioritise initiatives – with the option to partner with Avocado to deliver your roadmap.
Avocado's Maturity Levels
Avocado’s Maturity Self-Assessment is underpinned by 12 key domains. For each domain, you’ll rate your organisation against a consistent maturity scale, based on what actually happens in practice. Your self-assessment results in an overall maturity rating from 1 to 4.
Drawing on decades of delivery, security, and governance experience, this assessment model applies a practical, real-world lens across both foundational controls and emerging risks. It goes beyond traditional checklists to assess how effectively your organisation protects, detects, and responds across critical areas – including application security, patching, privilege management, resilience, governance, third-party exposure, and the rapidly evolving risks.
Our walkthrough approach is tailored to your sector, organisational size, and risk appetite – ensuring uplift is proportionate and meaningful.
Who is this assessment for?
Designed for CISOs, CIOs, Risk teams, Cyber Security teams, IT leaders, and organisations looking for a pragmatic, fast way to benchmark their cyber maturity before making strategic decisions. Whether your controls are emerging or already mature, this assessment provides a clear baseline and practical next steps.
Whether you are just starting to formalise your cybersecurity controls or are looking to validate a mature programme, this assessment will help you understand where you are today and what to prioritise next.
Why Avocado?
Founded in 2004, Avocado is a trusted Australian IT consultancy helping organisations uplift cyber security, technology delivery, and operational resilience. Our cybersecurity and GRC expertise spans strategy, architecture, implementation, and ongoing risk optimisation.
We help you:
- Translate technical controls into business language your executives understand
- Align cyber initiatives with governance, risk, and compliance expectations
- Prioritise use cases that deliver real risk reduction and measurable value
- Move from reactive firefighting to confident, data-driven decision-making
- Right-size recommendations to your industry, threat exposure, organisational size, and risk appetite – we never recommend unnecessary controls.
With Avocado, you’re not just filling out a survey. You’re taking the first step towards a clearer, more mature cybersecurity and GRC posture – so you can deliver with certainty.
Frequently asked questions
Isn't this just another cyber checklist?
No. Checklists show whether a control exists. This assessment helps you understand whether your current approach is sufficient for your organisation’s size, sector, and operating model — and what to prioritise next.
We’ve already completed Essential Eight. Why do this?
That’s a strong foundation. Essential Eight is the government-recommended baseline. Our assessment and walkthrough confirm whether that baseline is sufficient for your current risk profile and identify any targeted uplift that would materially reduce exposure.
What if we haven’t implemented Essential Eight yet?
That’s exactly where this assessment is useful. We assess your current maturity and provide a practical, prioritised path forward — starting with the fundamentals and building from there.
Do we need to be aiming for ISO 27001?
Not necessarily. We don’t default to a one-size-fits-all end state.
Recommendations are right-sized and may align to Essential Eight uplift, SMB1001, ISO, or targeted improvements — based on what’s appropriate for your organisation.
What will we get at the end of the assessment and walkthrough?
A clear view of your current maturity, the risks that matter most, and practical next steps aligned to your business context and adopted frameworks.
Is this designed for smaller organisations too?
Yes. The assessment scales to your context. The focus is on practical controls that reduce risk — without introducing unnecessary complexity.
How often should we repeat the self-assessment?
Cyber risk changes as your organisation changes, so the right frequency depends on how rapidly your organisation is changing. Many teams re-assess maturity annually or after a major change, such as a cloud migration, new systems, M&A, or a significant incident.
How is this different from automated assessment tools?
Automated tools are useful for snapshots and for monitoring established controls. This assessment goes further by incorporating business context and helping you prioritise what will actually reduce risk for your organisation.
Cybersecurity Control Maturity Rating - How to select your responses
This questionnaire has 12 multiple-choice questions. For each question, choose the rating that best reflects what actually happens in your organisation today (not what’s written in policy).
You can complete it on your own or with a colleague from risk, IT, or security. For the most accurate result, we recommend involving at least one person who understands your day-to-day operations and existing controls.