Zac Carius

Information Security Advisory

Services

I provide pragmatic information security advisory services for government and highly regulated organisations. Engagements are risk-based, outcome-focused, and aligned with recognised standards and whole-of-government frameworks.

01 Information Security Governance & ISMS

Design, uplift, and operationalisation of Information Security Management Systems (ISMS) aligned with ISO/IEC 27001 and government requirements.

  • ISMS design, review, and remediation
  • Policy and procedure development
  • Audit finding analysis and treatment
  • Risk-based governance models

Typical outcomes include reduced audit findings, clearer accountability, and security controls that are embedded into operational practice rather than existing solely as documentation.

02 Essential Eight & Control Maturity

Independent assessment and uplift planning for Essential Eight and related control frameworks, with a focus on practical and sustainable maturity improvement.

  • Control gap assessments
  • Maturity uplift roadmaps
  • Architecture patterns for secure-by-default solutions
  • Executive and audit-ready reporting

This service is suited to organisations seeking to move beyond compliance checklists toward demonstrable and repeatable control effectiveness.

03 Security Architecture & Risk Advisory

Security-focused solution architecture and risk advisory services to support new initiatives, cloud adoption, and system changes within regulated environments.

  • Solution security architecture reviews
  • Threat modelling (STRIDE, OWASP)
  • Information security risk assessments
  • Facilitated risk workshops

Engagements emphasise enabling delivery while ensuring risks are understood, documented, and treated proportionately.

04 Vulnerability & Assurance Programs

Design and uplift of vulnerability management and security assurance operating models aligned with organisational risk appetite and capacity.

  • Vulnerability management governance and cadence
  • Tooling oversight (e.g. SIEM, vulnerability scanners)
  • Metrics, dashboards, and reporting models
  • Cross-stakeholder coordination and prioritisation

The focus is on moving from reactive remediation to predictable, risk-informed vulnerability treatment.