Compliance

COMPLIANCE & RESOURCES

Frameworks, demystified.

Essential 8, ISO 27001, SOC 2 and SMB1001: the frameworks and standards that matter to Australian businesses, plus the human-layer training that holds them together. BaseHost is the MSP that builds and runs the technology controls underneath them, day in and day out, alongside your compliance lead or auditor. Browse the framework primers, or jump straight to the free compliance triage.

FRAMEWORKS WE COVER

Three frameworks, working together

ACSC

Essential 8

Australian Cyber Security Centre's eight mitigation strategies. Maturity Level 1, 2, and 3. The Australian baseline for cyber maturity.

ISO/IEC

ISO 27001:2022

Information Security Management System certification. The international standard required by enterprise procurement.

AICPA

SOC 2

Trust Services Criteria attestation. Type I and Type II. The standard demanded by US enterprise buyers and increasingly Australian financial services.

HOW THEY RELATE

One environment, three lenses

Most clients we onboard already have to satisfy more than one of these frameworks. Essential 8 is increasingly required by Australian government contracts and large enterprise customers. ISO 27001 is the international procurement gate. SOC 2 unlocks US enterprise software customers and many AFSL relationships.

The good news: 80% of the controls overlap. We design environments that satisfy all three in one engineering pass, then maintain the evidence pack continuously, not in a panic the month before audit.

FREE TOOL

Compliance Triage

Eight questions, two minutes, and a personalised recommendation showing which of Essential 8, ISO 27001, SOC 2, SMB1001 and security awareness actually apply to your business right now.

HOW WE ENGAGE

From the first assessment to ongoing operation

Compliance work runs in four phases. The same engineers carry the project from assessment through to live operation, so the evidence and the runbook stay coherent end to end.

ASSESSMENT

Establish the starting point

Free compliance triage, or a scoping call for Essential 8, ISO 27001, SOC 2 or SMB1001. We confirm the framework, the in-scope environment, the timeline and the audit body, then put a written scope in front of you.

GAP REPORT

Map what is missing

Written findings against the control set, an evidence inventory of what already exists, and a prioritised remediation plan with effort estimates. You can act on the report yourself, or have us run the work.

REMEDIATION

Implement, with evidence

Engineers implement the controls, document the runbook, and capture audit-grade evidence as the work happens. No retrofit before the audit; the evidence library grows in parallel with the technical work.

OPERATION

Keep it operational

Controls live inside the managed service. Evidence is kept current, internal audits run on cadence, and we liaise directly with your external auditor or certification body when assessment time comes around.

SCOPE OF SERVICE

What BaseHost owns. What we don’t.

We’re an MSP, not a compliance consultancy. Frameworks, certifications and audits sit with you and your assessors. The technology underneath sits with us.

What BaseHost owns

  • Build and harden the M365, Entra ID, Defender and endpoint stack that each framework requires.
  • Configure access governance, MFA, conditional access, logging and monitoring.
  • Automate evidence capture and keep it audit-ready, not stale.
  • Run patching, change management and the day-to-day operation of every control.
  • Sit at the table with your auditor, ISMS lead or risk team and answer the technical questions.

What we don’t

  • Write your ISMS, statement of applicability or risk register.
  • Issue your certification or attestation.
  • Sign off your audit.
  • Act as your compliance lead, internal auditor or external assessor.
  • Decide which framework you adopt. That’s a business call.

Got an audit coming up? Or a procurement deadline?

30 minutes with a compliance lead. Tell us what you're working toward and we'll map the realistic path: readiness phase, evidence cycle and audit support.

BEYOND THE BIG THREE

A graduated path and the human layer

Essential 8, ISO 27001 and SOC 2 are the frameworks most clients name. For smaller businesses, SMB1001 offers a more graduated on-ramp. And every framework eventually depends on the people using the system, which is where our security-awareness programme comes in.

AUSTRALIAN SMB STANDARD

SMB1001: the SMB cybersecurity framework

SMB1001 is the Australian standard for cybersecurity in small and mid-sized businesses. It exists because Essential 8 ML2 and ISO 27001 are often too heavy for an organisation of 5 to 50 staff. SMB1001 provides a five-tier path that scales with the business.

  • Tier 1 - Basics: the no-cost self-assessment baseline (recommended for every SMB).
  • Tier 2 - Bronze: a documented foundation of essential controls.
  • Tier 3 - Silver: measurable security operations and incident response.
  • Tier 4 - Gold: independently verified, suitable for clients with regulated customers.
  • Tier 5 - Platinum: mature, audited cyber posture.

We help clients self-certify at Tier 1, then build progressively toward Bronze and Silver as part of the managed service. Many SMB1001 controls overlap with Essential 8 ML1, so the same work counts twice.

Explore the SMB1001 framework →

SECURITY AWARENESS · IN PARTNERSHIP WITH KNOWBE4

The human layer, via KnowBe4

Most security incidents we see start with a person clicking a link. BaseHost runs security-awareness training and simulated phishing campaigns for managed clients on the KnowBe4 platform, the de facto enterprise standard.

  • Quarterly micro-training assigned to every user, completion tracked.
  • Monthly simulated-phishing campaigns, click-through reduction tracked.
  • Risk score per user, surfaced in the monthly managed-services report.
  • Targeted remediation for repeat clickers, before they become an incident.

KnowBe4 maps to Essential 8 ML2/3 user-awareness controls, ISO 27001 A.6.3 and SOC 2 CC1.4. It is delivered as part of our managed cybersecurity service.

Explore our security-awareness programme →