Zac Carius

Services

I provide pragmatic information security advisory services for government and highly regulated organisations. Engagements are risk-based, outcome-focused, and aligned with recognised standards and whole-of-government frameworks.

Information Security Governance & ISMS

Design, uplift, and operationalisation of Information Security Management Systems (ISMS) aligned with ISO/IEC 27001 and government requirements.

• ISMS design, review, and remediation
• Policy and procedure development
• Audit finding analysis and treatment
• Risk-based governance models

Typical outcomes include reduced audit findings, clearer accountability, and security controls that are embedded into operational practice rather than existing solely as documentation.

Essential Eight & Control Maturity

Independent assessment and uplift planning for Essential Eight and related control frameworks, with a focus on practical and sustainable maturity improvement.

• Control gap assessments
• Maturity uplift roadmaps
• Architecture patterns for secure-by-default solutions
• Executive and audit-ready reporting

This service is suited to organisations seeking to move beyond compliance checklists toward demonstrable and repeatable control effectiveness.

Security Architecture & Risk Advisory

Security-focused solution architecture and risk advisory services to support new initiatives, cloud adoption, and system changes within regulated environments.

• Solution security architecture reviews
• Threat modelling (STRIDE, OWASP)
• Information security risk assessments
• Facilitated risk workshops

Engagements emphasise enabling delivery while ensuring risks are understood, documented, and treated proportionately.

Vulnerability & Assurance Programs

Design and uplift of vulnerability management and security assurance operating models aligned with organisational risk appetite and capacity.

• Vulnerability management governance and cadence
• Tooling oversight (e.g. SIEM, vulnerability scanners)
• Metrics, dashboards, and reporting models
• Cross-stakeholder coordination and prioritisation

The focus is on moving from reactive remediation to predictable, risk-informed vulnerability treatment.