Board Readiness Assessment — The Rock Report — Red Flagg™
New service: The Rock Report

Board Readiness Assessment

Find out exactly where your organisation stands on cyber security — before your board is asked. Two documents. One named analyst. One 60-minute walkthrough call.

  • Independent, third-party assessment aligned to ACSC Essential Eight
  • One for your board. One for your IT team. Delivered together.
  • Includes a live phishing simulation against your staff
  • Named analyst. 60-minute delivery call. 12 months valid.
  • Risk register extract — ready to drop into your board risk register

Microsoft 365 or Google Workspace  ·  NFP rates available  ·  No lock-in

What you receive
The Rock Report — Board Brief
6 pages · For your board · Built on sand or rock?
Cyber Security Posture Review
Up to 14 pages · For your IT team · All findings in detail
Delivery call: 60 min · named analyst
Phishing simulation: Included
Risk register extract: Included
Valid for: 12 months
Environment: M365 or Workspace
Access method: Remote only · GDAP
Starting from $1,500 · Board Pack $2,500 · Premium $3,500
ACSC Essential Eight aligned · AICD Cyber Governance Principles V2 · Configuration review, not a penetration test · Australian analysts only · NO SUBCONTRACTORS. EVER.

One engagement. Two documents.

The Board Readiness Assessment is an independent, point-in-time security review of your cloud environment and your people. It produces two documents delivered together — one written for your board, one for your IT team or CISO.

This is not a penetration test. It is a configuration assurance review, conducted remotely through read-only GDAP (Microsoft 365) or delegated admin (Google Workspace) roles, with no data retained and no changes made to your environment.

Every engagement includes one live phishing simulation campaign run against your staff, a risk register extract your board can copy directly into their risk management system, and a 60-minute delivery call with your named analyst to walk through every finding.

This report is Rung 4 of the six-rung Director Defence Ladder described in the Director's Guide below. It is designed as evidence that you asked: the documented inquiry that the AICD Cyber Governance Principles and the Privacy Act "reasonable steps" test expect a board to be able to show.

Document 1 — Board Brief
The Rock Report — Board Brief
Built on sand or built on rock? Six pages. Rock Meter score, risk rating, Level 0 people controls, director liability, 10-point reasonable steps self-check, three board questions, and your Sand→Rock position.
For your board
One engagement. Delivered together.
Document 2 — Technical Report
Cyber Security Posture Review
Up to 14 pages. Every technical finding in detail — observation, risk, recommended action, Essential Eight mapping, implementation roadmap, licensing reality, and a risk register extract ready for your board.
For your IT team or CISO

Four steps. 21 business days.

From request to 60-minute delivery call.

1. Request & brief
Request via the store. We assign your named analyst and send a 10-question pre-audit survey. You grant remote GDAP access.
2. Review & phishing
Your analyst reviews your cloud environment remotely. We run one live phishing simulation campaign against your staff.
3. Reports delivered
Both documents are delivered within 21 business days of receiving your survey responses and access. Named analyst, dated, 12 months valid.
4. 60-min walkthrough
Your named analyst walks through every finding with you personally. Questions answered. Next steps agreed. Paper trail complete.

Every engagement includes all of this

Rock Meter™ Score
A scored 1–10 position on the Sand→Rock security spectrum, with your Secure Score or Google Health Score benchmarked against the industry average.
Board Brief
Risk Register Extract
Every finding tabulated — severity, E8 control, current maturity, recommended action, owner, timeframe. Copy it directly into your board risk register, Confluence, or SharePoint.
Posture Review
Live Phishing Simulation
One real phishing campaign against your staff — click rate, report rate, and a Verizon DBIR 2024 benchmark comparison. The piece most assessments skip. We don't.
Both documents
Level 0 People Controls
Ten controls across People & Culture and Technical Basics. Survey-based with technical verification where possible — DMARC, SPF, DKIM checked against DNS.
Both documents
60-Minute Delivery Call
Your named analyst walks through every finding with you personally. Not a recording. Not a webinar. A real conversation with the analyst who wrote the report. Included in every tier.
Every tier
Implementation Roadmap
Three-stage sequenced roadmap: Critical path days 0–14, Harden environment days 15–30, Complete Level 0 days 31–90. Each finding mapped to a timeframe and owner.
Posture Review
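The "checked against DNS" part of the Level 0 technical basics can be reproduced offline. The script below is an added example, not Red Flagg's tooling, that grades SPF and DMARC TXT records the way a posture review would: does SPF actually fail unauthorised senders, does it stay within the RFC 7208 limit of 10 DNS-lookup mechanisms, is DMARC enforcing or merely monitoring, and does anyone receive the reports. The three domains and their records are constructed samples, and the severities are an assumed scale. DKIM is left out because checking it requires knowing each sending service's selector.

```python
"""Offline grader for SPF and DMARC TXT records (added example)."""
import re

# Constructed sample records; these are not real domains' DNS data.
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s",
    },
    "weak.example": {
        # 11 include: mechanisms exceeds the RFC 7208 limit of 10 lookups.
        "spf": "v=spf1 " + " ".join(f"include:{c}.example" for c in "abcdefghijk") + " ~all",
        "dmarc": "v=DMARC1; p=none; pct=10",
    },
    "missing.example": {"spf": "v=spf1 +all", "dmarc": None},
}

# Mechanisms/modifiers that each cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (qualifier on 'all', dns_lookup_count), or None if not SPF."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:
        qualifier = "+"  # implicit pass when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record):
    """Return the DMARC tag=value pairs as a dict, or None if not DMARC."""
    if record is None or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_record, dmarc_record):
    """Return a list of (severity, control, observation) findings."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append(("High", "SPF", "No SPF record published"))
    else:
        all_q, lookups = spf
        if all_q in (None, "+"):
            findings.append(("High", "SPF", "Record never fails unauthorised senders (no 'all' term or +all)"))
        elif all_q in ("~", "?"):
            findings.append(("Medium", "SPF", f"'{all_q}all' only soft-fails; move to -all once sources are verified"))
        if lookups > 10:
            findings.append(("High", "SPF", f"{lookups} DNS-lookup mechanisms exceed the limit of 10; receivers return permerror"))
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append(("High", "DMARC", "No DMARC record published"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("Medium", "DMARC", "p=none only monitors; spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("High", "DMARC", f"Invalid or missing policy tag p={policy!r}"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100 and policy != "none":
            findings.append(("Low", "DMARC", f"pct={pct} applies the policy to only part of the mail flow"))
        if "rua" not in dmarc:
            findings.append(("Low", "DMARC", "No rua= address; nobody receives aggregate failure reports"))
    return findings


def assess_sample(domain):
    """Grade one of the constructed sample domains."""
    records = SAMPLE_RECORDS[domain]
    return assess_domain(records["spf"], records["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain)
        for severity, control, observation in assess_sample(domain) or [("OK", "-", "no findings")]:
            print(f"  [{severity}] {control}: {observation}")
```

Feed real records in by resolving the TXT records for the domain and `_dmarc.<domain>` with any DNS client; the grading logic is unchanged. The lookup-count check matters in practice because an SPF record that permerrors is treated by most receivers as if it did not exist.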

Clear, fixed price. No surprises.

All tiers include the Board Brief, Posture Review, phishing simulation, risk register, and 60-minute delivery call.

Base
$1,500
One-time · GST inclusive
  • Board Brief — 6-page report for your board
  • Cyber Security Posture Review
  • Phishing simulation campaign
  • Risk register extract
  • 60-minute delivery call
  • 12 months validity
Most Popular
Board Pack
$2,500
One-time · GST inclusive
  • Everything in Base
  • Director liability tier assessment — personalised to your organisation
  • Have You Done Reasonable Steps? — 10-point self-check
  • Three board questions personalised to your findings
  • IOC observation — indicators of compromise reviewed
  • Licensing reality assessment
Premium
$3,500
One-time · GST inclusive
  • Everything in Board Pack
  • Legal/health/finance sector addendum — CPS 234, ACNC, Privacy Act enhanced
  • Two delivery calls — board session and IT session separately
  • 30-day check-in call included
  • Priority analyst assignment and turnaround

Microsoft 365 or Google Workspace

Each engagement covers one cloud environment. If you use both, two separate engagements are required.

■ MICROSOFT 365
Microsoft 365 — Configuration Assurance Review
Remote access via GDAP (Granular Delegated Admin Privileges): a partner relationship scoped to the specific roles you approve, with a fixed expiry, logged in your tenant, and terminable by you at any time. We request read-only roles only. Login and logout notifications sent to your IT admin.
  • 14 technical findings — identity, email, Teams, SharePoint, audit controls
  • Microsoft Secure Score benchmarked against global average (~52%)
  • MFA, Defender, Legacy Auth, Guest users, Admin hygiene, PIM, DMARC
  • Essential Eight maturity mapping across all eight mitigation strategies
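Before approving a GDAP request, your IT admin can confirm that it really is read-only and time-bound rather than taking it on trust. The script below is an added practitioner check, not Red Flagg's tooling: it reviews a relationship against a read-only role allowlist and a maximum duration. The relationship JSON is a constructed sample shaped like the Microsoft Graph delegatedAdminRelationship resource (field names are an assumption to confirm against current Graph documentation), the role template IDs are Entra's built-in ones, and the 90-day limit is an assumed threshold.

```python
"""Review a GDAP relationship for least privilege and time-bounding (added example)."""
import json
import re

# Entra built-in role template IDs; these are the same in every tenant.
# Verify against Microsoft's published role-template list before relying on them.
READ_ONLY_ROLES = {
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
}
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample (assumed Graph delegatedAdminRelationship shape):
# one read-only role plus a Global Administrator role that a configuration
# review should never be granted.
SAMPLE_RELATIONSHIP = json.loads("""
{
  "displayName": "Posture review (example)",
  "status": "active",
  "duration": "P30D",
  "accessDetails": {
    "unifiedRoles": [
      {"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"},
      {"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}
    ]
  }
}
""")


def duration_days(iso_duration):
    """Convert an ISO 8601 duration such as P30D or P2Y into days.
    Years and months are approximated (365 and 30 days); good enough for a threshold."""
    match = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso_duration or "")
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {iso_duration!r}")
    years, months, days = (int(g) if g else 0 for g in match.groups())
    return years * 365 + months * 30 + days


def review_relationship(rel, max_days=90, allowed_roles=READ_ONLY_ROLES):
    """Return a list of (severity, message); empty means active, read-only
    by the allowlist, and expiring within max_days."""
    issues = []
    if rel.get("status") != "active":
        issues.append(("Info", f"status is {rel.get('status')!r}, not active"))
    days = duration_days(rel.get("duration"))
    if days > max_days:
        issues.append(("Medium", f"duration of {days} days exceeds the agreed {max_days}-day limit"))
    roles = [r.get("roleDefinitionId") for r in rel.get("accessDetails", {}).get("unifiedRoles", [])]
    if not roles:
        issues.append(("High", "no roles listed; cannot verify what access is granted"))
    for role_id in roles:
        if role_id == GLOBAL_ADMIN_ROLE:
            issues.append(("Critical", "Global Administrator granted; a read-only review never needs this"))
        elif role_id not in allowed_roles:
            issues.append(("High", f"role {role_id} is not on the read-only allowlist"))
    return issues


if __name__ == "__main__":
    for severity, message in review_relationship(SAMPLE_RELATIONSHIP):
        print(f"[{severity}] {message}")
```

Run it against the relationship shown in the Microsoft 365 admin center under partner relationships (or fetched from Graph) before you approve it; a Critical or High finding means the request is broader than a configuration review needs.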
■ GOOGLE WORKSPACE
Google Workspace — Configuration Assurance Review
Remote access via a delegated admin role with read-only privileges. All admin activity is visible in the Google Admin Console audit log.
  • 8 technical findings — 2SV, Admin roles, OAuth, Gmail, Meet, Drive, Audit
  • Google Security Health Score benchmarked against industry average (~55%)
  • 2-Step Verification, Super Admin hygiene, DMARC, external sharing
  • Essential Eight mapping adapted for Workspace environment

Required reading for your board

Don't Build on Sand — The Director's Guide

A plain-English guide to your personal liability as a director. What Section 180 means for cyber. The five Australian cases every director should know. The Defence Ladder. What "reasonable steps" looks like in practice. Seven pages. 12 minutes.

Read it free → redflagg.com.au/sand-vs-rock
Inside the director's guide
  • The $5.8M Australian Clinical Labs (ACL) penalty — what it means for every organisation holding personal data
  • The Bekier Principle — why non-executive directors walked in March 2026
  • 72 hours — the ransomware payment reporting deadline under the Cyber Security Act 2024
  • The six-rung Defence Ladder and where this assessment fits
  • The 10-point reasonable steps self-check for every director
  • "If something happens tomorrow, can you show what you asked and what you were told?"

Questions we get asked

Is this a penetration test?
No. This is a configuration assurance review — we review settings, controls, and people-side indicators against established security frameworks. We do not actively exploit vulnerabilities. Penetration testing is available separately from Red Flagg™.
How long does it take?
We deliver both documents within 21 business days of receiving your survey responses and access. The 60-minute delivery call is scheduled on completion.
Do you access our data?
We review configuration settings only, not mailbox contents, files, or documents. GDAP (Microsoft 365) and delegated admin (Google Workspace) relationships are scoped to the roles you approve and expire on a set date; we request read-only roles, so we can view configuration but not change it. A read-only directory role can still see user names, email addresses and group membership; the relationship's expiry, and your ability to terminate it at any time from your admin console, bound that exposure. All access is logged and visible to your IT admin. No data is retained after the engagement.
What if we use both 365 and Workspace?
Each engagement covers one cloud environment. If you use both, two separate engagements are required. We recommend starting with the environment that holds your most sensitive data.
Who are the analysts?
Red Flagg™ analysts are based in Melbourne, Australia. We use no subcontractors, ever. Your named analyst is assigned before the engagement begins and is the same person who conducts the review, writes the reports, and runs the delivery call.
How often should we do this?
Reports are valid for 12 months. We recommend annual reassessment, or following any significant change to your environment or organisational structure. NFP boards under ACNC governance should treat annual reassessment as part of their reasonable steps evidence trail.

Built on sand or built on rock?

Find out. Two documents. One analyst. One 60-minute call. Starting from $1,500.

hello@redflagg.com.au  ·  No lock-in  ·  NFP rates available