SecBoost

Streamlining Your Security Documentation

SecBoost helps Australian organisations meet the requirements of the Information Security Manual (ISM) by streamlining the creation, maintenance and compliance of policy, plan and procedure documents.

Designed to support PROTECTED-level IRAP assessments, SecBoost reduces the manual workload involved in interpreting controls, mapping them to business operations, and generating tailored, cross-referenced documentation.

SecBoost automates your System Security Plan Annex, policy generation and control tracking, enabling you to meet ISM obligations with minimal overhead.

The SecBoost dashboard helps you track ISM controls, evidence and documentation in one place.

  • ISM controls: 1,107 (ISM Dec 2025 Controls)
  • Documentation suite: 20+ (Tailored plans, policies & standards)
  • Outcome: Faster (Audits and assessor workflows)
  • Estimated savings: $38k (Annual cost savings)

Features

Define your compliance scope

Start with your classification level and ISM version. Use our New Project Wizard to initialise your System Security Plan (SSP) Annex and Control Matrix. Further tailor this to select which controls apply to your business. Record your implementation of those controls within the system.

Create your policies, plans & procedures

SecBoost auto-generates 20+ aligned documents, customised with your branding. Each is pre-filled, and control-mapped to the ISM. Optionally include details about control implementation and assessments live, inside your documentation suite.

Collaborate with IRAP assessors

Assign implementation evidence to controls. Export a complete, assessor-friendly document pack. Track IRAP assessor feedback directly in the SecBoost platform and within your documentation suite.

New in Dec 2025

AI Security compliance coverage

The December 2025 ISM introduced 14 new AI security controls (ISM-2074, ISM-2082 to ISM-2094), covering AI usage policy, model risk, data poisoning, and output validation. SecBoost maps all of these to your Control Matrix and generates a dedicated AI Security Policy tailored to your organisation - so you're covered out of the box.

Essential Eight compliance tracking

The Essential Eight provides a baseline of eight mitigation strategies, with a maturity model published by ASD that maps maturity requirements to ISM controls.

SecBoost helps you track maturity progress, capture evidence, and keep your documentation aligned with your selected ISM version - so the same work supports both operational uplift and compliance reporting.

DISP Cyber Security

Defence states that all Defence Industry Security Program (DISP) members are required to achieve and maintain compliance with the full Essential Eight at Maturity Level 2 (ML2).

DISP members complete the Essential Eight Cyber Security Questionnaire (CSQ) as part of the Annual Security Report (ASR) in the DISP Member Portal, and the CSQ is aligned with Essential Eight Maturity Level 2.

SecBoost helps you answer these questions, guides your security uplift, and gives you a single place to track Essential Eight maturity, implementation evidence, and the supporting documentation needed for ongoing assurance. Learn more on Defence’s DISP Cyber Assurance page.

Registers & contacts

Keep the supporting records up-to-date alongside your controls and documentation suite.

Registers

Keep asset, evidence, training and change registers current, with clean export when you need it.

Contacts

Maintain stakeholder and assessor contacts alongside your system scope and documentation.

Pricing Plans

Choose the plan that best suits your organisation's needs. All plans include ISM 2025 compliance support.

Starter

$7k/year + GST

Capture control implementation and produce documentation

  • ✓ Document generation (20+ plans, policies and procedures tailored to your ISM)
  • ✓ Full ISM support (updated Dec 2025)
  • ✓ Wizard-based project creation (with 16 discovery questions)
  • ✓ SSP Annex and Control Matrix Excel import
  • ✓ Basic control workflow (New, Editing, Ready for Assessment)
  • ✓ Dashboard and filterable/sortable control list
  • ✓ Essential 8: dashboard, control index and report document
  • ✓ Asset library (store logos, diagrams, contact lists)
  • ✓ Classifications: Non-classified, OFFICIAL Sensitive, and PROTECTED
  • ✓ Multiple projects for a single assessed system
  • ✓ 5 users maximum
  • ✓ 5 GB storage
  • ✓ Business hours email support
  • ✓ 1 hour onboarding support and training
  • ✓ Single-tenant AWS PROTECTED environment

Standard

Most Popular

$12k/year + GST

Full workflow with assessor collaboration and approval steps

  • ✓ Everything in Starter, plus:
  • ✓ Full control workflow (includes approval and assessment steps)
  • ✓ Customisable roles and permissions
  • ✓ Registers (10+ including Hardware, Training, Contacts, etc.)
  • ✓ Up to 2 assessed systems, each with multiple projects
  • ✓ 20 users maximum
  • ✓ 20 GB storage
  • ✓ Business hours priority phone support
  • ✓ Single-tenant AWS PROTECTED environment

Enterprise

Contact us

Larger-scale organisations that host multiple services or perform third-party assessments

  • ✓ Everything in Standard, plus:
  • ✓ Custom domain (e.g., secboost.yourorg.gov.au)
  • ✓ Task management with reminders, escalation, and reporting
  • ✓ Group users into Teams and assign tasks to specific teams or users
  • ✓ Custom workflow gates requiring specific fields or tasks
  • ✓ SSO with JIT provisioning for roles and Teams
  • ✓ On-premises deployment option
  • ✓ Classifications: SECRET and TOP SECRET
  • ✓ Multiple assessed systems, each with multiple projects
  • ✓ Unlimited users
  • ✓ Configurable storage
  • ✓ Extended support
  • ✓ Custom training sessions
  • ✓ Quarterly compliance reviews
  • ✓ Annual penetration test reporting

Ready to Get Started?

Simplify your security documentation and meet your ISM compliance obligations.

Frequently Asked Questions

How does SecBoost automate tasks?

SecBoost maps ISM controls to your chosen scope, generates tailored documentation, and keeps everything aligned with your SSP and the ISM - all with minimal manual effort.

When it comes time to be IRAP assessed, SecBoost provides a single source of truth for the auditor, letting assessors drill into control implementations and track assessments directly in the platform.

What is a System Security Plan (SSP)?

The SSP is the formal document providing a complete overview of your cloud service - its purpose, architecture, data flows, security authorisations, and operational environment. It's the primary document an IRAP assessor uses to understand what they are assessing.

SecBoost assists in the creation of your SSP and SSP Annex, tracking compliance in a single, easy-to-manage platform.

What is the SSP Annex?

Similar to a Statement of Applicability, the SSP Annex is the official spreadsheet that defines the assessment boundary - the clear scope of what an assessor will review, based on the ISM. Each row represents one ISM control, with space to nominate responsibility, state implementation effectiveness, and describe your implementation.

SecBoost supports import and export of the ACSC's SSP Annex spreadsheet template.

Who benefits from using SecBoost?

SecBoost is designed for Australian organisations preparing for IRAP assessments - especially those needing to generate ISM-aligned policies and plans quickly and accurately.

How does collaboration work?

You can assign roles, share access with IRAP assessors, and track comments or evidence for each control within your business unit.

Is documentation always up-to-date?

Yes - SecBoost tracks ISM version changes and lets you regenerate documents instantly based on your current System Security Plan, ISM version, and classification level.

Who is SecBoost?

SecBoost is a Melbourne-based company founded in 2025 - Australian owned and operated, built by two developers with almost 50 years of combined experience securing systems and documentation for Australian government customers.

New in Feb 2026

Machine-readable compliance: OSCAL export

SecBoost generates a complete OSCAL 1.1.2-compliant export of your System Security Plan and Assessment Results - in the machine-readable JSON format defined by NIST.

The SSP export maps every applicable ISM control to a structured implemented-requirement, capturing your implementation narrative, workflow state, applicability, and responsibility. The Assessment Results export captures assessor observations, finding severity, and remediation recommendations for each control - including the date each control was assessed.

OSCAL exports are ready for direct import into OSCAL-aware tooling, including AWS Audit Manager and NIST validation tools, and are schema-validated against the NIST OSCAL 1.1.2 specification before download.

What's included

  • NIST OSCAL 1.1.2 - System Security Plan (SSP) and Assessment Results (AR)
  • Per-control observations with assessment outcome, date assessed, and finding severity
  • Adverse control findings with remediation recommendations
  • SecBoost-namespaced properties preserve full workflow state in the export
  • Schema-validated before download

Documentation Suite

The SecBoost system will generate the following ISM-compliant documents, matching your tailored control applicability and implementations, ISM version, and classification level.

  • Documentation suite list: A single, tailored documentation suite mapped to your selected ISM controls.
  • Generated Risk Management Plan (PDF): Export-ready PDFs (example: Risk Management Plan).
  • Generated Risk Management Plan content (PDF): Detailed, control-aligned content that stays in sync.

Policies

  • Access Control Policy
  • AI Security Policy (New)
  • Asset Management Policy
  • Backup & Recovery Policy
  • Change Management Policy & Procedure
  • Cloud Security Policy
  • Cryptographic Controls Policy
  • Data Classification and Handling Policy
  • Email and Communications Policy
  • Endpoint Protection Policy
  • Information Security Policy
  • Interconnection Security Policy
  • Logging & Monitoring Policy
  • Physical Security Policy
  • Secure Development Policy
  • Supplier Security Management Policy

Registers

Managed and filled in within the SecBoost system, with full auditing and export to PDF.

  • Access Control Register
  • Change Management Register
  • Cloud Service Inventory
  • Crypto Key Inventory & Certificate Register
  • Data Retention Schedule
  • Evidence Register
  • Hardware Asset Register
  • Incident Register
  • Interconnection Register
  • Review/Audit Log
  • Software Asset Register
  • Supplier Risk Assessment
  • Training Register
  • Vulnerability Management Register

Plans

  • Business Continuity Plan (BCP)
  • Disaster Recovery Plan (DRP)
  • Incident Response Plan
  • Risk Management Plan
  • Security Awareness and Training Plan
  • Security Review & Audit Plan
  • System Security Plan (SSP)

Standards

  • Environment Management Standard
  • Network Security Standard
  • Platform Security Standard
  • System Hardening Standard
  • Vulnerability and Patch Management Standard

Reports & Exports

Generated reports and structured exports ready for download, import into other tools, or submission to assessors.

  • System Security Plan Annex (XLSX)
  • OSCAL System Security Plan export (JSON, NIST 1.1.2) (New)
  • Cloud Control Matrix (XLSX)
  • OSCAL Assessment Results export (JSON, NIST 1.1.2) (New)
  • Essential Eight Maturity Report (PDF)

Get in touch

Tell us about your system, timeline, and assessment scope. We’ll get back to you shortly.

We work with Australian organisations preparing for IRAP assessments and teams looking to reduce the effort involved in producing ISM-aligned documentation.