Australian Compliance Hub

Track compliance with Australian Privacy Principles, Essential Eight maturity, Notifiable Data Breaches, and IRAP readiness — all in one place.

Overview

The Australian Compliance Hub is a dedicated module for tracking compliance with Australian-specific regulatory frameworks alongside your ISO 27001 ISMS. It consolidates four compliance areas into a single tabbed interface: the 13 Australian Privacy Principles (APPs), the ACSC Essential Eight maturity model, the Notifiable Data Breaches register, and IRAP readiness. This module requires a Pro plan subscription.

APP Tracker — Australian Privacy Principles

The Privacy Act 1988 establishes 13 Australian Privacy Principles that govern how organisations handle personal information. The APP Tracker lets you record your compliance status against each principle:

  • APP 1 — Open and transparent management of personal information.
  • APP 2-5 — Anonymity and pseudonymity, collection of solicited personal information, dealing with unsolicited personal information, and notification of collection.
  • APP 6-9 — Use or disclosure, direct marketing, cross-border disclosure, and adoption, use or disclosure of government related identifiers.
  • APP 10-13 — Quality, security, access, and correction of personal information.

For each principle, you can track implementation status and record notes about how your organisation addresses the requirement. This is particularly valuable for organisations that handle personal information and need to demonstrate Privacy Act compliance alongside ISO 27001.

Essential Eight Maturity Model

The ACSC (Australian Cyber Security Centre) Essential Eight is a baseline set of mitigation strategies that the ACSC recommends all Australian organisations implement. The eight strategies are:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

Each strategy is assessed against four maturity levels (Maturity Level Zero through Maturity Level Three). The Essential Eight tab lets you record your current maturity level for each strategy, set a target level, and identify the gaps where uplift is needed. Because the eight strategies are technical controls, they map closely to the technological controls in Annex A (the A.8 theme of ISO 27001:2022) and help prioritise your control implementation effort.

NDB Register — Notifiable Data Breaches

The NDB register provides a dedicated view of all data breaches that meet the notification threshold under Part IIIC of the Privacy Act 1988: an "eligible data breach" is one where unauthorised access to, disclosure of, or loss of personal information is likely to result in serious harm to one or more individuals and remedial action has not prevented that harm. The scheme requires a suspected breach to be assessed within 30 days and, if it is eligible, notified to the OAIC and affected individuals as soon as practicable. The register works alongside the Incident Management module but focuses specifically on breaches that require notification. You can track the assessment and notification status of each breach and maintain a register suitable for regulatory reporting.

IRAP Readiness Checklist

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate program that endorses independent assessors to evaluate systems against the controls in the Information Security Manual (ISM). Organisations that want to handle Australian government data typically need an IRAP assessment of the relevant systems. The IRAP readiness tab provides a checklist of requirements that you can work through to prepare for that assessment. This is particularly relevant for organisations that supply services to Australian federal or state government agencies.

ISO 27001 Mapping

The Australian Compliance Hub maps to Annex A controls A.5.31 (Legal, Statutory, Regulatory and Contractual Requirements), A.5.32 (Intellectual Property Rights), A.5.33 (Protection of Records), and A.5.34 (Privacy and Protection of PII). A.5.31 requires organisations to identify and comply with all relevant legal, regulatory, and contractual requirements; in the Australian context the Privacy Act and NDB scheme are statutory obligations, while Essential Eight and IRAP are usually contractual or government policy requirements (Essential Eight is mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework). A.5.33 and A.5.34 are served by the NDB register and APP Tracker respectively. By tracking these frameworks alongside your ISMS, you demonstrate a holistic approach to compliance.