How It Works

Your Journey

A structured pathway to independent certification

Australian Cyber Essentials (ACE) is not a self-assessment checklist. It is a guided, evidence-based pathway that leads to independent certification by Bureau Veritas.

The programme is structured across three tiers, ACE Ready, ACE Robust, and ACE Resilient, allowing organisations to start where they are and build maturity over time.

ACE is designed to be practical and proportionate, including for organisations without large internal security teams. The process is structured to support preparation, evidence gathering, and independent certification in a manageable way.

Watch Now

The ACE Process

2. Readiness and Preparation Support

The ACE programme team helps the organisation identify its likely starting point, understand evidence requirements, and prepare for assessment. This includes up to twelve guided workshops with Cyber Audit Team, covering the key control areas relevant to the organisation’s tier and context.

3: Evidence Review and Assessment

Evidence such as documentation, artifacts, and supporting materials is compiled by the business and uploaded to the ACE evidence portal in a structured and manageable way. Cyber Audit Team will conduct a final review to ensure everything is completed.

4: Independent Certification Decision

Bureau Veritas conducts the independent certification review and, where satisfied, issues ACE certification at the appropriate tier.

5: Ongoing Assurance and Renewal

ACE is designed to support ongoing assurance, not only point-in-time certification. Certified organisations may be required to complete defined ongoing activities, including periodic confirmation that key controls remain in operation, refresh of selected evidence, notification of material changes, and renewal at defined intervals.

Common Questions

Is ACE a self-assessment or is it independently verified?

ACE is not a self-assessment or questionnaire-based exercise. Organisations submit practical evidence through the ACE evidence portal, and Bureau Veritas independently reviews that evidence before issuing certification. Certification is only issued when requirements are met.

What happens if our evidence submission doesn't meet requirements?

ACE is a maturity journey, not a pass/fail exam. If your initial evidence submission does not meet requirements, Cyber Audit Team (CAT) will provide clear feedback identifying the gaps during your guided workshops. You can then implement the necessary controls and resubmit. The goal of the process is to help your organisation succeed, not to create barriers.

What counts as evidence?

Evidence consists of practical artefacts that demonstrate a control is in place. Depending on the requirement, this may include documents, screenshots, configuration exports, policies, and other supporting materials

How is evidence submitted?

Everything is submitted through the ACE evidence portal, which is structured to make the process manageable. The guided workshops will help you understand exactly what is needed for your tier and operating context.

Does certification mean we are protected against cyber security incidents?

No. ACE certification reflects independent review of evidence at the time of assessment. It demonstrates that essential controls are in place and evidenced, but it does not guarantee an organisation will not experience a cyber security incident. Ongoing assurance activities, including periodic confirmation that key controls remain in operation and renewal at defined intervals, help maintain your certification status over time rather than treating it as a one-off exercise.