ACE Tiers


Start where you are.
Build from there.

ACE uses a three-tier model so organisations can begin at a level that reflects their current maturity and build genuine cyber security capability over time. The tiers are not medals or grades. They are designed to reflect real preparedness, and to give enterprises, insurers, and procurement teams a meaningful and defensible basis for comparison.

Each tier requires evidence. Certification at any tier is issued by Bureau Veritas following independent review of that evidence. There is no self-declaration shortcut at any level.

The right tier is determined by where your organisation sits today, not by whether you have already been asked to demonstrate it. Regulatory expectations, customer requirements, and insurer scrutiny are moving in one direction. The organisations that act ahead of that pressure are the ones that will be best placed when it arrives.


About the ACE tiers

Essential controls

ACE Ready

ACE Ready is designed for organisations that are newer to formal cyber security programs, or suppliers entering enterprise supply chains for the first time. It establishes the essential baseline that any responsible supplier should be able to demonstrate: that the right foundations are in place, that obligations are understood, and that the evidence exists to show it.

The focus at ACE Ready is on getting the fundamentals right. Not every organisation needs a sophisticated security program to achieve this tier, but every organisation that achieves it can demonstrate that the essentials are genuinely in place, not just documented on paper.

ACE Ready is likely the right starting point if you are a smaller or growing business building toward a formal cyber security program; you hold or process any personal or business data on behalf of your customers; you are subject to baseline obligations, including those under the Privacy Act 1988; or you supply to organisations that are beginning to require independently evidenced cyber security maturity from their suppliers. If you are not sure whether that describes you, it probably does.

Strengthened controls and governance

ACE Robust

ACE Robust is designed for organisations that have outgrown the basics and need to demonstrate a more structured and defensible security posture. It builds on ACE Ready with stronger governance practices, more mature access and identity controls, formalised risk management, and a more rigorous approach to protecting sensitive data and managing third-party risk.

At ACE Robust, an organisation can demonstrate that cyber security is actively managed, not just in place on paper. There is visibility over risk, controls are formalised and governed, and the security posture is maintained and evidenced over time.

ACE Robust is likely the right tier if your organisation handles sensitive, personal, or commercially confidential data as part of its service; you supply to enterprise customers who have structured procurement, compliance, or risk management requirements; your organisation is subject to sector-specific regulatory obligations; or you have existing controls in place but they have not been formally documented, independently reviewed, or evidenced in a way that would withstand scrutiny from a customer, insurer, or regulator. Waiting until that scrutiny arrives is not a strategy.

Mature controls and recovery readiness

ACE Resilient

ACE Resilient is designed for organisations operating in higher-risk, more scrutinised, or more demanding supply chain environments. It represents the most advanced level of independently verified cyber security maturity under the ACE framework, covering not just prevention and detection but the organisation's ability to respond, recover, and sustain operations under real-world adversarial conditions.

At ACE Resilient, an organisation can demonstrate that its security posture is mature, actively monitored, regularly tested, and maintained under formal governance. This is the tier for organisations where a failure of cyber security would have material consequences, not just for the organisation itself but for the customers, partners, and communities that depend on it.

ACE Resilient is likely the right tier if your organisation operates in a sector with significant regulatory obligations, including critical infrastructure, financial services, health care, or defence; a failure of your cyber security could have significant downstream consequences for your customers or supply chain partners; your customers, insurers, or regulators require independently verified assurance at the highest available level; or you have achieved ACE Robust and are ready to evidence a security posture that is not just in place but genuinely resilient and operationally tested. If the consequences of getting this wrong are material, this is the tier for you.

Not self-attested.

Evidence-based assessment certified by Bureau Veritas

At A Glance

Which Tier Fits?

The right tier is determined by where your organisation sits today, not by whether you have already been asked to demonstrate it.

This table is a general guide. The ACE program team will confirm the most appropriate starting point as part of your initial enquiry.

Organisation maturity
  ACE Ready: Earlier stage, building toward a formal cyber security program.
  ACE Robust: Controls exist but are not yet formalised, documented, or independently evidenced.
  ACE Resilient: Formal program in place and maturing toward a resilient, operationally tested posture.

Data and obligations
  ACE Ready: Holds business or personal data and is subject to baseline obligations, including Privacy Act requirements.
  ACE Robust: Handles sensitive, personal, or commercially confidential data on behalf of customers or third parties.
  ACE Resilient: Handles highly sensitive or regulated data, or operates in a sector with significant regulatory obligations.

Supply chain position
  ACE Ready: Supplies to organisations that are beginning to require evidence of cyber security maturity from their suppliers.
  ACE Robust: Supplies to enterprise customers with structured procurement, compliance, or risk requirements.
  ACE Resilient: Supplies to organisations where a failure of your cyber security could have significant downstream consequences.

Security posture today
  ACE Ready: Foundations need to be put in place and evidenced.
  ACE Robust: Controls are in place but need to be formalised, strengthened, and independently verified.
  ACE Resilient: Controls are mature and the focus is on evidencing resilience, recovery readiness, and sustained operational security.

Insurance context
  ACE Ready: Holds general business insurance and has not yet been scrutinised on cyber security specifically.
  ACE Robust: Holds or is renewing cyber insurance and is facing more detailed underwriting questions.
  ACE Resilient: Cyber insurers, regulators, or enterprise customers are requiring independent verification of security controls.

Not sure where to start?

Most organisations do not need to know their tier before registering interest.
The ACE program team will review your enquiry and help you identify the most appropriate starting point based on your organisation's size, sector, existing controls, and what your customers and other stakeholders are asking for.

A few questions worth thinking through beforehand:

If the answer to any of those questions is yes, or even possibly, register your interest and the ACE program team will help you work out where to start.

Existing Certification

Already hold a certification or framework alignment?

If your organisation already holds ISO/IEC 27001, has implemented the ASD Essential Eight, holds SMB1001, or has done substantive work against another recognised framework, that existing work can often be drawn on to support your ACE evidence submission.

ACE does not ask organisations to start from zero. It is designed to build on what is already in place, fill the gaps that matter for supply chain assurance, and produce a credential that is independently certified and reusable across multiple customer relationships.

Not sure which tier is right for your organisation?

The ACE program team will help you work that out as part of the initial enquiry.


Common Questions

Which ACE tier is right for my organisation?

The right tier depends on your current cyber security maturity, the types of customers you serve, and the supply chain environments you operate in. The ACE programme team can help you assess your starting point and progress at a pace that suits your business.

Do we have to start at ACE Ready and work up through each tier?

No. ACE is designed so organisations can begin at an appropriate level. If your existing controls and governance already reflect intermediate or higher maturity, you can enter the programme at ACE Robust or ACE Resilient.

How long does it take to achieve ACE certification?

The timeline depends on your current maturity and how quickly you can implement required controls and submit evidence. The programme includes 12 guided workshops, which can be delivered over 12 months or accelerated based on your availability. You control the pace. If gaps are identified during the process, Cyber Audit Team will provide clear feedback so you can address them and resubmit prior to certification.

Does ACE certification replace other compliance obligations we already have?

ACE is not a replacement for frameworks such as ISO/IEC 27001 or the Essential Eight. It is purpose-built for supply chain assurance and curates practical, evidence-ready controls from these frameworks into a supplier-friendly pathway with independent Bureau Veritas certification. Rather than adding to your compliance burden, ACE is designed to consolidate it: build your evidence pack once and reuse it across all customer relationships instead of responding to multiple questionnaires each year.
