Why ACE?

Security

Genuine Assurance.
Independently Verified.

Australia has no shortage of cyber security frameworks, standards, and guidance, such as Essential 8, ISO 27001, NIST CSF, SMB1001 or APRA CPS 234.

What many organisations still lack is a practical, independently certified approach to supply chain assurance that is accessible to suppliers and credible to enterprises.

Australian Cyber Essentials (ACE) was developed to address gaps that existing frameworks, taken individually, do not fully close.

Created in 1828, Bureau Veritas is a world leader in laboratory testing, inspection and certification services.

With more than 2,500 employees located in more than 50 offices and laboratories in Australia and New Zealand, Bureau Veritas helps businesses improve performance, manage risk, and meet regulatory and sustainability standards through independent auditing, verification, accreditation and assurance services.


No single framework is sufficient


ASIC’s Cyber Resilience Guide states you need both governance and technical controls. Other frameworks address important areas, but none covers everything. ACE synthesises recognised frameworks, Australian regulatory expectations, and industry best practice into a single programme calibrated for businesses of all sizes, covering governance as well as technical controls.


Point-in-time certification is no longer enough


The ASD’s Cyber Threat Report repeatedly highlights the rapidly changing cyber threat environment, meaning that there is an increased need for current, ongoing assurance rather than historical snapshots.


Self-attestation is not assurance


ASIC guidance highlights the importance of assurance processes, testing and evidence-based oversight to confirm cyber controls are effective. ACE requires evidence review by Bureau Veritas, so certification carries weight with enterprises, regulators, and insurers.


Fully guided support


ACE provides ongoing support including twelve guided workshops with our delivery partner Cyber Audit Team, so organisations are supported through the process, not left to navigate it alone.


Maturity takes time.


ACE is a tiered programme, so organisations can start where they are and build toward a stronger security posture over time.

Enterprises are under growing pressure to demonstrate that cyber risk across their suppliers and third parties is being actively governed.

A completed questionnaire is no longer sufficient. 

ACE is designed to give suppliers a credible, independently certified answer to that question, and to give enterprises something more robust than self-declaration to rely on.

Common Questions

Why isn't completing a supplier questionnaire sufficient any more?

Questionnaire-based approaches rely on self-declaration. There is no independent verification that the controls described are actually in place. Enterprises are under growing regulatory and board-level pressure to demonstrate that cyber risk across their supply chain is actively governed, and a completed questionnaire does not satisfy that standard. ACE requires evidence review by Bureau Veritas, giving enterprises something independently certified to rely on rather than a supplier's own assessment of their own posture.

How is ACE different from ISO/IEC 27001, the Essential Eight, or SMB1001?

ACE is not a replacement for these frameworks. It is purpose-built for supply chain assurance and synthesises controls from ISO/IEC 27001, the Essential Eight, SMB1001, and Australian regulatory expectations into a single programme calibrated for businesses of all sizes. If your organisation already holds one of these certifications, you can often draw on existing artefacts to reduce the evidence effort required. The key difference is that ACE combines independent Bureau Veritas certification with ongoing assurance status, so the organisations that rely on you have a current view of your posture, not just a historical one.

Why does ongoing assurance matter, not just point-in-time certification?

A certificate issued twelve months ago reflects your security posture twelve months ago. Threats evolve, environments change, and controls drift. ACE introduces ongoing assurance status through defined activities, including periodic confirmation that key controls remain in operation and renewal at defined intervals. This gives the enterprises and customers that rely on your organisation a current picture, which is increasingly what regulators, insurers, and procurement teams expect to see.

We're a small business. Is ACE realistic for us?

Yes. ACE is specifically designed to be practical for small and medium-sized businesses without large internal security teams. The programme includes twelve guided workshops so organisations are supported through the process rather than left to navigate a framework alone. The tiered structure also means you can begin at a level appropriate to your current maturity and build from there, rather than being required to meet a single fixed standard from day one.
