Case Study

Essential Eight Auditing in Local Government

Case Study: Applying the Cyber NSW Cyber Security Guidelines for Local Government


THE CHALLENGE

A NSW Local Government agency serving more than 40,000 residents within a high-density region wanted independent assurance over its cyber posture and a clear, evidence-based path to reach its targeted Essential Eight (E8) Maturity Level One as set out in its Information Security Strategy. The agency needed an audit aligned to the Cyber Security NSW – Cyber Security Guidelines for Local Government and to be assessed against the Australian Signals Directorate (ASD) Essential Eight assessment guidelines, so executives and auditors could rely on the results for planning and reporting.

For the Local Government agency, this was its first-ever comprehensive E8 audit, one that would reveal any potential shortfalls after many months of uplift and late nights.

OUR APPROACH

InConsult delivered a structured audit and assessment program combining workshops, technical validation and comprehensive documentation:

  • Scoping & Alignment: Defined the audit scope against the Cyber Security NSW – Local Government Guideline control set and mapped each control to the ASD Essential Eight maturity criteria and assessment methods.

  • Facilitated Multi-Hour Workshops: Ran detailed, multi-hour workshops with IT Operations to:

    • Validate current state for the eight mitigation strategies (application control, patching applications/OS, Microsoft Office macro settings, user application hardening, restricting admin privileges, MFA, and backups).

    • Elicit evidence paths, data sources and system configurations for each target control.

    • Agree on required evidence, sampling volumes and special terms for review of highly sensitive content.

  • Evidence-Based Testing & Workpapers: Executed ASD-aligned assessment procedures (configuration reviews, sample-based testing, artifact walkthroughs and spot checks). Produced complete audit workpapers directly aligned to ASD’s Essential Eight Assessment Process Guide, including test steps, results, screenshots and residual risk notes, creating a robust audit trail from requirement to evidence.

  • Findings, Ratings & Roadmap: Issued an audit report with clear control ratings, maturity mapping, and remediation recommendations prioritised by risk, effort and dependencies.

OUTCOMES & BENEFITS

As a result of our engagement:

  • Target Achieved: Essential Eight Maturity Level One: The agency achieved E8 Maturity Level One, meeting its strategic target with documented, repeatable evidence aligned to ASD guidance, providing confidence to executives, audit & risk committee members and external stakeholders.
  • Assurance Over Guideline Alignment: Verified alignment to the Cyber Security NSW – Local Government Guideline, strengthening their policy-to-control traceability and reporting confidence.
  • Clear, Actionable Remediation: Prioritised remediations sharpened focus on near-term controls (e.g., admin privilege management, MFA coverage and backup processes).
  • Strengthened Partnership: The quality of our workpapers, facilitation and practical recommendations enhanced our standing as a trusted provider, setting the foundation for ongoing advisory and periodic reassessments.

This case study is drawn from a real-life engagement/project between InConsult and our client. While client details are not disclosed for commercial and confidentiality reasons, this case study is based on a real engagement and reflects genuine results and outcomes. Specific client references and project details can be shared with prospective clients during the proposal process.