Prepared by Michael Poezyn, CISO  ·  30 April 2026
Executive Scorecard
SOC 2 Readiness: 43.1% · 87 of 202 controls fully ready · monitors: 133 passing, 15 failing
ISO 27001 Readiness: 74.5% · 146 of 196 controls fully ready · +56pp from January
Devices Under MDM: 25 of 74 managed devices · 33.8% fleet coverage
Device Compliance Rate: 96.0% · 24 of 25 enrolled devices fully compliant
Microsoft Secure Score: 51.8% · 638.3 of 1,233 points · Target: 70%
Risk Register: 41 risks documented · 1 Critical, 17 High, 23 other
Compliance Progress - Planned vs Achieved
SOC 2 Readiness Trajectory (chart): controls with owner + evidence + monitor all passing · Q1 target: 75%
ISO 27001 Readiness Trajectory (chart): controls with owner + evidence + monitor all passing · Target: 100% by July 2026 (Stage 1 audit)
ISO 27001 and SOC 2 Controls Status (chart): 314 controls total · 53.2% overall readiness · April 30, 2026
Drata Monitor Status (chart): 15 failing · 133 passing · 57 not yet configured (live Apr 30)
Risk Register Distribution (chart): 41 risks by severity level
ISO 27001 and SOC 2 Controls: Work Remaining by Category
147 controls not yet fully ready - key category breakdown:
Category 1 - AWS / GitHub technical fixes required: ~26 monitors FAILED (need fixing)
Category 2 - Manual evidence upload needed: ~200 controls missing evidence upload
Category 3 - Approver sign-off in Drata (work done, needs review): ~57 monitors READY but not yet configured
Regulatory & Compliance Posture - Certification Roadmap
Controls Tracked: 114 · QoQ Control Uplift: +38 · Major Audit Findings to date: 0 · ISO 27001 Stage 1 Audit: target Jul 26 · SOC 2 Type 1: target Dec 26
Certification Roadmap - FY26 → FY27
Quarterly-gated track to ISO 27001 certification and SOC 2 Type 2. All audit dates below are targets as at 30 April 2026; no certification audit has been held yet.
JAN–APR 2026 · Pre-work - COMPLETE
Maturity baseline (Mar), MDM/EDR POC GO decision (Mar), risk register signed off, Drata monitors live
MAY–JUL 2026 · Q1 Foundation - IN PROGRESS
Readiness uplift, Conditional Access enforcement, full-fleet Intune enrolment, certification body booked (Jul)
JUL 2026 · ISO 27001 - Stage 1 Audit - TARGET
Target 100% control readiness (owner + evidence + monitor) ahead of the Stage 1 documentation review
DEC 2026 · SOC 2 - Type 1 - IN PROGRESS
Readiness assessment commences August 2026 · Type 2 observation window starts Q4
JAN–MAR 2027 · ISO 27001 - Stage 2 Audit - PLANNED
Certification achieved on a clean Stage 2 · annual surveillance audits follow certification
2027 · SOC 2 - Type 2 - PLANNED
Operating effectiveness over the observation window
Regulatory Framework Coverage
5 of 5 frameworks current - all obligations tracked and active
Privacy Act 1988 - Australian Privacy Principles, APPs 1–13 mapped - ACTIVE
NDB Scheme - Notifiable Data Breaches: IRP aligned, DCF-131 published - ACTIVE
GDPR Awareness - Monitored for EU data subjects via Privacy Policy coverage - ACTIVE
ACSC Essential Eight - Gap analysis complete · Maturity Level 1 aligned, ML2 in progress - ALIGNED
IS Policy Annual Review - v1.4 reviewed April 2026 - COMPLETE
Security Maturity - Baseline, Current & Q1 Target
Maturity Radar - 11 Security Domains (chart): Industry Benchmark · Baseline (Mar 2026) · Current (Apr 2026) · Q1 Target (Jul 2026) · Scale 0–3.5
Industry Benchmark source: Composite of the 2024 Verizon DBIR security maturity self-assessments, SANS 2024 Security Awareness Report domain averages, and the CIS Controls v8 implementation tier distributions for SMB/mid-market organisations (100–500 employees, SaaS/tech sector). Scores represent the median maturity level reported across surveyed organisations at a comparable stage of ISMS implementation. Cloud Security and Identity benchmarks are elevated (2.5) reflecting accelerated adoption; GRC, Vendor Management and User Awareness remain lower (1.8) across the peer group due to resourcing constraints typical at this scale.
Domain-by-Domain Maturity Scores
Baseline (Mar 2026) → Current (Apr 2026) → Q1 Target (Jul 2026)
Endpoint Security:     1.0 → 2.2 → 2.5
Incident Management:   1.5 → 2.5 → 2.5
Application Security:  1.5 → 1.6 → 2.0
Vendor Management:     1.5 → 2.3 → 2.5
Data Security:         2.0 → 2.1 → 2.5
User Awareness:        2.0 → 2.0 → 2.5
GRC & Compliance:      2.0 → 2.5 → 2.5
Cloud Security:        2.5 → 2.6 → 3.0
Identity & Access:     2.5 → 2.7 → 3.0
Network Security:      2.5 → 2.5 → 3.0
Business Continuity:   2.5 → 2.5 → 3.0
Programme average: Baseline 1.9 (Mar 2026) → Current 2.4 (Apr 2026) → Q1 Target 2.6 (Jul 2026) → Year-end target 3.2 (Mar 2027)
Endpoint Security - Intune + Defender + Action1
Intune enrolled: 25 · Compliant devices: 24 · Non-compliant: 1 · Windows MDM: 22 · macOS MDM: 3 · Devices remaining: 49 · POC score: 8.1/10 · CA policies enforced: 0
Fleet Enrollment Progress
25 of 74 managed devices enrolled in Intune MDM
Device Compliance Status
24 of 25 enrolled devices compliant, 1 non-compliant
Intune Deployment Phases
POC done · Wave 1 in progress
POC (5 devices) - ✓ Complete
Pre-work enrollment (13 additional devices) - ✓ Done
Wave 1 - 25–30 devices (May 2026) - In Progress
Wave 2 - Full fleet, ~74 devices (Jun–Jul 2026) - Planned
Key Configurations Deployed
✓ 10 Intune configuration profiles  ·  ✓ 3 compliance policies
✓ Defender for Endpoint on all enrolled  ·  ✓ Action1 on Windows
✓ Apple Business Manager (ABM) connected  ·  ✓ Dell Command Update
CA01 & CA02 in report-only mode (not yet enforced)
ASR rules in Audit mode (Block mode planned Q2)
Action1 RMM - Deployed Capabilities (Windows)
Action1 fills the operational gaps Intune does not cover natively
Patch Management
300+ apps · automated deployment · rollback
Vulnerability Scanning
NVD CVE scanning · CVSS scoring · one-click fix
Asset Inventory
Full HW + SW inventory · serial numbers · BIOS
Remote Scripting
Real-time PS + Bash · ad-hoc remediation
Security Posture - Microsoft Defender & Identity
Microsoft Secure Score: 638.3 / 1,233 points · 51.8% · As of 30 April 2026
Active Security Alerts & Identity Risks (live from Microsoft Defender / Entra ID Protection)
Active Alerts (7 total):
Password Spray attack detected - HIGH
Authentication from known attacker infrastructure - HIGH
Unfamiliar sign-in properties (×2 users) - HIGH
Password Spray attack (second instance) - HIGH
'Multiverze' malware - prevented by Defender - BLOCKED
'Redirector' malware - prevented by Defender - BLOCKED
Risky Users (15 identified):
1 user - High risk · atRisk state - HIGH
1 user - Medium risk · atRisk state - MEDIUM
2 users - Low risk · atRisk state - LOW
11 users - Remediated or dismissed - RESOLVED
Business Continuity & Resilience - BCP / DR
Tier 1 RTO: 24hr · Tier 1 RPO: 24hr · Tier 2 RTO: 72hr · Tier 2 RPO: 48hr · DR test cadence: quarterly
Backup & Recovery Infrastructure
Multi-region AWS architecture · all customer data encrypted at rest and in transit
AWS S3, RDS & Redshift - all customer data, automated backups, encrypted at rest - DAILY
GitHub Source Control - versioned code backup, encrypted in transit - CONTINUOUS
Sydney → Melbourne Replication - cross-region DR, data sovereignty maintained (ap-southeast-2 → ap-southeast-4) - LIVE
CloudWatch Monitoring - automated alerting on all backup jobs; failures page on-call - LIVE
Recovery Validation Testing - full restoration tested quarterly; results logged and reviewed - QUARTERLY
Operational Resilience Programme
ISO 22301-aligned BCP with tested recovery objectives and exec-level exercises
Tier 1 - Critical: 24hr RTO & RPO
Tier 2 - Operational: 72hr RTO / 48hr RPO
Quarterly DR Tests: failover · restore · validate - results reviewed by CISO
Annual Tabletop Exercises: cross-functional · executive level · scenario-based
Public Status Page: status.autoguru.com.au - real-time availability for customers
Remote Work Capability: 100% remote-ready · Zero Trust access model enforced
Automation Platform - N8N Workflows
N8N Workflow Library
5 security automation workflows · 2 active · 2 built and ready for activation · 1 new (Apr 14)
Built Workflow Capabilities
Defender ↔ Action1 Vulnerability Cross-Reference - ACTIVE
SOC RAG Analyst Agent (AI-assisted triage) - ACTIVE
JML Automation POC (Employment Hero → IT platforms) - BUILT
ACL Review - Google WS, AWS SSO, GitHub - BUILT
SOC Weekly Executive Report (new - Apr 14) - NEW
12-Month Programme Timeline
ISMS Certification Journey - May 2026 to March 2027
Frameworks: ISO 27001:2022 + SOC 2 Type 2 · Currently in Pre-work Phase (April 2026)
Timeline (chart): APR Pre-work ✓ · MAY Q1 start · JUN Q1 mid · JUL Q1 end · AUG Q2 start · OCT Q2 end · DEC Q3 end · MAR Q4 end
Phases: Pre-work ✓ → Q1 Foundation → Q2 Build → Q3 Evidence → Q4 Certify
Q1 - Foundation (May–Jul)
ISO 27001 → 65% full readiness
SOC 2 → 75% full readiness
0 failing monitors
74 devices in Intune
CA policies enforced
IRP updated
Cert body booked (Jul)
Q2 - Build (Aug–Oct)
Full fleet enrolled
ASR rules → Block mode
8 CA policies enforced
ISO 27001 → 85%
SOC 2 evidence sprint
Pen test complete
Q3 - Evidence (Nov–Dec)
ISO 27001 → 95%
SOC 2 obs. starts Q4
Internal audit complete
Management review
Maturity score → 3.0+
Pre-cert gap review
Q4 - Certify (Jan–Mar 27)
ISO 27001 Stage 2 audit
SOC 2 obs. complete
Certification achieved
Maturity score → 3.2
Sustainable ISMS ops
AI-augmented operations
What We Have Achieved vs What Remains

Achieved to Date

  • SOC 2 monitors: 17% → 64% passing · full readiness (owner + evidence + monitor): 43.1% (87/202) - Drata, live
  • ISO 27001 full readiness: 74.5% (146/196 controls) · evidence coverage: 36.6%
  • Risk register: 41 risks documented with owners and treatment plans, signed off
  • MDM/EDR POC: 8.1/10 score, GO decision made Mar 2026
  • 25 devices in Intune MDM (Wave 1 enrollment in progress)
  • Defender for Endpoint onboarded on all 25 enrolled devices
  • Action1 RMM deployed (Windows) - patch management, vulnerability scanning, inventory
  • Apple Business Manager connected - macOS ADE enrollment ready
  • Dell Command Update compliance policy deployed via Intune
  • Entra ID + Google Workspace federation established (SAML)
  • Defender ↔ Action1 and SOC RAG Analyst Agent workflows both live and active
  • SOC Weekly Executive Report workflow launched (Apr 14)
  • 5 HIGH security alerts detected and investigated in Defender - intentionally initiated as a detection test
  • 2 malware events blocked by Defender for Endpoint - intentional test samples
  • 15 risky users identified; 11 remediated or dismissed via Entra (4 remain at risk)
  • Information Security Incident Management Program (ISIMP) v1.0 published Apr 2026

Still To Complete (Q1 May–July 2026)

  • 🟠 Intune Wave 1: expand to 30 devices (May 2026) - 25 done, 5 remaining
  • 🟠 Intune Wave 2: full fleet, ~74 devices (Jun–Jul 2026)
  • 🟠 Conditional Access enforcement (CA01 and CA02 currently report-only)
  • 🟡 Security awareness training refresh (100% completion target)
  • 🟡 First phishing simulation campaign
  • 🟡 Penetration test evidence (or new pen test scheduled)
  • 🟡 Policy consolidation: 32 → 15–18 policies
  • 🟡 Internal ISO 27001 audit (Clauses 4–10 and Annex A)
  • 🟡 Management review (ISO 27001 Clause 9.3)
  • 🟡 Vendor SOC 2 reports collected for 5 critical vendors
  • 🔵 PowerBI federated to Entra ID (SOD violation resolved)
  • 🔵 N8N automation workflows activated (JML, ACL, identity monitoring)
Priority Actions - Next 30 Days
01
Complete Wave 1 Device Rollout
25 devices enrolled - 5 more to reach Wave 1 target of 30. Wave 1 is underway; coordinate remaining enrollments with team leads this week.
02
Enforce Conditional Access
CA01 (Block Legacy Auth) and CA02 (Require MFA) are in report-only. Switch CA01 to enforcement first - lowest disruption, highest security gain.
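Report-only mode shows what CA01 would have blocked, but not whether anyone still depends on legacy authentication, so the cut-over needs an impact check first. The script below is an added example written for this page, not tooling from the report or from Microsoft. It assumes the Microsoft Graph PowerShell SDK, a policy display name of 'CA01 - Block Legacy Authentication' (the report only gives the short name CA01) and a 30-day lookback; it makes no change unless -Enforce is passed.

```powershell
# Added example (not from the report): pre-enforcement impact check and state
# flip for the CA01 "Block Legacy Authentication" Conditional Access policy.
# Assumes the Microsoft Graph PowerShell SDK. The policy display name and the
# 30-day window are assumptions; adjust to the tenant's naming.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
param(
    [string]$PolicyName   = 'CA01 - Block Legacy Authentication',  # assumed name
    [int]   $LookbackDays = 30,
    [switch]$Enforce                                                # default: report only, no changes
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All' -NoWelcome

# 1. Locate the policy and confirm it is still in report-only mode.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if (-not $policy) { throw "Conditional Access policy '$PolicyName' not found" }
"{0}: state = {1}" -f $policy.DisplayName, $policy.State   # expect enabledForReportingButNotEnforced

# 2. Enumerate legacy-auth sign-ins in the lookback window. Modern clients
#    report ClientAppUsed as 'Browser' or 'Mobile Apps and Desktop clients';
#    everything else (Exchange ActiveSync, IMAP, POP, Authenticated SMTP,
#    'Other clients') is legacy and will start failing once CA01 is enforced.
$since  = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) }

# One row per user + client combination, so the blast radius is a short list
# of accounts to migrate (or to exclude from CA01 until they are).
$impact = @($legacy | Group-Object UserPrincipalName, ClientAppUsed | ForEach-Object {
    [pscustomobject]@{
        User        = $_.Group[0].UserPrincipalName
        ClientApp   = $_.Group[0].ClientAppUsed
        SignIns     = $_.Count
        LastSeenUtc = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
    }
})
$impact | Sort-Object SignIns -Descending | Format-Table -AutoSize

# 3. Flip the policy only on explicit request. Break-glass accounts must
#    already be excluded in the policy's user conditions; this script changes
#    the state only, never the conditions or grant controls.
if ($Enforce) {
    if ($impact.Count -gt 0) {
        Write-Warning ("{0} user/client pair(s) still use legacy auth and will be blocked." -f $impact.Count)
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State 'enabled'
    $after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
    "{0}: state = {1}" -f $after.DisplayName, $after.State        # expect enabled
} elseif ($impact.Count -gt 0) {
    "Migrate or exclude the accounts above, then re-run with -Enforce."
} else {
    "No legacy-auth sign-ins in the last $LookbackDays days; re-run with -Enforce to switch CA01 to enabled."
}
```

Run it once without -Enforce, work the impact list down to zero (or to a deliberate exclusion group), then run it again with -Enforce. The same pre-check applies to CA02: swap the legacy-client filter for a query on sign-ins whose AuthenticationRequirement is singleFactorAuthentication to see who has never completed MFA registration before the policy starts prompting them.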
03
Drata Category 3 Approvals
25 controls are fully implemented with passing monitors but need sign-off in Drata. This is the fastest path to improving ISO readiness - ~2 hours of review work.
04
High Risky Users - Remediation
1 high, 1 medium and 2 low risk users (4 total) remain in the atRisk state in Entra ID. Password reset + MFA re-enrolment required. Identity team to action this week.
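The containment steps this action calls for (revoke sessions, force a credential reset) are worth scripting so they always run in the same order and against only the accounts still flagged. The script below is an added example, not part of the report or of Microsoft's tooling; it assumes the Microsoft Graph PowerShell SDK and an Entra ID P2 tenant (which the risky-user data above implies), and it only reports unless -Contain is passed.

```powershell
# Added example (not from the report): triage and contain Entra ID Protection
# users still in the atRisk state. Assumes the Microsoft Graph PowerShell SDK.
# Read-only by default; destructive actions run only with -Contain.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users.Actions
param(
    [ValidateSet('high', 'medium', 'low')]
    [string[]]$Levels = @('high', 'medium'),   # assumption: act on high/medium first, review low manually
    [switch]  $Contain
)

Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'User.ReadWrite.All' -NoWelcome

# 1. Only users Identity Protection still flags. The riskState filter drops the
#    remediated/dismissed population, so the count matches the dashboard's
#    "remain at risk" figure rather than the total ever flagged.
$atRisk = @(Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
    Where-Object { $_.RiskLevel -in $Levels })
"{0} user(s) at risk at level(s) {1}" -f $atRisk.Count, ($Levels -join ', ')
$atRisk | Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Sort-Object RiskLastUpdatedDateTime -Descending | Format-Table -AutoSize

foreach ($u in $atRisk) {
    # 2. Show what raised the risk. A password-spray hit on a dormant account and
    #    a travelling user both land here; the RiskDetail string tells them apart
    #    before anything irreversible happens.
    Get-MgRiskyUserHistory -RiskyUserId $u.Id -All |
        Sort-Object RiskLastUpdatedDateTime -Descending |
        Select-Object -First 5 -Property RiskLastUpdatedDateTime, RiskLevel, RiskState, RiskDetail |
        Format-Table -AutoSize

    if (-not $Contain) { continue }

    # 3. Containment, in this order: revoke refresh tokens so any session the
    #    attacker holds dies now, then confirm compromise. Confirming raises user
    #    risk to High, which is the trigger a user-risk policy uses to force a
    #    secure password change at next sign-in. Re-registering MFA is a separate
    #    action and is not done here.
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    Invoke-MgConfirmRiskyUserCompromised -UserIds @($u.Id)
    "Contained {0} ({1} risk): sessions revoked, compromise confirmed" -f $u.UserPrincipalName, $u.RiskLevel
}
```

One caveat that follows from the scorecard: the forced password change only happens if a user-risk policy requiring it is enabled, and this report shows 0 Conditional Access policies enforced. Until that policy is switched on, confirming compromise marks the account but the reset has to be performed by an administrator, so the two steps (enable the user-risk policy, then run containment) should be sequenced in that order.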