Have a Question?
We have provided answers for some of the most common questions we receive about the Australian Cyber Essentials.
Questions for Suppliers
ISO/IEC 27001 is an excellent comprehensive information security management system certification. ACE doesn’t replace it; it complements it for supply chain assurance. Many of your customers may not require ISO/IEC 27001, or may struggle to assess what your ISO/IEC 27001 certification means for their specific risk context. ACE provides a consistent, supply-chain-focused certification that’s easier for customers to evaluate and compare. Additionally, if you already have ISO/IEC 27001, you can often reuse existing artefacts and evidence, significantly reducing the effort required for ACE certification.
SMB1001 Gold is a strong achievement and demonstrates your commitment to cyber security. ACE builds on this foundation by focusing specifically on supply chain assurance with evidence-based verification. Whilst SMB1001 provides a practical baseline, ACE reflects current threat landscape requirements (such as endpoint detection and response rather than traditional antivirus, and modern authentication practices) and includes independent Bureau Veritas certification that provides additional credibility with enterprise customers. Your SMB1001 work will significantly accelerate your ACE journey.
We understand the frustration. That’s precisely why ACE exists: to reduce your compliance burden, not add to it. Instead of responding to 10+ different customer questionnaires per year, you build your evidence pack once, achieve Bureau Veritas certification, and reuse it across all customer relationships. ACE is designed to consolidate your compliance effort, not duplicate it. The 12 guided workshops help you work efficiently, and any existing certifications or frameworks you’ve implemented can be leveraged to reduce effort.
The 12 guided workshops are specifically designed to fit around your business operations: 1-hour sessions that can be scheduled flexibly over 12 months or accelerated based on your availability. You’re not expected to become cyber security experts overnight. Cyber Audit Team guides you through each step, helping you focus on what matters and avoid wasting time on irrelevant activities. Many suppliers find that the structured approach saves time compared to responding to ad-hoc customer questionnaires throughout the year.
ACE is not a pass/fail exam; it’s a maturity journey. If your initial evidence submission doesn’t meet requirements, you’ll receive clear feedback on what gaps need to be addressed. You can then implement the necessary controls (with support from Cyber Audit Team if needed) and resubmit evidence. Certification is issued when requirements are met. The goal is to help you succeed, not to create barriers.
They might not today, but the regulatory and commercial landscape is shifting rapidly. ASIC cyber resilience expectations, Privacy Act obligations, and cyber insurance requirements are driving enterprises to demonstrate defensible third-party risk oversight. Boards are asking questions. Auditors are scrutinising supply chains. Being ahead of this curve positions you as a trusted, forward-thinking partner. ACE certification can be the differentiator that wins you the next tender.
That’s exactly why ACE includes 12 guided workshops as part of the programme. You’re not left to figure this out alone or forced to hire expensive consultants. Cyber Audit Team provides structured support to help you understand requirements, prepare evidence, and achieve certification. If you do need additional hands-on implementation support for specific controls, that’s available separately, but many suppliers achieve certification with just the included workshop support.
It depends on your current maturity and how quickly you can implement required controls and submit evidence. The programme includes 12 guided workshops which can be delivered over 12 months or accelerated based on your readiness and availability. You control the pace.
The ACE programme includes 12 guided workshops delivered by Cyber Audit Team to help you understand requirements and prepare evidence. However, if you identify controls or mechanisms you need to implement but lack the internal capability, Cyber Audit Team can provide additional hands-on implementation support separate to the certification engagement. This might include technical implementations (MFA, EDR, patch management), policy development, or governance framework establishment. Contact Bureau Veritas to discuss your specific implementation needs.
Evidence consists of practical artefacts that demonstrate a control or mechanism is in place. Depending on the requirement, this may include documents, screenshots, configuration exports, policies, and other supporting materials. The workshops will guide you on exactly what’s needed.
Yes. The programme is specifically designed to be practical for small and medium-sized businesses. The 12 guided workshops provide structured support so you can focus effort on the controls that matter, rather than navigating vague questionnaires alone.
Questions for Enterprises
They might initially, until they realise ACE reduces their burden. Suppliers currently face questionnaire overload, with each customer asking similar questions in different ways. ACE provides them with a reusable certification they can leverage across all customer relationships. Position ACE as a benefit to your suppliers: “Get ACE certified once, and you won’t need to complete our lengthy questionnaire every year.” You’re offering them a more efficient path, not adding bureaucracy.
Position ACE as an enablement programme, not a compliance hammer. Communicate that you’re providing structured support (through the workshops) and a reusable certification that benefits them across all their customer relationships. Consider a phased approach: start with critical suppliers, demonstrate the value, then expand. You might also consider subsidising or co-funding certification for strategic suppliers as part of your supplier development programme.
Yes. ACE is designed so suppliers build a reusable evidence pack and use their certification across multiple customer relationships, reducing duplicated questionnaires. You may still request additional assurance depending on the criticality of the service and your specific risk context.
ACE provides a consistent baseline and reduces duplication, but you may still request additional assurance depending on the criticality of the service and your specific risk context. That flexibility makes the approach defensible and risk-appropriate.
General Questions
ACE exists because the current approach to supply chain cyber security assurance is broken. Enterprises can’t get defensible assurance. Suppliers are drowning in inconsistent questionnaires. ACE provides a practical, evidence-based solution that benefits both parties. Certification is issued by Bureau Veritas, a globally recognised certification body, based on independent evidence review. This isn’t about creating paperwork; it’s about creating genuine, defensible cyber security maturity.
No. Suppliers submit evidence, and Bureau Veritas independently reviews it. Certification is issued only when requirements are met. This is the key difference from questionnaire-based approaches.
No. ACE certification reflects independent review of evidence at the time of certification. It does not guarantee an organisation will not experience a cyber security incident. It demonstrates that essential controls are in place and evidenced.
ACE is not a replacement for these frameworks; it’s purpose-built for supply chain assurance. ACE curates practical, evidence-ready controls from ISO/IEC 27001, Essential Eight (including Maturity Level 1), SMB1001, and ASIC cyber resilience expectations into a supplier-friendly pathway with independent Bureau Veritas certification. Organisations with existing certifications can often reuse existing artefacts to reduce duplicated effort.
Still Have a Question?
If you haven’t found the answer to your question here, please reach out so we can provide you with the information.