The festive season has arrived: end of year celebrations, lunches, dinners, drinks, gifts. Can you have it all?

Navigating professional relationships and managing conflict of interest, particularly in the public sector, is paramount. Receiving and giving gifts and benefits is a common practice at this time of year, and its intersection with probity issues is of relevant importance.

Probity matters that might arise within this context are:

  • Conflict of Interest [actual or perceived]
  • Impartiality and potential favouritism
  • Bribery and corruption
  • Lack of transparency.

Gifts and benefits policies offer great guidance to staff and stakeholders in relation to the ethical matters to consider in a professional setting, serving as a shield against improper behaviour. The key components of an effective gifts and benefits policy include:

  • Clear definition of acceptable gifts
  • Monetary thresholds
  • Disclosure requirements
  • Gifts & Benefits register
  • Consequences for non-compliance.

Integrating probity principles into your Gifts & Benefits Policy supports ethical and robust decision making.

Does your organisation have a Gifts & Benefits Policy? Is it customized to your work environment and cover all potential scenarios?

Further Information?

If you would like to explore how Centium can help your organisation enhance its probity posture, please reach out to Joan Cavalieri, Director Probity & Ethics on Email:

It’s not uncommon, at the end of a Cyber Audit Cycle, for organisations to be hit with below than expected audit outcomes and maturity levels. At that point, the audit's outcome is locked in, and there is no possible recourse.  

This isn’t a good situation for an organisation to be in. A poor cyber audit outcome can have several negative consequences for organisations, including financial penalties, higher operational costs, compromise of confidentiality, integrity and availability of critical assets, and a loss of trust and reputation from clients and the public. 

That’s why, when it comes to Cyber security compliance audits, the heavy lifting should not be left to the end.  

This can all be avoided with a more proactive approach. In most situations, a timely mock audit can help in identifying shortcomings that, when addressed, can substantially improve an audit outcome.  

What is a mock audit? 

The mock audit is much like an actual audit, whereby the applied methodologies, standards and recommendations reflect the actual audit. Therefore, it unfurls the enigma of a review by identifying compliance gaps and areas requiring improvement and suggesting corrective actions you need to take to succeed in the audit.  

This type of proactive planning has many benefits, such as:  

  • increasing your cyber defence readiness 
  • clarifying where your organisation currently stands 
  • granting better results when the actual audit occurs  

All these benefits enable you to avoid costly fines and penalties, while enhancing stakeholders' trust and reputation in your organisation.   

A mock audit is particularly valuable if your organisation has never been examined, as there may be significant gaps and deficiencies that have not been discovered yet. Even if your organisation has already been examined, a mock audit is worth considering as there may have been significant changes in your business, such as new services or other internal and external rules and regulations, since your last audit.  

How can a mock audit help? 

  • Ensures there are no surprises that turn up during an audit  
  • Identifies gaps and sets expectations early  
  • Helps identify training needs for your key stakeholders 
  • Ensures more positive audit outcomes with higher maturity ratings 
  • Saves valuable time and resources 

Accessing independent, cost-effective mock audit and audit expertise  

An independent, competent, and qualified third-party consultant will bring a fresh perspective and assist in identifying gaps you might not even know existed. 

Centium is an agile management consulting firm that specialises in minimising risk for government organisations. A large part of that is providing independent IT and Cyber Security services that add value and mitigate risks.  

We specialise in audit services and can undertake a Cyber Security Mock Audit against your cyber security requirements, such as the NSW Cyber Security Policy, the ACSC Essential 8, NIST, PCI DSS, SOC1/ISAE3402, SOC2 or ISO27001. We can also follow up with a (cost-effective) formal audit within the defined timelines, ensuring higher audit compliance ratings along with significant time and cost savings.  

For more information about how this approach can add value to your Organisations' Cyber security efforts, please contact our Director, Cyber & IT, for a no-obligation discussion on 0412 562 797 or Alternatively, browse Centium's range of Cyber & IM services.   

Ready to work with us?

If you're a government or not-for-profit organisation that has an interest in our services, you can reach out to us at to discuss your needs, or to find out more about how our alliance could benefit you.

Procurement and contract management are two frequently occurring areas of mismanagement, fraud and corruption, both in and outside of the Government Sector

Centium has applied its many decades of combined auditing experience with the requirements and guidelines of Federal, State and Local Governments to develop an innovative and comprehensive risk maturity model over procurement and contract management.

Centium is now using this model to sharpen its auditing practices and to provide sound and targeted advice to organisations seeking to further improve the effectiveness of their procurements and to better safeguard against fraud and corruption.

The maturity model is a living example of Centium’s innovative and customer-centred approach to helping organisations better manage their risks. A snapshot of the model is copied below:

If you are interested in hearing more about the model, or in engaging Centium to review your procurement and contract management controls, contact Penny Corkill:

Honesty, fairness, impartiality, transparency, and accountability are paramount principles to ensure the probity of process and robust decision-making. Government organisations and staff are trustees of the public interests and money; hence they should be the moral exemplar, held to the highest standards, and have a duty to uphold the values, act with transparency, and accountability, and achieve the best value for money.

Society’s ethical expectations are higher than ever, and doing the right thing is critical to building, maintaining, and fostering a healthy culture, trust, and reputation. It ensures robust and good decision-making, sustainable outcomes, and the best and most efficient allocation of resources.

In upholding integrity and probity, public employees must comply with their public duties whilst ensuring their personal and professional relationships and interests, including indirect interests such as those of their friends and family, do not present a conflict. In upholding integrity and probity, all parties, especially those in senior positions, must set the tone and base their decision on legislation, policies, and ethics.

Robust frameworks and education are paramount to ensure compliance with one’s obligations and ensure accountability of those who fail to observe their duties - intentionally or not. Communication and training are the starting point for providing stakeholders with a clear outline of their roles and responsibilities relating to conflict of interest, record management, transparency, supervision, and accountability.

Recent cases illustrate the consequences of failing to have, implement and or comply with framework and standards:

Sydney Metro

The use and management of some consulting services by Sydney Metro is currently under review by a Parliamentary Inquiry. Sydney Metro is under scrutiny for awarding contracts worth millions of dollars to companies whose Directors were also executives at the organisation. Questions about Sydney Metro mismanagement of conflict of interest have been raised during the inquiry:

Given that you had [employee] sitting within Sydney Metro for ... almost ten years and he is also the Managing Director of [advisory company], what steps did Metro take to make sure the information he was privy to at Sydney Metro was not then used to benefit [advisory company] Bellgrove Advisory in relation to these contracts?

What steps does Metro take to ensure the information obtained by these consultations or contractors sitting within Metro is not then taken and misused in order to benefit their company by getting more work
out of Metro?[1]”.

It is alleged that that consulting firms with links to Sydney Metro executives were awarded contracts estimated worth of $13 million.

NDIA and Synergy360

The procurement and use of consulting firms by Services Australia and the NDIA was referred to the National Anti-Corruption Commission (NACC) for investigation. The recommendation is based on allegations relating to improper relationships and undisclosed conflict of interest and financial misconduct.

A total of 19 contracts amounting to approximately $374 million are at the heart of the allegations of undisclosed conflict of interests by APS executives and suppliers, and inadequate record keeping.

The investigation noted that Mr Stuart Robert, former NDIA Minister, met several times with suppliers during the tender processes. There were no probity advisors or other public servants at those meetings, there were no notes or records of the discussions. The supplier paid significant funds to a consultancy company, in which the Minister and his friend allegedly would have pecuniary interests in and benefited from.

Both cases are recent and follow many others where staff in government agencies failed to comply with established the probity principles, commonly through mismanagement or nondisclosed conflict of interests. This has resulted in significant reputational damage and loss of public confidence.

failure to declare or properly manage any conflict of interest[2]; “undisclosed personal relationship[3]”; “inadequate responses to reported conflict of interests[4]”; “falsely declared that [they] had no actual, perceive of potential conflict of interest[5]; “failure to declare [their] interest in real property[6]”, “failure to make a number of pecuniary interests disclosure[7]”.

Same narrative, different characters - repeatedly. It raises the question: What is the root cause? Generally, the failure to have, maintain, and implement robust probity frameworks and poor organisational culture are at the centre of it. The fix?

How to Build and Enhance Your Organisation's Probity Posture

1. Probity Principles

Live and breathe probity:

Fairness and lack of bias

Transparency and accountability

Confidentiality and security

Value for money

Audit trail

Failure to adhere to probity principles erodes public trust.

2. Good Governance

Compliance with policies and procedures.

Having policies and procedures in place alone is not sufficient. They need to be applicable, relevant and current to the public organisation. Effectively communicating policies and procedures to all staff and ensuring their compliance is imperative.

3. Tone from the Top

An effective the tone from the up is key to ensuring healthy organisational culture. It leads compliance, sets the standard , serves as a moral example and reinforces that undesirable behaviours are unwelcome. It fosters a safe environment whereby people feel free to speak up. Leadership is paramount to ethical culture.

4. Probity Awareness

Government staff must be aware of their roles, responsibilities, and probity principles. They should live and breathe probity in their day-to-day roles. Probity awareness training is vital. Training and education should be continuous.

5. Probity by Design

A robust probity framework designed to meet the public sector organisation’ needs, appetite, and profile will enable the organisation to meet its objectives. Probity is an enabler: it supports the operations and decision-making processes. It produces robust and defensible outcomes. It enhances reputation and community trust levels.

6. Conflict of Interests

Most organisations have a conflict of interest policy in place, yet most policies fail to address full gamut of the risks most organisations face. A conflict of interest policy must have a fit for purpose definition of ‘conflict’, and assist with COI risk assessment and available management strategies. It should also provide that conflict of interests’ declarations should be current and revisited. See here for more information about how to enhance your Conflict of Interests Policies.

7. Confidentiality

Confidentiality of information, particularly in procurement, is crucial to ensure the fairness and equity of major procurement and grants processes. Confidentiality Deeds and policies are effective tools, particularly when managing conflict of interests.

8. Guidelines and Protocols

Guidelines and protocols should be available to provide staff and stakeholders with directions and instructions on how to exercise their role whilst ensuring compliance with the probity principles. These should be part of the probity framework and tailored to the organisation. Protocols and guidelines may cover topics like communication, negotiations, conflict of interest management and any other relevant area.

9. Record Keeping

Recording all activities and decisions made throughout the tendering of grant processes is crucial. Good record keeping is good governance. Communications, including emails and notes of oral conversations should be documented. Notes and minutes of meetings should be taken and kept. It ensures accountability, transparency and support a defensible outcome. It allows an effective audit trail.

10. Reporting Channels

Public sector organisations must have reporting internal channels available and encourage staff and stakeholders to report issues. There should be clear process for the reporting of suspected misconduct , including relevant protections as provided at law, e.g., whistleblower protections and the Public Interest Disclosure Act. See here for further information about Whistleblower disclosures.

Further Information?

If you would like to explore how Centium can help your organisation enhance its probity posture, please do reach out to Joan Cavalieri, Director Probity & Ethics on Email:


[1] Public Accountability and Works Committee, NSW Government’s Use and Management of Consulting Services 5 September 2023 – 915am.

[2] ICAC – Operation Galley

[3] ICAC – Operation Keppel

[4] ICAC – Operation Keppel

[5] ICAC – Operation Ember

[6] ICAC – Operation Witney

[7] ICAC – Operation Witney

As expectations for transparent environmental, social, and governance (ESG) reporting continue to increase across all sectors, stakeholders expect to see better management of carbon emissions, diversity, human rights, corruption, and bribery. We’re now witnessing cyber security rapidly rising to the top of the ESG material topic list for both Boards and Government leaders.

In fact, in a recent survey, cyber security was ranked by 67% of respondents as their top concern1 and is becoming one of the most financially material ESG risks that an organisation may face.

Escalating Threats: The Surge in Cyber-Attacks and Data Breaches

Cyber-attacks and data breaches, similar to those experienced by Optus and Medibank, are increasing in frequency and severity. As the volume of attacks and breaches rises, the financial impact is heightened. A cyber-crime is reported to the Australian Cyber Security Centre every seven minutes, with an average loss of $88,407 for medium-sized businesses2.

But cyber-crimes inflict more than financial loss – they cause reputational damage, loss of data, and significant business disruption. In fact, for many small organisations, a cyber security incident could be terminal once the trust of its customers is lost.

Strategic Collaboration: Centium and ReGen Join Forces

ReGen Strategic (ReGen) is an ESG Advisory whose purpose is to enable projects and services that have a positive social and environmental impact. ReGen has identified cyber security as such a critical issue that it has entered into a strategic partnership with Centium, based on our strong record of helping organisations identify and manage their cyber security risks. We believe that this partnership represents great opportunities for ReGen clients through access to Centium’s experience and expertise. 

Cyber security should not be mistaken as a new term for IT or digital, it is about identifying and managing the risks to the confidentiality, integrity, and availability of your data, information, and systems. These are business risks that require proactive governance from the business and should form an integral part of ESG strategy.

Cyber security risks are considered throughout ReGen’s sustainability and ESG services, and are included as an integral part of their ESG maturity assessments, materiality assessments, strategies and reporting.

Centium Team

Many organisations are now disclosing cybersecurity as a material risk in their sustainability reports and annual reports, providing detailed narratives on their mitigation techniques. This also means adjusting their financial investment forecasts and budget accordingly.

ESG Maturing Assessment: A Key Enabler

ReGen’s ESG maturity assessment plays a key role in enabling organisations to align operations with international frameworks and standards, enhance stakeholder trust and confidence, mitigate risks (including cyber security), and unlock opportunities for long-term value creation.

Organisations demonstrating more advanced ESG maturity in the realm of cyber security point to formalised governance and defined roles such as data owner, data steward and data custodian (often the IT department). The data owner is aware of both the risks and threats that exist and the controls in place to reduce these to an acceptable level (risk appetite). 

Future Trends

In the near future, we expect insurance premiums to be determined by the levels of maturity a business has in place to manage its cyber security risks. For those with little in place, higher premiums will be sure to follow. Models such as the Factor Analysis in Information Risk (FAIR) deliver both qualitative and quantitative analysis of risks and provide an excellent basis for engaging business executives in the meaningful evaluation of the risks and effectiveness of controls.

We believe that Cyber Security is such an integral component of ESG that we are running a special three-part series to explore this critical topic. In upcoming parts of this series, we will explore the key first steps in being more secure, applicable benchmarks and standards, where to start, and where to access free resources. We will close the series with an examination of the supply chain and how to be a trusted supplier to win and maintain business.

*Expert guidance is provided from Scott Thomson, Centium and Colin Davies, ReGen Strategic. 

Further Information?

If you would like to explore how Centium can help your organisation be digital and cyber resilient, whilst driving sustainable growth, please reach out to Scott Thomson, Director of Cyber & IT at

  1. 2019 RBC Global Asset Management Responsible Investing Survey. ↩︎
  2. 2022 ACSC Annual Cyber Threat Report July 2021 to June 2022; accessed 24.03.2023 at: ↩︎

Mishandling complaints and allegations, particularly whistleblower disclosures, can harm the individuals involved in them and damage your organisation’s reputation.

Organisations may also be subject to financial penalties of up to 10% of turnover (capped at $125M), with individual staff being liable to fines of up to $3.15M.

Most of the avoidable mistakes occur in the initial stage of assessing complaints and disclosures made under whistleblower legislation. Here are some best practice steps you should take to avoid the pitfalls.

Your first moves

  • Take all complaints and disclosures seriously, and initially form no opinion about their merits
  • Separate the roles of complaints/disclosure manager, investigator and decision-maker
  • If the complainant is a whistleblower, do not disclose to anyone their identity or the information they provide without their consent, unless that disclosure is specifically authorised by law- find out more here and here
  • Discover and document the outcome the complainant wants or expects

Protecting those involved

  • Conduct a risk assessment, including considering the options to ensure the safety of the parties, witnesses and others, and protect the assets and interests and reputation of the business
  • If you are considering suspending an employee while the complaint is being dealt with, fully consider all other viable options that would have lower impact on the employee and the business  
  • Assess whether the complaint would, if proved, be a serious breach of the standards of behaviour you expect from your employees, i.e., misconduct
  • If the matter involves legal issues, obtain legal advice
  • Deal with the complaint in accordance with any procedures contained in the relevant award, industrial agreement and your organisation’s policy for dealing with complaints and misconduct

Determining severity & urgency

  • If you assess that a complaint is a low-level, low-risk grievance or a performance issue, etc., clearly document this and deal with it by alternative dispute resolution- find out more here
  • If the alleged conduct is notifiable or reportable conduct, notify the relevant authorities
  • Ensure the available physical and electronic evidence is identified and secured
  • Immediately impound and isolate any computers or other electronic devices and storage media to ensure any information they might contain is not intentionally or unintentionally corrupted, removed or overwritten. Maintain a complete record of how and where they are stored and who has access to them

Involving external expertise

  • If you assess the complaint involves alleged misconduct or an inappropriate state of affairs or circumstances (as defined in the whistleblower protection provisions in the Corporations Act), assign or engage a qualified and experienced independent investigator to investigate the matter
  • Provide detailed terms of reference to the investigator
  • Ensure the investigator declares any actual or perceivable conflict of interest or bias, and appropriately addresses any matters disclosed in such declarations
  • Advise the parties to the complaint (complainant and respondent) at the appropriate time that an investigation has commenced and the need for them to maintain confidentiality, having regard to the integrity of the investigation and evidence gathering process
  • Ensure that the respondent is advised of the allegations made about them and that they are given the opportunity to respond to them (procedural fairness)
  • Ensure welfare support is provided to the complainant, any subjects of allegations, and any other parties who may be affected
  • Maintain appropriate confidentiality as to the identities of the parties, the content of the complaint/disclosure, and the fact that an investigation is underway

How Centium can help

Centium’s team of 12 senior Investigators (including the former NSW Deputy Ombudsman) has extensive experience in undertaking confidential and sensitive assessments, reviews and investigations resulting from employee complaints and disclosures that relate to alleged workplace misconduct.

As a result of this collective experience, we are well qualified to guide you through all phases of the complaint handling process. We can also provide training for your internal complaint handlers and investigators.

To discuss your investigation needs, browse Centium's Ethical Conduct & Investigations services. Additionally, for more information about how our learning and development solutions can meet your unique needs and circumstances, please contact us or check out our Learning and Development services.

Unfortunately, another NSW politician was recently asked to step down from the Ministry and referred to ICAC. Allegations suggest he breached his Code of Conduct and its conflict of interest provisions. This incident comes only a month after ICAC’s Operation Keppel uncovered seriously corrupt conduct by the former NSW Premier Gladys Berejiklian. She failed to disclose personal interests that could have influenced the performance of her public duty.

In response to the risks identified during their investigation, Operation Keppel has proposed some corruption prevention recommendations as identified in the ICAC investigation. The first two recommendations are as follows:

  1. Amend the Code of Conduct for Members and the NSW Ministerial Code of Conduct to incorporate seven general principles of conduct developed by the United Kingdom’s Committee on Standards in Public Life; and
  2. Develop a comprehensive framework within the NSW Parliament to provide Members with practical guidance about how to avoid, disclose and manage common conflicts of interest.

Principles of Public Life

Centium plans to include these highly relevant and appropriate principles of public life in our Code of Conduct training program for both elected and professional individuals working in NSW state and local governments:

  1. Selflessness: Public office holders should act solely in terms of the public interest.
  2. Integrity: Public office holders must avoid any obligations that could inappropriately influence their work. They should not make decisions for personal financial or material gains and must disclose and resolve any interests and relationships.
  3. Objectivity: Public office holders must act impartially, fairly and based on merit, without discrimination or bias, using the best evidence available.
  4. Accountability: Public office holders are accountable to the public for their decisions and actions and must subject themselves to scrutiny to ensure this.
  5. Openness: Public office holders should act and decide in an open and transparent manner, with information being withheld only for clear and lawful reasons.
  6. Honesty: Public office holders should be truthful in all their dealings.
  7. Leadership: Public office holders should exhibit these principles in their behaviour, treat others with respect, actively promote and support these principles, and challenge poor behaviour wherever it occurs.

Conflicts of Interest - Teaching with Scenarios

At Centium, our training programs use practical and engaging scenarios to help participants understand and recognise potential conflicts of interest. Here are some examples of scenarios:

Council is considering nominating community members to an advisory panel. One of the candidates contributed $2000 in June 2021 to your last political campaign. Do you have a conflict of interest? If so, what type?

A friend you have known for eight years through your previous workplace recently becomes a supplier to your Workplace. They send you a bunch of flowers to your home. What should you do?

Council is considering a draft Local Environmental Plan. You live in the LGA. Do you have a conflict? If so, what type? What about if you also own three investment properties in the LGA? Do you need to make a disclosure?

Further Information?

If you would like to explore how Centium’s Learning and Development specialists can ensure that your staff and elected members understand how to identify and declare conflicts of interest under your Code of Conduct, please reach out to Sarah Artist, our Senior Manager at

Internal Audits of Integrated Planning and Reporting - Maturing Assessments

Centium has recently been engaged by several NSW Councils to evaluate whether legislative requirements are addressed in their Integrated Planning and Reporting (IP&R) documents.

These evaluation assessments are timely considering that councils are starting to prepare for the next IP&R cycle and provide councils with an opportunity to reflect on and assess their current suite of documents prior to their review for the September 2024 elections.

Our Scope and Approach

The Scope of our value-adding, maturity assessments is to evaluate whether IP&R processes are managed efficiently and accurately and for the benefit of Council and the community.

Our methodology involves an assessment against the Integrated Planning & Reporting Handbook (Office of Local Government, 2021) standards, which includes a checklist for councils in preparing their IP&R documents.

We assess the maturity of each of our clients’ IP&R elements against the Handbook (i.e. good, better, best). 

As our portfolio of engagements builds, we would now offer some reflections on the maturity of each IP&R element (noting of course that every council is different!).

Key Themes from Conducted Audits

Firstly, while the preparation of the overarching 10 year, four year and one year corporate documents are on the whole adequately resourced within councils, the individual elements of the Resourcing Strategy (e.g. Asset Plans, Budgets and Workforce Plans) are often developed in isolation and not well-aligned with other key corporate documents.

For example:

Long-Term Financial PlanKey workforce management strategies are not always reflected in the Delivery Program.
Would benefit from a detailed review of labour needs and gap analysis
Costs associated with delivering the Workforce Management Strategy not reflected in the Long Term Financial Plan.
Not always well aligned and often requires more consultation.
Workforce Management PlanningAsset registers and condition information are not up-to-date and regularly reviewed.
Asset management plans are outdated. 
Asset Management Strategy & PlansAsset registers and condition information are not up-to-date and regularly reviewed.
Asset management plans are outdated. 

All of our recommendations are first shared with council’s management team prior to finalising, and by presenting our agreed recommendations to the Audit, Risk and Improvement Committee we raise awareness and facilitate consideration of resourcing and timing issues.

In all cases, we have appropriately shared better practices and case studies to assist councils to build capacity and inform planning of IP&R processes for the next cycle.  We have also supported the resolution of complex integration and alignment issues by facilitating workshops with Executive teams as and when requested. 

Centium’s integrity, independence, and extensive experience in providing risk and assurance services to a wide range of private and public sector organisations contributes to ensuring that our views are objective, and our analysis is sound and evidence based

How to Contact Centium

For further information on the IP&R Internal Audits, please contact Penny Corkill, Director Risk & Assurance on +61 0409 251 011 or email

Cyber attacks can happen to any business at any time – reports show that in 2022, a cyber crime was reported every seven minutes. Targets vary from SMEs to large government departments and organisations, and they are increasing in both severity and frequency, with the capacity to cost organisations thousands of hours and millions of dollars. The average cost per incident for medium business was $88,000.

A Cyber Incident Response Plan enables the timely, consistent, and appropriate response to suspected and confirmed security incidents. An effective Plan will protect information and assets and minimise harm to individuals/entities that may be affected by the incident. 

Such plans are also intended to promote consistency in the way that an organisation prepares for and responds to a security incident, by documenting roles and responsibilities, risk assessment and escalation procedures, and notification requirements.

The following video discusses the benefits of Cyber Incident Response Plans:

The Benefits of Cyber Incident Response Plans

Testing your plan is essential

The sixth annual Cyber Resilient Organization Study  (conducted by IBM Security and the Ponemon Institute) showed that more than half of organisations with Cybersecurity Incident Response Plans fail to test them or had no timeframe set for testing. This can leave them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

Earlier this year, the highly regarded Ponemon Institute released its annual Cost of a Data Breach Report. This year’s report offers insights into cyber breaches from March 2022 and March 2023, alongside recommendations on how to reduce business risk. Within the report there were several key findings, including how testing has played a role in reducing the cost of a data breach:

“Organizations with both an IR [Incident Response] team and IR plan testing identified breaches 54 days faster than those with neither..”

Now, we are presuming that you have a solid cyber security incident response plan in place, and it’s communicated to all required stakeholders. But does it work in the real world?

To quote Mike Tyson, “Everyone has a plan until they get punched in the mouth.” And when a real cybersecurity incident occurs, the punches will be flying. So, you need to regularly test your cybersecurity incident response plan, along with the capacity of the people and technology that will carry it out to make it more effective.

Picking the Right Incident Response Plan Test

If you're not motivated to do regular testing, others may provide the purpose you need. Major third-party compliance frameworks such as NSW Cyber Security Policy (CSP), MAS TRM, SOC 2 and PCI DSS, for example, require an annual test of your incident response plan, even though they don’t specify an exact testing approach. Your organisation's cybersecurity maturity and risk level may also indicate that you need semi-annual or quarterly tests.

By implementing a regular testing regime your testing will become more effective and you will have more frequent opportunities to identify components of the plan that have gone out of date.

Your customers may have more stringent security contractual requirements than the frameworks about the testing approach. We have seen some companies recently tell potential vendors that their testing process is not rigorous enough. This has resulted in the vendor having to decide whether the contract was valuable enough to justify the time and expense of running a thorough simulation test every year to satisfy and hopefully retain the customer.

The National Institute of Standards and Technology (NIST) Special Publication 800-84 defines two types of exercises and tests:


Tabletop Exercise

A tabletop exercise is a discussion-based session where a team discusses their roles and responses during a security incident, walking through one or more example scenarios. The atmosphere is collegial and exploratory. The primary objectives of the tabletop exercise are to:

  • increase security situational awareness;
  • facilitate discussion of appropriate incident responses; and
  • identify gaps and issues in the Incident Response Plan.

In this, a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. It's only worth starting a tabletop exercise if you already have some form of response plan in place for the scenario you'll be running through. Tabletop exercises are great for testing plans.

Functional Exercise

Functional exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment. These tests not only evaluate what your team would do when confronted with a major incident but also how they would do it. Unlike simulated attacks, which are often still conducted tabletop style, functional exercises are designed to test the roles and responsibilities of specific team members, procedures, and assets involved in one or more practical aspects of a plan (e.g., communications, emergency notifications, IT equipment setup).

Functional exercises vary in complexity and scope, from validating specific elements of a plan to full-scale exercises that address all plan elements. Functional exercises allow staff to execute their roles and responsibilities in an actual emergency situation, albeit in a simulated manner.


Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.

Tests and exercises vary in complexity and level of effort, with functional exercises and tests providing the highest assurance that incident response plans and procedures would operate as intended during a real incident. Tabletop exercises provide a good mechanism to ensure personnel with incident response duties understand their roles, responsibilities, and procedures.

Incident Response Test

Guideline NIST SP 800-61 establishes the incident response life cycle, summarised in the table below. The incident response life cycle should be the basis of the organisation’s incident response policy and procedures, and the policy and procedures should be built to include activities performed at each stage of the life cycle.

IR Lifecycle StageSummary of Incident Activities
Preparation1. Provide training and awareness for all individuals in recognising anomalous behaviour and specific reporting requirements for suspected breaches
2. Gather contact information for incident handlers
3. Gather hardware and software needed for technical analysis; and
4. Perform evaluations, such as tabletop exercises, of the Incident Response (IR) capability.
Detection & Analysis1. Monitor information system protection mechanisms and system logs
2. Investigate reports of suspected breaches
3. Notify Authorities
Containment1. Choose and implement strategy for preventing further loss based on level of risk
2. Gather and preserve technical evidence, if applicable
Eradication1. Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable.
Recovery1. Restore systems via appropriate technical actions such as: restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.
Table 1: Incident Response Lifecycle

Organisations should develop test and exercise material to guide the execution of the test, including a test scenario for a hypothetical breach. The table below provides some example scenarios that can be tailored to meet organisation needs:

Breach ScenarioTabletop Exercise Objectives
Through a routine evaluation of system logs, a system administrator discovers that data has been exfiltrated from the system by an unauthorised user account.1. Determine the actions that would help prevent this type of incident (preparation).

2. Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).

A remote user has lost his/her laptop. The user’s job function required that organisation data be stored on the laptop.
3. How to prevent further damage (containment),

4. How to clean the system (eradication
After a recent office move, it is discovered that a locked cabinet containing sensitive data is missing. 5. How to restore the system in a secure manner (recovery).
Table 2: Sample Incident Response Evaluation Scenarios

Evaluating your testing exercise

Evaluating the exercise is a critical step to ensuring success of the incident response program. After the test or exercise is complete, the participants should conduct a debriefing to discuss observations for things that worked well and things that could be improved.

The comments and issues that emerge during the debriefing, along with lessons learned documented by the data collector during the exercise, should be captured in the Post Action Report (PAR). The PAR should also document observations made throughout the exercise and participants during the exercise and recommendations for enhancing the IR plan that was exercised.

In general, IR tests and exercises should:

  • Be organised, facilitated undertakings
  • Leverage the facilitator’s guides, participants guide, and PAR templates given in NIST SP 800-84
  • Include individuals with incident response responsibilities, such as business/mission owners, IT management, technical points of contact
  • Include simulating contact to the APRA or OAIC or Authority, or a test contact
  • Test contacts to APRA and the OAIC should be clearly identified as an exercise or test upon contact in all conversations and written submissions
  • Produce documentation that serve as verifiable evidence the exercise took place
  • Produce documentation that captures the actions necessary to identify, report, contain, and remediate the incident at each stage of the incident response lifecycle
  • Produce a PAR describing operational gaps and plans to mitigate those gaps. incident response plans, policies, and procedures need to be updated with results from the PAR

You should regularly review and update the incident response plan (including threat specific plans) and practice them regularly.

Support from security specialists

Centium has extensive experience partnering with clients to raise cyber security awareness, identify and manage cyber and IT risks, and build resilience. Our cybersecurity professionals are highly skilled at translating technical concepts into practical plans and procedures. 

We also have a proven track record creating robust incident response plans (including threat specific playbooks) and facilitating scenario tests that enable organisations to realise and address gaps in existing planning documents quickly.

Our approach allows your staff to actively participate in facilitated scenarios and role plays, while we independently observe proceedings. At the end of the workshop, we will debrief with the team, and provide a report on our findings and opportunities for improvement.

Contact our Director, Cyber, & Information Management for a no-obligation discussion on 0412 562797 or Alternatively, browse Centium's range of Cyber & Information Management services. 

Well, who would have thought that one of the major international talking points this past week (at least amongst the world’s cricket playing nations) would be on the interpretation of Law 38 of the Laws of Cricket!!

The stumping of England batsman Johnny Bairstow and the subsequent furore regarding perceived poor sportsmanship and allegations of “not being in the spirit of the game” have reached into the hallowed Lords Members Stand and the front and sporting pages of hundreds of publications around the world. Even Prime Ministers Rishi Sunak and Anthony Albanese have joined the commentary, which to my recollection is the first time cricket has been elevated to this level since the Bodyline series of the 1930’s.

While the umpires have ruled that the dismissal was entirely within the rules of the game, various sporting dignitaries past and present have expressed the opinion that at times such Laws need to be flexibly applied, including the provision for the fielding captain to have a veto power to reverse invoking such Laws (by withdrawing an appeal).

Flexibility in the Workplace

You may be wondering what is the relevance of this sporting controversy, and how it translates to our workplace? All of us, especially those who work within the Public Sector, operate in organisations whose mandates and operations are governed by a fairly rigid framework of legislation, policies, procedures, rules and guidelines. Such a framework is essential to ensure transparency, accountability, effective use of public monies and acceptable behaviour by staff members, while ensuring the objectives of the organisation are being realised.

However, there are times when emerging issues, human behaviour and/or a lack of precedent places delegated decision makers in the difficult position of having to make a choice between inflexibly applying the “letter of the law”, or adopting a more pragmatic approach to addressing a particular issue.

Practical Examples

A classic example of this was the very effective manner in which most organisations responded to the Covid pandemic, whereby innovative flexible working arrangements and service delivery approaches were rapidly adopted by management and staff, notwithstanding they may have not been consistent with prevailing Industrial Relations rules and policies.  In relation to business continuity and the provision of ongoing quality services to the clients of such organisations, previously unheard of flexible service delivery arrangements were agreed upon by all parties and rapidly implemented.

Another example was the morphing of the fieldwork components of internal audit and risk management reviews from previously being almost entirely on-site to the current, more cost-effective and equally compliant hybrid of remote and onsite components. This hybrid model has proven to be so successful that it is expected to continue well beyond covid.

While governing Legislation and related Departmental Policies must be respected and religiously complied with, recent occurrences have shown there is still scope for flexibility to apply practical and client-centric interpretation of the procedures related to such governance frameworks. When exercising this flexibility it is important to be totally transparent, ensure all key stakeholders are involved and fully informed and that all key decisions and supporting documents are documented and securely stored.

Because after all, no one wants to be caught out or bowled over by an unexpected googly!!

Further Information?

If you would like to explore how Centium’s assurance and transformation specialists can help your organisation flexibly manage the unexpected during periods of change, please contact: Phil O’Toole, Managing Director at

Ensure the Protection of Data and Assets

The NSW Audit Office recently released its 2022 report on local government and highlighted many areas of improvement required of local governments. The audits revealed that 47% of councils lacked a cyber security plan, leaving their data and assets vulnerable. Additionally, deficiencies were found in crucial areas such as policies, procedures, privileged access management, and internal controls. The report warns of potential consequences, including data destruction, theft, denial of service(s), and the financial impacts of repairing affected systems, networks, or devices. Establishing a solid foundation for cyber security requires implementing controls outlined in the NSW Office of Local Government Cyber Security Guideline, as well as technical controls provided by the Australian Cyber Security Centre and their Essential Eight controls.

The Growing Threat to Local Government

The significance of cyber security is increasing as a threat and cannot be underestimated, affecting all organisations, including local government. Data from the Australia Cyber Security Centre indicates that the average cost of a cyber security incident for medium-sized organisations exceeds $80,000 per incident. Safeguarding the confidentiality, integrity, and availability of data and systems is crucial in mitigating both external threats and internal vulnerabilities caused by poor practices and processes. The initial steps to address this issue involve developing a robust cyber security plan and implementing a comprehensive cyber security framework, complete with policies and procedures. These measures help establish clear roles and responsibilities throughout the organisation. Supporting these efforts with regular cyber security training and awareness programs for all staff is essential. Testing incident response plans and conducting simulations of cyber-attacks through techniques like penetration testing and phishing simulations are effective ways of ensuring that plans and playbooks are thorough and well-practiced for when they are really needed.

Centium's Expertise in Local Government Cyber Security

Over the past two years, Centium has conducted health checks and audits on cyber security for more than a dozen councils. As a result, we have gained valuable insights into the level of maturity of these councils in relation to the Office of Local Governments Cyber Security Guidelines. Through this work, we are able to offer our clients benchmark data, enabling them to better understand their level of maturity in comparison to the guidelines set by the State of NSW.  However, it is important to emphasise that the goal should not simply be to achieve the highest level of maturity across the State, but rather to effectively manage the specific risks and threats each Council faces.

We also stress to our clients that building and implementing their cyber security plan is a multi-year journey that requires engagement from all aspects of the organisation. It should not be seen as solely an issue for the IT department or systems. Robust training and awareness programs are necessary to foster a shift change in the culture within councils to identify and manage cyber security risks as part of day-to-day operations.

The approach taken to identify and manage cyber security risks should be consistent with the council’s enterprise risk management framework. Special attention should be given to ensuring that the risk analysis accurately reflects the likelihood and consequences of cyber threats. This may entail a review of their broader risk management framework for some councils. At the very least, it provides an opportunity for councils to refresh their risk registers and ensure they reflect all current and emerging risks.

Partner with Centium for Enhanced Cyber Security

We look forward to opportunities to work with more councils and assist them in understanding their current cyber security posture. Our expertise can help identify areas where improvement is needed and provide recommendations to enhance your Cyber Security maturity, security and overall resilience. If you would like to explore how we can help your organisation, please contact: Scott Thomson, Director of Cyber & IT at

Our Clients

Top phone-handset