The short version. Put a name on security ownership, including at board or owner level. Keep a one-page risk register and let it - not vendor marketing - drive what you buy next. Write policies short enough that people actually read them. Treat your suppliers' security as your problem, because in an incident it will be. Climb the Essential Eight ladder from Maturity Level 1 toward 2, which is where application control finally arrives. Report a handful of honest metrics on a schedule. Then decide deliberately whether certification is worth it for your sales reality - and if it isn't yet, say "aligned, not certified" and mean it.

Where Stages 1 to 3 left you

You have the preventive baseline (Foundation), an identity layer (Identity & Access), and eyes on the environment with a plan for bad days (Detection & Response). What's missing is the connective tissue: who owns all this, how decisions get made, and how anyone outside your head can verify it. Same format as every stage - What, Why, Roughly what it costs - and the same honesty rule on figures: list prices by name, everything else as clearly labelled rough ranges, current as of June 2026. Stage 4 is the cheapest stage in dollars and the most expensive in discipline.

1. Put a name on it - including upstairs

Governance starts embarrassingly simply: a named person accountable for security, and a named person at ownership or board level who receives reports about it. Not a committee, not "IT generally" - names. Without them, every control you've built is an orphan that decays.

What to do. Appoint a security owner - in most small businesses this is a hat worn by the IT manager, the operations lead, or a founder, and that's fine as long as it's explicit and they have time carved out for it. Then connect it upstairs: a standing item on the board or leadership agenda, owned by a named director or the owner, with the reporting from step 6 feeding it. Write both names down in the policy from step 3. If you have no internal candidate, this is also the legitimate slot a fractional or virtual CISO fills.

Why it matters. NIST CSF 2.0 elevated governance to its own function (Govern) precisely because programs without ownership fail, and GV.RR is explicitly about roles and accountability. ISO 27001 requires defined security roles (A.5.2) and, at the management-system level, leadership commitment. In Australia the legal layer is real: ASIC's case against RI Advice established that inadequate cyber risk management can breach directors' and licensees' obligations - accountability exists whether or not you assign it, so assign it.

Roughly what it costs. Free in cash; honest in hours. Budget a real fraction of someone's week (even half a day, protected) plus a recurring leadership agenda slot. A fractional CISO, if you go that way, is typically a per-day or monthly retainer arrangement - get quotes; shapes vary too much for a useful number here.

2. Keep a risk register that actually drives decisions

A risk register sounds like enterprise theatre, but the small-business version is one page and it answers the most valuable question in security: what should we do next, and what are we consciously accepting? Without it, spending follows the loudest vendor; with it, spending follows your risks.

What to do. List your top risks in plain business language - "invoice fraud redirects a large supplier payment", "ransomware stops the warehouse", "the file server dies and backups don't restore", "our biggest customer's data leaks from a supplier portal". For each: rough likelihood and impact (high/medium/low is plenty), a named owner, and the decision - treat it (a control, with a date), accept it (in writing, by someone entitled to), or transfer it (insurance). Review it quarterly in the leadership slot from step 1, and let it drive the next stage of spending. Ten to fifteen risks is a healthy size; fifty is a filing cabinet.

Why it matters. Risk assessment is the engine of ISO 27001 (clause 6 - it's what the whole management system runs on) and of CSF 2.0's GV.RM. It's also your best legal artefact: a register showing risks identified, decisions made, and actions dated is exactly the "demonstrable diligence" regulators and courts look for - and the difference between "we never thought about it" and "we assessed it and made a defensible call."

Roughly what it costs. Free - a spreadsheet, an afternoon to draft, an hour a quarter to keep honest. GRC software exists and is unnecessary at this size; the register's value is the thinking, not the tool.

3. Write policies that fit on a page

The failure mode of small-business policy isn't absence - it's the 40-page template bought or downloaded, never read, and contradicted by daily practice. A policy nobody follows is worse than no policy: it's documented evidence you knew and didn't do.

What to do. Write a handful of short documents that describe what you actually do: an acceptable-use policy (what staff may do with company systems), an access policy (the Stage 2 joiner-mover-leaver and admin rules, now official), a backup policy (what's backed up, how often, the restore-test cadence from Stage 1), the incident response plan from Stage 3, and a short top-level security policy naming the owner from step 1 and committing leadership to the program. One page each is a feature, not a compromise. Date them, review them annually, and - critically - when practice and policy disagree, change one of them.

Why it matters. Policies are how the program survives staff turnover and how it gets verified by anyone external: ISO 27001 A.5.1 requires them, CSF 2.0 GV.PO expects them, and every customer security questionnaire and cyber-insurance proposal asks for them by name. Short ones get read, which is the entire point.

Roughly what it costs. Free if you write them yourself from what you already do (the honest order: practice first, then the policy describing it). Template packs and policy services exist at modest cost, but a bought policy that doesn't match reality fails audits and helps lawyers - the expensive way.

4. Treat supplier security as your security

Your accountant, your managed IT provider, your payroll platform, and your industry-specific SaaS all hold your data or your access. When one of them is breached, your obligations - notification, customer conversations, the lot - are triggered just the same. Supply chain is now where a large share of small-business incidents actually start.

What to do. Start from the Stage 1 inventory: list the suppliers that hold sensitive data or privileged access, and rank them by blast radius. For the important ones, ask the short questions: do they support SSO and MFA (Stage 2 says new tools must), where is the data, what's their breach-notification commitment to you, and do they hold any recognised attestation? Put breach-notification and data-handling expectations into new contracts as they renew. Give supplier access the Stage 2 treatment - least privilege, expiry dates, and removal when the engagement ends. And add your top suppliers to the risk register, because that's where the decision about trusting them belongs.

Why it matters. CSF 2.0 added supply-chain risk to the Govern function (GV.SC) because this is now a primary attack path; ISO 27001 A.5.19-A.5.22 cover supplier relationships and their monitoring. It's also a two-way street you benefit from: as your customers mature, you are their supplier risk - the questionnaire you can answer well in step 7 is the deal you don't lose.

Roughly what it costs. Free to do at this scale - questions, contract clauses at renewal, and register entries. Third-party risk platforms exist for when you have hundreds of vendors; at a dozen that matter, a spreadsheet and a recurring review beat any tool.

5. Climb the Essential Eight ladder - ML2 and the return of application control

Foundation got you to roughly Essential Eight Maturity Level 1 and deliberately deferred one strategy: application control. Stage 4 is where the climb to Maturity Level 2 happens - and where that deferred step comes due.

What to do. Self-assess honestly against the Essential Eight Maturity Model (ASD publishes the model and assessment guidance free) - strategy by strategy, evidence required, no generous rounding. Then close the ML2 gaps on a plan: faster patching windows, phishing-resistant MFA coverage (Stage 2 started this), privileged-access hardening, and the logging requirements Stage 3 started. Application control - only approved software runs - arrives now, and the pragmatic path on Microsoft estates is to pilot in audit mode first (WDAC or AppLocker), learn what actually runs from the inventory, then enforce on the highest-risk machines before going wide. Expect this to be a multi-month project, not a setting.
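The audit-mode pilot described above, as an added example rather than anything from this guide or from ASD: an AppLocker policy built from what is actually installed on one device, switched to AuditOnly so nothing is blocked, and a summary of what enforcement would have stopped. The scratch path, the directories scanned, and the event IDs used are stated in the comments; run it in an elevated PowerShell on a Windows 10/11 Pro or Enterprise device.

```powershell
# Added example, not from the guide: pilot AppLocker in audit-only mode on one
# device, then summarise what enforcement would have blocked. Run elevated.
# $PolicyPath is an assumed scratch location; the scan roots are a starting
# point only, and DLL rules are deliberately left out of the first pilot.
$PolicyPath = "C:\Temp\applocker-audit.xml"
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Build rules from the software actually present: publisher rules for
#    signed files, hash rules for the rest. -Optimize collapses duplicates.
$scanRoots = "C:\Program Files", "C:\Program Files (x86)", "C:\Windows"
$fileInfo = foreach ($root in $scanRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, Script, WindowsInstaller
}
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Set every rule collection to AuditOnly: nothing is blocked, but the
#    AppLocker event log records what would have been.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = "AuditOnly"
}
$policy.Save($PolicyPath)

# 3. Apply locally. For a fleet, import the same XML into a GPO or an Intune
#    profile instead. AppLocker only evaluates while the Application Identity
#    service runs; sc.exe is used because the service is protected and
#    Set-Service may be refused.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 4. After the pilot period, read the audit events. 8003 (EXE and DLL log)
#    and 8006 (MSI and Script log) both mean "ran, but would have been blocked".
$wouldBlock = Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-AppLocker/EXE and DLL",
              "Microsoft-Windows-AppLocker/MSI and Script"
    Id      = 8003, 8006
} -ErrorAction SilentlyContinue

# 5. One line per binary, most frequent first: this is the exception list to
#    work through (add a rule, or remove the software) before enforcing on
#    the first high-risk machines.
$wouldBlock |
    ForEach-Object {
        if ($_.Message -match '^(?<path>.+?) was allowed to run') { $Matches.path }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = "Binary"; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Leave the policy in audit mode for long enough to cover a month-end and any quarterly tools, then review the list with the person who owns the exception process before flipping a collection to Enabled; a rule set generated from one machine will not cover everything that runs on the others, which is why the inventory from Stage 1 and a per-collection rollout matter more than the cmdlets.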

Why it matters. ML2 is the level ASD pegs against attackers willing to invest somewhat more in a target - a fair description of who attacks an established, growing business. It's increasingly the level government and large-enterprise tenders ask suppliers about, which makes the climb a commercial asset, not just a defensive one. And application control specifically is one of the strongest anti-ransomware controls that exists - it was deferred for difficulty, not for value.

Roughly what it costs. The tooling is largely already yours (WDAC/AppLocker ship with Windows; the management plane is your existing device management). The honest cost is sustained effort: the assessment is days, the ML2 climb is months of part-time project work, and application control needs an ongoing exception process - which is why it lives in the stage where someone owns the program.

6. Measure a little, report on a schedule

"Are we secure?" is unanswerable. "Patch latency is nine days, MFA coverage is 100%, the March restore test passed, two incidents this quarter, both closed" is a security program a non-technical owner can govern. A few honest numbers, reported on a rhythm, beat any dashboard.

What to do. Pick a handful of metrics you can produce without heroics, each tied to a stage of this guide: patch latency against your own policy (Stage 1), MFA and EDR coverage as percentages with the gaps named (Stages 2-3), backup restore tests passed (Stage 1), alerts triaged and median response time (Stage 3 - whether in-house or your MDR's report), and risk-register actions closed versus overdue (this stage). Report them quarterly to the leadership slot from step 1, on one page, including the bad news - the metric that's allowed to look bad is the one that gets budget.

Why it matters. CSF 2.0's GV.OV is oversight: leadership reviewing whether the strategy is working and adjusting. Metrics are also what boards and directors need to discharge the oversight duty the regulators keep pointing at - a director who receives and engages with quarterly security reporting is in a defensibly different position from one who never asked. And internally, measurement is what stops the program decaying back to Stage 0 the moment attention moves on.

Roughly what it costs. Free - the data already exists in the platforms you configured in Stages 1-3. The cost is an hour a quarter to compile and the discipline not to skip the quarter where the numbers look bad. That quarter is the one the process exists for.
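The one-page quarterly report from step 6, including the risk-register position from step 2, as an added example that is not part of the guide: it computes patch latency against your own window, coverage percentages with the gaps named rather than averaged away, and treated risks closed versus overdue as of the report date. Every device and register record is constructed for the example; in practice the two arrays would come from Import-Csv of your inventory export and the register spreadsheet, and the report date and patching window are assumptions you would set to your own.

```powershell
# Added example, not from the guide: compile the quarterly metrics (step 6)
# and the risk-register position (step 2). All records below are constructed;
# replace the two arrays with Import-Csv of your own exports.
$AsOf            = Get-Date "2026-06-30"   # quarter end (assumed)
$PatchPolicyDays = 14                      # your own patching window (assumed)

$devices = @(
    [pscustomobject]@{ Name = "FIN-LT-01";   Released = "2026-05-12"; Installed = "2026-05-19"; Mfa = $true;  Edr = $true  }
    [pscustomobject]@{ Name = "WH-PC-02";    Released = "2026-05-12"; Installed = "2026-06-02"; Mfa = $true;  Edr = $true  }
    [pscustomobject]@{ Name = "OPS-LT-03";   Released = "2026-05-12"; Installed = "2026-05-20"; Mfa = $true;  Edr = $false }
    [pscustomobject]@{ Name = "SRV-FILE";    Released = "2026-05-12"; Installed = "2026-05-26"; Mfa = $true;  Edr = $true  }
    [pscustomobject]@{ Name = "CONTRACT-LT"; Released = "2026-05-12"; Installed = $null;         Mfa = $false; Edr = $true  }
)
$risks = @(
    [pscustomobject]@{ Id = "R1"; Risk = "Invoice fraud redirects a supplier payment"; Decision = "Treat";    Due = "2026-05-31"; Status = "Closed"   }
    [pscustomobject]@{ Id = "R2"; Risk = "Ransomware stops the warehouse";             Decision = "Treat";    Due = "2026-06-15"; Status = "Open"     }
    [pscustomobject]@{ Id = "R3"; Risk = "File server dies, backups don't restore";    Decision = "Treat";    Due = "2026-09-30"; Status = "Open"     }
    [pscustomobject]@{ Id = "R4"; Risk = "Customer data leaks from supplier portal";   Decision = "Transfer"; Due = $null;        Status = "Accepted" }
)

# Median rather than mean, so one forgotten laptop cannot hide behind the fleet.
function Get-Median([double[]]$Values) {
    $sorted = @($Values | Sort-Object)
    $n = $sorted.Count
    if ($n -eq 0) { return $null }
    $mid = [int][math]::Floor($n / 2)
    if ($n % 2 -eq 1) { return $sorted[$mid] }
    return ($sorted[$mid - 1] + $sorted[$mid]) / 2
}

# Coverage as a percentage, with the devices that make up the gap named.
function Get-Coverage($Devices, [string]$Property) {
    $missing = @($Devices | Where-Object { -not $_.$Property })
    [pscustomobject]@{
        Percent = [math]::Round(100 * ($Devices.Count - $missing.Count) / $Devices.Count)
        Gaps    = if ($missing) { $missing.Name -join ", " } else { "none" }
    }
}

function New-QuarterlyReport($Devices, $Risks, [datetime]$AsOf, [int]$PolicyDays) {
    # Patch latency: days from release to install. Unpatched devices are listed, not averaged.
    $patched   = @($Devices | Where-Object Installed)
    $latencies = $patched | ForEach-Object { ((Get-Date $_.Installed) - (Get-Date $_.Released)).Days }
    $unpatched = @($Devices | Where-Object { -not $_.Installed }).Name

    $mfa = Get-Coverage $Devices "Mfa"
    $edr = Get-Coverage $Devices "Edr"

    # Register: only "Treat" decisions carry an action; overdue means open past its date.
    $treat   = @($Risks | Where-Object Decision -eq "Treat")
    $closed  = @($treat | Where-Object Status -eq "Closed")
    $overdue = @($treat | Where-Object { $_.Status -ne "Closed" -and (Get-Date $_.Due) -lt $AsOf })

    [pscustomobject]@{
        ReportDate             = $AsOf.ToString("yyyy-MM-dd")
        MedianPatchLatencyDays = Get-Median $latencies
        PatchedWithinPolicy    = "$(@($latencies | Where-Object { $_ -le $PolicyDays }).Count) of $($Devices.Count)"
        Unpatched              = if ($unpatched) { $unpatched -join ", " } else { "none" }
        MfaCoverage            = "$($mfa.Percent)% (gaps: $($mfa.Gaps))"
        EdrCoverage            = "$($edr.Percent)% (gaps: $($edr.Gaps))"
        RiskActionsClosed      = "$($closed.Count) of $($treat.Count)"
        RiskActionsOverdue     = if ($overdue) { ($overdue | ForEach-Object { "$($_.Id) $($_.Risk) (due $($_.Due))" }) -join "; " } else { "none" }
    }
}

New-QuarterlyReport $devices $risks $AsOf $PatchPolicyDays | Format-List
```

The output is the one page the leadership slot gets: the same fields every quarter, the gaps and overdue actions spelled out by name, and nothing that needs a dashboard to read. Keeping the computation in a script also means the quarter where the numbers look bad costs no more effort to produce than the one where they look good.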

7. Decide on certification deliberately

At some point a customer, tender, or insurer will ask not "do you do this?" but "can someone else vouch that you do?" That's certification - and the right answer is a business decision about your sales pipeline, not a security reflex.

What to do. Work out what your market actually asks for, then match the instrument to it. ISO 27001 certification is the international gold standard and increasingly appears in enterprise and government supply chains - if your growth depends on those deals, the work you've done in Stages 1-4 is most of the management system it requires. SOC 2 matters mainly if you're a software/SaaS business selling to North American customers. Essential Eight maturity claims (self-assessed or independently assessed) carry weight in Australian government-adjacent work. Emerging Australian options like SMB1001 offer a cheaper, tiered entry point worth checking against what your buyers recognise. And if nobody is asking yet: don't certify - keep the program honest and describe it as exactly what it is, "aligned to ISO 27001 and the Essential Eight, not certified." True and free beats certified and premature.

Why it matters. Certification converts your security program into a sales asset - it shortcuts the 200-question form and gets you past procurement gates competitors fail. But it's audit overhead and recurring cost forever after, which is why the decision belongs in the risk register with a named owner and a business case, like every other spend in this guide.

Roughly what it costs. Rough order of magnitude only, quote-driven: ISO 27001 certification for a small organisation typically runs to tens of thousands of dollars over the three-year certification cycle once audit fees and preparation effort are counted - materially less if Stages 1-4 are genuinely done, materially more if a consultant has to build it for you. Tiered schemes like SMB1001 start far cheaper. Self-assessed Essential Eight claims cost only the honesty of the assessment.

Where this maps

The E8 column thickens again at step 5 and stays thin elsewhere - governance is exactly what the Essential Eight delegates to ISO 27001 and CSF 2.0, which is why this guide uses all three. International readers: CIS Controls v8.1 covers this stage primarily in Controls 14 (awareness), 15 (service providers), and 17 (incident response management); the governance frame itself is CSF GV.

| Governance & Maturity step | ASD Essential Eight | ISO 27001:2022 | NIST CSF 2.0 |
|---|---|---|---|
| 1. Named ownership + board line | (Beyond E8 - governance gap) | A.5.2 Roles; clause 5 Leadership | GV.RR Roles & responsibilities |
| 2. Risk register | (Beyond E8) | Clause 6 Risk assessment; A.5.7 | GV.RM Risk strategy; ID.RA |
| 3. One-page policies | (Beyond E8) | A.5.1 Policies for security | GV.PO Policy |
| 4. Supplier security | (Beyond E8) | A.5.19-5.22 Supplier relationships | GV.SC Supply chain |
| 5. E8 ML2 + application control | All eight strategies at ML2 | A.8.19 Software; A.8.8 Vulnerabilities | PR.PS Platform security |
| 6. Metrics + board reporting | (Supports E8 self-assessment) | Clause 9 Performance evaluation | GV.OV Oversight |
| 7. Certification decision | E8 assessed maturity claims | ISO 27001 certification itself | (Outcome of the whole framework) |

End of the ladder - not the end of the work

That's the journey: close the easy doors, harden the logins, watch and rehearse, then govern it so it survives contact with growth, turnover, and time. From here the program runs as a loop, not a ladder: the risk register feeds the plan, the metrics feed the register, the tabletop findings feed both, and the annual policy review keeps the paper matching reality. Threats will shift; a business that can see itself clearly adjusts. That's what "defensible" means - not that nothing will ever go wrong, but that you can show you saw your risks and met them like a business that takes them seriously. Because by Stage 4, you are one.

Doing this with help. Stage 4 is the vCISO's home ground - risk registers, board reporting, policy sets, and certification readiness are the core of the virtual CISO engagement, and the four-stage arc you've just read is exactly how it's delivered. If you'd rather run it yourself: that's what this guide is for, start to finish, free.