How Kloudify’s Essential Eight audit gave Thrive House’s internal IT team a clear roadmap to uplift security controls – strengthening resilience and supporting NDIS audit readiness.
| Organisation | Thrive House – NDIS-registered disability support |
| Audit & Advisory | Kloudify – Essential Eight assessment & remediation roadmap |
| Implementation | Thrive House’s internal IT team – in-house delivery of recommended controls |
| Framework | ACSC Essential Eight |
| Business Driver | NDIS Mid-Term Quality and Safeguards Audit |
| Focus | Security control maturity across identity, devices, applications & data |
The Insight
A credible security uplift starts with an independent view of where you are. Kloudify’s Essential Eight audit gave Thrive House’s internal IT team something no internal review alone could produce: an evidenced, prioritised roadmap – and the confidence to execute it.
A Collaborative Uplift
This is a collaboration between Kloudify and Thrive House’s internal IT team. Kloudify led the independent audit, assessed maturity against the Essential Eight, and produced a prioritised roadmap of controls to implement. Thrive House’s internal IT team took ownership of delivery – translating the recommendations into operational changes across identity, devices, applications, and data, with deep knowledge of the environment and minimal disruption to frontline services.
The result is a joint body of work neither team could have produced alone – an externally-evidenced audit paired with in-house implementation that sticks.
About the Essential Eight
The Essential Eight is a set of baseline mitigation strategies developed by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). It is widely adopted across Australian government and regulated industries as a practical framework for improving cyber resilience. Maturity is assessed across eight control areas, from application control and patching to multi-factor authentication, administrative privilege restriction, and backups.
The Challenge
With the Mid-Term NDIS Audit approaching, Thrive House needed to demonstrate that its information systems were protected to a recognised, measurable standard. Thrive House engaged Kloudify to conduct an independent audit against the ACSC Essential Eight and deliver a prioritised set of recommendations for Thrive House’s internal IT team to implement.
Kloudify’s audit identified four areas where control maturity needed to improve before the external audit:
- Identity controls – multi-factor authentication was not consistently enforced across all accounts, and administrative privileges had accumulated over time.
- Device and application controls – endpoint compliance, application control, and patching cadence varied across the environment.
- Logging and visibility – event logging was not centralised or consistently retained, limiting the ability to detect or investigate incidents.
- Resilience – backup configuration and restoration testing did not yet meet Essential Eight maturity expectations.
None of these findings were unusual for a growing multi-site provider – but each represented a measurable gap against a recognised baseline, and each needed to be closed before the external audit.
The Approach
Kloudify assessed current maturity against each Essential Eight control area and produced a prioritised remediation roadmap – sequenced to uplift the lowest-maturity controls first. Thrive House’s internal IT team then implemented the controls in waves, drawing on deep knowledge of the environment to roll changes out without disrupting frontline services. Kloudify remained available throughout delivery for technical guidance and validation, with each completed control documented in a form suitable for both internal assurance and external audit evidence.
The Solution – Eight Controls, Measurable Uplift
Each Essential Eight area was addressed with specific, evidenced security controls identified in Kloudify’s audit and implemented by Thrive House’s internal IT team.
| Essential Eight control area | Security controls implemented |
| --- | --- |
| Multi-factor authentication | MFA enforced for all user and privileged accounts accessing corporate systems |
| Restrict administrative privileges | Role-based access model, least-privilege baseline, and quarterly access reviews |
| Application control | Allow-listing of approved applications on managed endpoints |
| Patch applications & operating systems | Automated patching cadence with reporting against SLA targets |
| User application hardening | Hardened baseline configuration for browsers, Office macros, and productivity apps |
| Configure Microsoft Office macro settings | Macros disabled by default; exceptions controlled and logged |
| Regular backups | Immutable, offsite backups with tested restore procedures |
| Logging & monitoring (supporting control) | Centralised logging, retention aligned to audit expectations, and alerting on high-risk events |
Supporting Security Controls
Alongside the Essential Eight uplift, several reinforcing controls were put in place:
- Conditional access policies restricting sign-ins to trusted locations and compliant devices
- Endpoint Detection and Response (EDR) deployed consistently across all managed devices
- Email security hardened against phishing and impersonation targeting staff
- Incident-response runbook and documented escalation pathways
“Kloudify’s audit gave us something we couldn’t produce from the inside: an independent, prioritised view of where our gaps were. That clarity made the implementation straightforward – our team knew exactly what good looked like.”
— Jayanth Ienapudi, IT Manager, Thrive House
The Outcomes
- A measurable, defensible security posture
  - Thrive House can now demonstrate its security posture against a recognised Australian baseline, with documented controls and evidence of operation across each Essential Eight area.
- Audit readiness, both internal and external
  - The same controls and evidence pack support NDIS audit requirements and internal assurance reviews. One body of work satisfies multiple reporting obligations.
- A sustainable uplift, not a point-in-time fix
  - Quarterly access reviews, automated patching, centralised logging, and tested backups mean that maturity holds between audits. The controls are designed to be operated, not just implemented.
Impact at a Glance
| Security control indicator | Shift |
| --- | --- |
| Multi-factor authentication coverage | Partial → 100% of user & privileged accounts |
| Administrative privileges | Ad hoc → Role-based, least-privilege, reviewed quarterly |
| Application control on managed endpoints | Not enforced → Allow-listing active across fleet |
| Patching cadence (applications & OS) | Manual / inconsistent → Automated, SLA-reported |
| Device compliance & EDR coverage | Inconsistent → Enforced across all managed devices |
| Centralised logging & retention | Limited → Centralised, retained, and alerted |
| Backup & restore verification | Untested → Immutable, offsite, regularly tested |
| Essential Eight maturity evidence | Not established → Documented & audit-ready |
The Takeaway
An independent Essential Eight audit turns a broad cybersecurity goal into a measurable program of work. Pairing Kloudify’s external assessment with Thrive House’s internal IT team’s delivery proved that the fastest path to a defensible security posture is clarity from the outside and execution from the inside.
About Kloudify
Kloudify helps Australian organisations assess and uplift their security posture against recognised standards – including the ACSC Essential Eight. We conduct independent audits to identify gaps and produce prioritised, practical roadmaps, and we can either hand those findings over to your in-house team (as we did for Thrive House) or implement the controls end-to-end ourselves. Either way, the outcome is the same: a defensible, measurable security posture, delivered without disruption.
We work with NDIS providers, healthcare organisations, and other regulated sectors where security maturity is both a business need and a compliance obligation. To discuss an Essential Eight assessment – or a full audit-plus-implementation engagement – contact us below.

