A repeatable, evidence-based transition methodology.

Built to standardise across government and critical infrastructure. Every phase produces a discrete artefact. Nothing is left as a slide deck.

How we work.

Our methodology is designed for complex, multi-stakeholder environments. Each phase concludes with a reviewable artefact — there are no black boxes, and no dependencies on QSA after the engagement concludes.

The standard engagement runs eight to ten weeks. Organisations with larger estates or more complex governance structures may extend the discovery phase; the remaining phases are consistent in duration.

01 Scoping (Week 1)
Define organisational boundary, asset scope, stakeholder map, and access arrangements. Agree on success criteria and governance for the engagement.

02 Familiarisation (Weeks 2–5)
Workshops and artefact review to understand your estate. This context shapes the guidelines, taxonomy and templates your teams will apply — we do not operate tooling inside your environment.

03 Risk framework (Weeks 6–7)
Tailor the scoring methodology, classification guide and governance patterns to your environment. Map to PSPF, ISM and ASD milestone requirements.

04 Roadmap (Weeks 8–9)
Shape a phase-gated transition planning framework aligned to ASD 2026 and 2030 milestones. Includes vendor engagement guidance and effort-estimation patterns.

05 Governance (Weeks 8–9)
Design the ownership model: RACI templates, review cadences, procurement policy patterns, and exception-handling protocol — so accountability continues after the engagement concludes.

06 Handover (Week 10)
Final artefact review, board briefing delivery, PMO transition. All artefacts are format-agnostic and designed for long-term reference — not just the immediate programme.

01 Artefact-first
Every phase concludes with a standalone, reviewable artefact. Our clients leave with documents — not dependencies on ongoing retainer relationships.

02 Regulator-aware
Every deliverable is structured to anticipate ASD, APRA, and PSPF inquiries. We write for the regulator in the room, not just the internal audience.

03 Engineer-executable
Transition plans include the technical specificity engineers need. Artefacts bridge the board narrative and the backlog ticket — deliberately.

04 Evidence-based sequencing
Migration priorities are derived from risk data, not assumptions. We do not prescribe a standard order — we derive the right one for your estate.

05 Governance continuity
The ownership model we design is built to persist without QSA. We explicitly hand accountability to named internal owners before we leave.

06 Crypto-agile by default
Every architecture recommendation is evaluated against future algorithm agility, not just the current FIPS standards. The next transition should cost less.

In practice.

CRITICAL INFRASTRUCTURE

Crypto-agility strategy for OT/IT convergence

Context

An ASX-listed energy company operating transmission infrastructure across eastern Australia was undergoing a major OT/IT convergence programme when leadership identified PQC migration as an unaddressed risk.

Challenge

Operational technology environments presented unique constraints: long asset lifetimes (15–25 years), limited vendor PQC roadmaps, and safety-critical systems where cryptographic changes required rigorous change management protocols.

Our approach

QSA conducted a dual-track engagement — standard IT discovery running in parallel with a specialist OT assessment. A hybrid classical-PQC transition strategy was designed to allow phased migration without disrupting operational continuity, with vendor engagement templates to accelerate supplier PQC commitments.

Outcomes

01 Complete OT and IT cryptographic inventory — a first for the organisation
02 Hybrid transition strategy aligned to AESCSF v2.0 requirements
03 Vendor engagement framework deployed with 12 critical suppliers
04 Crypto-agility architecture adopted as enterprise standard

"The OT environment made everything harder. QSA understood the constraints and designed a strategy we could actually implement."
CISO, Critical Infrastructure Operations