A repeatable, evidence-based transition methodology.

Built on hundreds of cryptographic engagements across government and critical infrastructure. Every phase produces a discrete artefact. Nothing is left as a slide deck.

How we work.

Our methodology is designed for complex, multi-stakeholder environments. Each phase concludes with a reviewable artefact — there are no black boxes, and no dependencies on QSA after the engagement concludes.

The standard engagement runs eight weeks. Organisations with larger estates or more complex governance structures may extend the discovery phase; the remaining phases are consistent in duration.

01 Scoping, Week 1: Define organisational boundary, asset scope, stakeholder map, and access requirements. Agree on success criteria and governance for the engagement.

02 Discovery, Weeks 2–5: Systematic, tool-assisted cryptographic inventory across on-premise, cloud, and hybrid environments. Interview programme with system owners, architects, and procurement leads.

03 Assessment, Week 6: Risk-score every identified dependency against data sensitivity, data lifetime, and migration cost. Map findings to PSPF, ISM, and ASD milestone requirements.

04 Roadmap, Week 7: Translate the risk register into a sequenced, phase-gated transition plan. Align phases to ASD milestones. Produce effort estimates and vendor engagement guidance.

05 Governance, Weeks 7–8: Design the ownership model: RACI, review cadences, procurement policy, and exception-handling protocol. Ensure continuity after the engagement concludes.

06 Handover, Week 8: Final artefact review, board briefing delivery, PMO transition. All artefacts are format-agnostic and designed for long-term reference — not just the immediate programme.
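To make the Assessment phase concrete, the following Python is an added illustration and is not QSA's tooling or scoring model. It assumes a constructed inventory, constructed sensitivity tiers and weights, and a simple product of two of the three factors the phase names (data sensitivity and data lifetime), with the third (migration cost) used to order work within a risk tier. Symmetric and hash primitives score zero in this simplified model; a real inventory would still review them separately.

```python
"""Risk-scoring a cryptographic inventory (added illustration, not QSA's code).

Every weight, tier name and sample record below is a constructed assumption
chosen to mirror the three Assessment-phase factors: data sensitivity,
data lifetime, and migration cost.
"""
from collections import Counter
from dataclasses import dataclass

# Public-key schemes whose security rests on factoring or discrete logarithms
# and are therefore exposed to a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}

# Constructed sensitivity weights; an engagement would map these to the
# organisation's own classification scheme rather than use these literals.
SENSITIVITY_WEIGHT = {
    "OFFICIAL": 1,
    "OFFICIAL: Sensitive": 2,
    "PROTECTED": 3,
    "SECRET": 4,
}


@dataclass(frozen=True)
class Dependency:
    system: str
    algorithm: str             # e.g. "RSA", "ECDSA", "AES"
    key_bits: int
    sensitivity: str           # a key of SENSITIVITY_WEIGHT
    data_lifetime_years: int   # how long the protected data must stay confidential
    migration_years: float     # estimated effort to migrate this dependency


def lifetime_factor(years: int) -> int:
    """Constructed buckets: short-lived data scores 1, decade-plus data 3."""
    if years <= 2:
        return 1
    if years <= 10:
        return 2
    return 3


def risk_score(dep: Dependency) -> int:
    """Score 0..12: sensitivity weight times lifetime factor for vulnerable schemes."""
    if dep.algorithm not in QUANTUM_VULNERABLE:
        return 0  # symmetric and hash primitives are out of scope of this scorer
    return SENSITIVITY_WEIGHT[dep.sensitivity] * lifetime_factor(dep.data_lifetime_years)


def risk_tier(score: int) -> str:
    """Constructed tier thresholds over the 0..12 score range."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def sequence(inventory: list[Dependency]) -> list[Dependency]:
    """Transition order: highest risk first; cheapest migration first within a score."""
    return sorted(inventory, key=lambda d: (-risk_score(d), d.migration_years, d.system))


def high_risk_summary(inventory: list[Dependency]) -> Counter:
    """Count high-tier dependencies by algorithm and key size (e.g. 'RSA-2048')."""
    return Counter(
        f"{d.algorithm}-{d.key_bits}"
        for d in inventory
        if risk_tier(risk_score(d)) == "high"
    )


# Constructed sample inventory; system names and values are invented.
SAMPLE_INVENTORY = [
    Dependency("records-api", "RSA", 2048, "PROTECTED", 25, 1.5),
    Dependency("records-api", "AES", 256, "PROTECTED", 25, 0.5),
    Dependency("sso-gateway", "ECDSA", 256, "OFFICIAL: Sensitive", 1, 0.5),
    Dependency("legacy-batch", "RSA", 2048, "SECRET", 30, 4.0),
    Dependency("public-site", "RSA", 2048, "OFFICIAL", 1, 0.25),
]

if __name__ == "__main__":
    for dep in sequence(SAMPLE_INVENTORY):
        score = risk_score(dep)
        print(f"{dep.system:13} {dep.algorithm}-{dep.key_bits:<5} "
              f"score={score:2} tier={risk_tier(score):6} migrate={dep.migration_years}y")
    print("high-risk by primitive:", dict(high_risk_summary(SAMPLE_INVENTORY)))
```

Running the block orders the two long-lived RSA-2048 dependencies ahead of everything else and reports them as the high-risk population, which is the shape of finding the Assessment phase feeds into the Roadmap. The migration-cost field deliberately does not lower a dependency's risk; it only decides which of two equally risky items is tackled first.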
01 Artefact-first: Every phase concludes with a standalone, reviewable artefact. Our clients leave with documents — not dependencies on ongoing retainer relationships.

02 Regulator-aware: Every deliverable is structured to anticipate ASD, APRA, and PSPF inquiries. We write for the regulator in the room, not just the internal audience.

03 Engineer-executable: Transition plans include the technical specificity engineers need. Artefacts bridge the board narrative and the backlog ticket — deliberately.

04 Evidence-based sequencing: Migration priorities are derived from risk data, not assumptions. We do not prescribe a standard order — we derive the right one for your estate.

05 Governance continuity: The ownership model we design is built to persist without QSA. We explicitly hand accountability to named internal owners before we leave.

06 Crypto-agile by default: Every architecture recommendation is evaluated against future algorithm agility, not just the current FIPS standards. The next transition should cost less.

In practice.

FEDERAL GOVERNMENT

PQC readiness for national health data infrastructure

Context

A major federal health agency responsible for sensitive citizen health records across a hybrid cloud and on-premise estate needed to understand its cryptographic exposure ahead of the ASD 2026 planning milestone.

Challenge

The agency had no consolidated cryptographic inventory. Dependencies spanned 14 internal systems, 6 cloud SaaS providers, and 3 shared services arrangements. Several systems had been in continuous operation for over a decade.

Our approach

QSA deployed its discovery sprint methodology over five weeks, combining automated scanning with structured system-owner interviews. A bespoke classification framework was co-designed with the agency's data governance team to align inventory output to PSPF sensitivity tiers.

Outcomes

01 2,847 cryptographic artefacts catalogued across the estate
02 34 high-risk RSA-2048 dependencies identified in critical systems
03 Board-ready risk summary delivered in week 8
04 ASD 2026 planning milestone met ahead of schedule

"We had no idea how deep the cryptographic dependencies ran. QSA's inventory gave us our first clear picture — and a plan to act on it."
Deputy Secretary, Digital & Technology