Sydney · Independent Advisory · Est. 2006

Independent vCISO.
ISO 27001 specialist.
Cyber governance for serious organisations.

Executive-grade information security advisory for DEWR providers, not-for-profits and mid-market organisations who need defensible governance, audit-ready controls and a trusted advisor at the table — without retaining a Big Four engagement.

ISO 27001 Lead Implementer · ISO 27001 Lead Auditor · ACSC Essential Eight · Certified in Cybersecurity

By the numbers

19+

Years in IT & Security

6

Consecutive ISO 27001 audits, zero non-conformities

18

Subcontractor RFFR assessments led

ML3

Essential Eight, 5 years sustained

Why clients engage me

A trusted advisor, not a vendor.

CEOs, CIOs, boards and risk committees engage me for clarity, accountability and audit-ready outcomes — without the bloat of a tier-one consultancy.

  • 01

    Independent, not reselling

    No product quotas, no vendor incentives. Advice is calibrated to your risk and budget — not a partner programme.

  • 02

    Operator-grade experience

    Acting CISO and Information Security Manager engagements — I've owned the program, not just audited it.

  • 03

    Audit-tested outcomes

    Six consecutive ISO 27001 surveillance and recertification audits delivered with zero non-conformities.

  • 04

    Government-aligned fluency

    ACSC ISM, Essential Eight, RFFR and DEWR expectations — translated into controls your team can actually run.

Frameworks & expertise

Fluent across the frameworks that matter in Australia.

Deep working knowledge of ACSC, ISO, NIST and Microsoft control sets — translated into pragmatic, auditable programs for organisations operating under government and regulator scrutiny.

ISO/IEC 27001 & 27002 · ACSC Essential Eight · ACSC ISM · RFFR / DEWR · NIST CSF · Zero Trust Architecture · Microsoft 365 & Entra ID · SharePoint Governance · Third-Party Risk · Privacy Act / APP · SOC 2 Concepts · ITIL Service Management

Selected engagements

Outcomes that hold up under audit and scrutiny.

Zero

Non-conformities across 6 ISO 27001 audits

Designed and led the ISMS through six consecutive surveillance and recertification cycles without a single non-conformity.

18

RFFR subcontractor assessments delivered

Led Right Fit For Risk readiness for a DEWR provider and its subcontractor network — uplifted to government expectations.

ML3

Essential Eight sustained for 5 years

Took an organisation from baseline to Maturity Level 3 and held it through hybrid Microsoft and SaaS environments.

Certifications

Credentialed across security, governance and IT.

  • Microsoft Certified Technology Specialist
  • Microsoft Certified IT Professional
  • ISO 27001 Lead Auditor
  • ITIL V3 Certified
  • ISO 27001 Lead Implementer
  • ISO 27001 Internal Auditor
  • ISO 27001 Risk Manager
  • Certified in Cybersecurity (CC)
  • Info Security Lead Professional
  • ISO 27001 Security Executive

How we work together

A measured, four-stage advisory engagement.

  1. 01

    Discovery

    A confidential conversation to understand context, drivers, regulators and the outcome that matters.

  2. 02

    Assessment

    Structured review of current state against the relevant framework — ISO 27001, Essential Eight, RFFR or ISM.

  3. 03

    Roadmap

    A prioritised, costed plan calibrated to your risk appetite, change capacity and certification timeline.

  4. 04

    Execution & Assurance

    Hands-on advisory through implementation, audit and continuous improvement.

Client perspectives

Trusted by leaders who carry the risk.


I had the pleasure of working with him on an IRAP assessment and can recommend him without reservation. His depth of knowledge in Australian Government security frameworks and best practices was invaluable — he guided us through the assessment requirements and helped us implement meaningful security improvements.
ITS Project Manager · Government-contracted provider
He has a remarkable ability to break down complex compliance standards into practical, understandable steps. He worked seamlessly with both technical and non-technical stakeholders, ensuring everyone understood the rationale behind the controls and the value they brought to our security posture.
Project Manager · Employment services sector
Thanks to his meticulous attention to detail, proactive communication, and strategic insights, we achieved IRAP certification with greater confidence in our long-term security capabilities. Beyond IRAP, his expertise in Zero Trust Architecture, ISO 27001 and RFFR further cemented his value as a trusted partner.
Technology Lead · DEWR-aligned organisation
For anyone seeking expert guidance in navigating IRAP assessments or strengthening their overall cybersecurity framework, I can wholeheartedly recommend him. His technical knowledge, dedication and professionalism are second to none.
Senior Manager · Not-for-profit sector

Identities of clients and organisations withheld. Full references available on request under NDA.

Begin the conversation

A confidential discussion about your security posture.

A 30-minute advisory call — no pitch, no scripted discovery. Just a candid conversation about the outcome you need and whether I'm the right person to help you get there.

Sagar Kamra — Independent vCISO, Sydney

All initial conversations are confidential. Engagements operate under NDA where required.