
GovIQ | Methodology

About This Methodology

GovIQ provides a structured self-assessment methodology for evaluating organisational maturity across five Australian and international regulatory frameworks. The methodology is designed to be repeatable, transparent, and anchored to publicly available legislation, standards, and regulatory guidance.

This page explains how scores are calculated, how frameworks are mapped, how benchmarks are derived, and the limitations of the approach. It is intended to support informed use of the tool and to enable independent review of the assessment methodology.

Maturity Scoring Scale

Each control is scored on a five-point maturity scale (0–4). The scale is adapted from established capability maturity models used in information security and governance assessments, including the approach used in ISO/IEC 33001 process assessment and CMMI.

0 (Not in place): No capability exists. The organisation has not addressed this control area.

1 (Ad hoc): Informal or reactive. Some awareness exists but no documented process or consistent practice.

2 (Developing): A documented approach exists but is not yet fully implemented or consistently followed.

3 (Established): A documented, implemented, and regularly reviewed process is in place.

4 (Leading): Optimised, measurable, and continuously improved. Integrated into enterprise risk management.

Score Calculation

Domain scores are calculated as the arithmetic mean of all control scores within that domain. For example, if a domain contains four controls scored 2, 3, 1, and 3, the domain score is (2 + 3 + 1 + 3) ÷ 4 = 2.25.

Overall score is the arithmetic mean of all scored domain averages, not of all individual controls, so each domain carries the same weight regardless of how many controls it contains. All domains are weighted equally; no domain is given preferential weighting. This is a deliberate design choice to avoid embedding subjective risk judgements into the scoring engine. Organisations should apply their own risk-based weighting when interpreting results.

Progress tracking shows the number of controls scored versus the total available controls for the selected assessment mode. Unscored controls are excluded from domain and overall averages — they do not count as zero.
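As an added illustration of the three rules above (this is not GovIQ's own code; the domain and control names are constructed sample data, and using null to mean "not yet scored" is an assumption), the following JavaScript computes domain scores, the overall score and the progress count. It also computes the pooled mean over every scored control, which is not what GovIQ reports, to show why a mean of domain means gives a different number when domains differ in size.

```javascript
// Added example: a reference implementation of the scoring rules described
// above. Not GovIQ's own code. Domain and control names are constructed
// sample data; "null" standing for "not yet scored" is an assumption.

const sampleAssessment = {
  // The page's worked example: (2 + 3 + 1 + 3) / 4 = 2.25
  Governance:     { G1: 2, G2: 3, G3: 1, G4: 3 },
  // One control not yet scored: it is skipped, not counted as 0
  Transparency:   { T1: 4, T2: null, T3: 4 },
  // Nothing scored yet: the whole domain drops out of the overall mean
  DataManagement: { D1: null, D2: null },
};

// A score is valid only if it is an integer on the 0-4 scale.
function isScored(value) {
  return Number.isInteger(value) && value >= 0 && value <= 4;
}

function mean(values) {
  return values.reduce((sum, v) => sum + v, 0) / values.length;
}

// Domain score: arithmetic mean of the scored controls in that domain.
// Returns null (not 0) when no control in the domain has been scored.
function domainScore(controls) {
  const scored = Object.values(controls).filter(isScored);
  return scored.length === 0 ? null : mean(scored);
}

// Overall score: mean of the domain means, every domain weighted equally.
// Domains with no scored controls are excluded rather than counted as 0.
function overallScore(assessment) {
  const domainMeans = Object.values(assessment)
    .map(domainScore)
    .filter((m) => m !== null);
  return domainMeans.length === 0 ? null : mean(domainMeans);
}

// For comparison only: the mean over every scored control, ignoring domains.
// This weights large domains more heavily, which the equal-weighting rule avoids.
function pooledControlMean(assessment) {
  const all = Object.values(assessment)
    .flatMap((controls) => Object.values(controls))
    .filter(isScored);
  return all.length === 0 ? null : mean(all);
}

// Progress: controls scored versus controls presented in the selected mode.
function progress(assessment) {
  const all = Object.values(assessment).flatMap((controls) => Object.values(controls));
  return { scored: all.filter(isScored).length, total: all.length };
}

console.log(domainScore(sampleAssessment.Governance)); // 2.25
console.log(overallScore(sampleAssessment));           // 3.125
console.log(pooledControlMean(sampleAssessment));      // 2.8333...
console.log(progress(sampleAssessment));               // { scored: 6, total: 9 }
```

With this sample the overall score is (2.25 + 4) / 2 = 3.125, while the pooled mean over the six scored controls is 17 / 6 = 2.83; the gap is entirely due to the Governance domain contributing four controls but only one vote.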

Assessment Modes

GovIQ offers multiple assessment modes to accommodate different organisational needs. Each mode determines which controls are presented for scoring.

Mode | Scope | Controls
ADM Transparency | 11 domains covering Privacy Act ADM obligations | 44 controls
Single Framework | One selected framework (e.g., AML/CTF or ISO 27001) | 12–15 controls per framework
Pick & Mix | ADM + selected frameworks combined | 56–110 controls (varies by selection)
Full Suite | All 11 ADM domains + all five frameworks | ~110 controls

Regulatory Frameworks

GovIQ covers five distinct regulatory frameworks. Each framework's controls are derived from the actual legislation, prudential standard, or international standard — not from secondary summaries. The primary sources are cited below.

Australian Privacy Act 2024 Reforms & Privacy Code

The Privacy and Other Legislation Amendment Act 2024 introduces mandatory ADM transparency, a Children's Online Privacy Code, enhanced enforcement powers, and a statutory tort for serious privacy invasions. APP entities must update privacy policies to disclose ADM use by 10 December 2026.

3 control areas, 12 controls

Anti-Money Laundering & Counter-Terrorism Financing

Australia's AML/CTF Act 2006 (as amended) requires reporting entities to identify, mitigate, and manage money laundering and terrorism financing risks. The tranche-two reforms (passed November 2024, Royal Assent December 2024) expand the regime to cover lawyers, accountants, real estate agents, and dealers in precious metals. Automated transaction monitoring and customer due diligence are key ADM intersections.

3 control areas, 12 controls

APRA CPS 230 — Operational Risk Management

CPS 230 is APRA's prudential standard on operational risk management, in force since 1 July 2025. It requires APRA-regulated entities to manage operational risk, ensure business continuity, and manage material service providers. ADM systems are operational assets subject to CPS 230 requirements.

4 control areas, 13 controls

ISO/IEC 27001:2022 — Information Security Management

ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. ISO 27001 certification is widely recognised and increasingly expected by regulators and customers.

4 control areas, 15 controls

ISO/IEC 42001:2023 — AI Management System

ISO 42001 is the international standard for AI management systems (AIMS). It provides a framework for organisations to responsibly develop, provide, or use AI systems. It covers AI governance, risk management, data management, transparency, and continuous improvement, directly complementing ADM transparency obligations.

4 control areas, 14 controls

Cross-Framework Control Mapping

How mappings work: Each control in each framework is tagged with IDs of controls in other frameworks that address substantially similar requirements. For example, an ISO 27001 control for information security policy (A5.1) maps to the Privacy Act governance control (PA-G1), CPS 230 governance (CPS-G1), and ISO 42001 governance (ISO42-G1).

Gap analysis calculation: When you select a "source" framework and a "target" framework, GovIQ counts how many target controls are already mapped to (i.e., substantially addressed by) your source framework controls. The resulting percentage represents estimated control overlap — not compliance coverage. A 36% overlap between ISO 27001 and ISO 42001 means that approximately 36% of ISO 42001's controls have a substantially similar control in ISO 27001, reducing the incremental effort to address both.
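The overlap measure is directional: the share of ISO 42001 controls covered by ISO 27001 is not the same figure as the share of ISO 27001 controls covered by ISO 42001, because the two have different control counts and mapping fan-out. The JavaScript below, added here as an illustration and not GovIQ's own code, computes the overlap in both directions over a constructed mapping table. Only the A5.1 → PA-G1 / CPS-G1 / ISO42-G1 mapping comes from the page; every other control ID and mapping is made up for the example.

```javascript
// Added example: the directional overlap calculation described above.
// Not GovIQ's own code. Only the A5.1 -> PA-G1 / CPS-G1 / ISO42-G1 mapping
// comes from the page; every other control ID and mapping is constructed.

// framework -> controlId -> IDs of substantially similar controls elsewhere
const sampleMappings = {
  ISO27001: {
    'A5.1': ['PA-G1', 'CPS-G1', 'ISO42-G1'],
    'A5.2': ['ISO42-G1'],
    'A8.1': [],
  },
  ISO42001: {
    'ISO42-G1': ['A5.1', 'A5.2'],
    'ISO42-R1': [],
    'ISO42-D1': [],
    'ISO42-T1': [],
  },
};

// Share of target controls that at least one source control maps onto.
// Counts distinct target controls, not mapping edges, so two source
// controls mapping to the same target control add only one hit.
function overlap(mappings, source, target) {
  const targetIds = new Set(Object.keys(mappings[target]));
  const covered = new Set();
  for (const mapped of Object.values(mappings[source])) {
    for (const id of mapped) {
      if (targetIds.has(id)) covered.add(id); // IDs from other frameworks are ignored
    }
  }
  const total = targetIds.size;
  const percent = total === 0 ? null : Math.round((100 * covered.size) / total);
  return { covered: covered.size, total, percent };
}

console.log(overlap(sampleMappings, 'ISO27001', 'ISO42001')); // { covered: 1, total: 4, percent: 25 }
console.log(overlap(sampleMappings, 'ISO42001', 'ISO27001')); // { covered: 2, total: 3, percent: 67 }
```

Note that A5.1 and A5.2 both map to ISO42-G1 but produce a single covered target control; counting edges instead of distinct targets would overstate the overlap.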

Mapping limitations: Control mappings are based on the assessment team's analysis of control intent and scope. They represent reasonable professional judgement, not regulatory or legal equivalence. Organisations should validate mappings against their own control environments and seek independent advice where material decisions depend on overlap estimates.

Benchmark Methodology

Industry benchmarks in GovIQ are indicative estimates, not empirical survey data. They are derived from the following sources:

1. Regulatory enforcement patterns: OAIC determinations, APRA enforcement actions, and AUSTRAC civil penalty proceedings provide insight into common compliance gaps across industries.

2. Industry surveys and reports: Publicly available maturity surveys from professional bodies, consulting firms, and industry associations (e.g., OAIC Australian Community Attitudes to Privacy Survey, APRA information security insights).

3. Regulatory guidance and expectations: OAIC APP Guidelines, APRA CPG 230 (June 2024), AUSTRAC AML/CTF programme guidance, and ISO implementation guidance set baseline expectations that inform estimated maturity levels.

4. Professional judgement: Where empirical data is unavailable, scores reflect professional judgement informed by regulatory practice, consulting experience, and published compliance benchmarking literature.

Benchmarks are provided for contextual comparison only. They are not based on a controlled survey sample and should not be cited as empirical data. Your organisation's actual maturity may differ significantly from these indicative estimates.

Quick Scan Methodology

The Quick Scan is a condensed 10-question assessment designed to provide an indicative maturity snapshot in approximately two minutes. Questions are selected to cover the highest-priority control areas across all five frameworks, with each question mapped to specific legal anchors.

Quick Scan scores use the same 0–4 maturity scale as the full assessment. The overall Quick Scan score is the arithmetic mean of all 10 responses. Because the Quick Scan covers a subset of controls, scores may differ from a full assessment — the Quick Scan is intended as a screening tool, not a substitute for the comprehensive assessment.

Report Generation

PDF reports are generated client-side in the browser. Reports include domain scores, individual control scores, prioritised remediation guidance, authoritative references, and applicable disclaimers. Reports can be white-labelled with an organisation logo.

Remediation guidance is structured into three phases: quick wins (immediate actions), medium-term improvements (3–9 months), and strategic initiatives (9+ months). Guidance is anchored to specific regulatory requirements and industry best practices, with citations to primary sources.

Data Handling & Privacy

GovIQ is a client-side application. All assessment data, including scores, organisation profile, and selected frameworks, is stored exclusively in your browser's local storage. No data is transmitted to any server, database, or third party. Local storage is specific to one browser profile on one device: it is not synchronised anywhere, it persists until cleared, and it is readable by any script that runs in the tool's origin, so treat a shared or unmanaged device accordingly.

Share links encode assessment data directly in the URL using base64 encoding. Base64 is a reversible encoding, not encryption: anyone who obtains the link can decode and view the results, and the URL may be recorded wherever URLs are kept (browser history, bookmarks, messaging previews, proxy and server logs). Treat a share link with the same care as the report itself. Share links do not expire and cannot be revoked, but they may become incompatible with future versions of the tool. Clearing your browser data will remove all locally stored assessment data.
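The following JavaScript is an added illustration, not GovIQ's own code, of what "base64 in the URL" means in practice: the encoder needs no key, so the decoder needs none either, and whatever arrives in a link must be treated as untrusted input and validated before it is used. The payload shape { v, scores }, the framework names, and the use of a "#d=" fragment are assumptions for illustration; the page does not document the real link format.

```javascript
// Added example: encoding and, more importantly, safely decoding a share link.
// Not GovIQ's own code. The payload shape { v, scores } and the use of a
// "#d=" fragment are assumptions for illustration; the page does not
// document the real link format. Decoded link data is untrusted input.

const FRAMEWORKS = new Set(['ADM', 'AML', 'CPS230', 'ISO27001', 'ISO42001']);
const MAX_PAYLOAD_BYTES = 64 * 1024;

function encodeShareLink(baseUrl, payload) {
  const b64 = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
  // Fragment rather than query string: browsers do not send the fragment
  // to the web server, so it stays client-side (it still lands in history).
  return `${baseUrl}#d=${encodeURIComponent(b64)}`;
}

// Base64 is reversible: this decodes without any key or secret, so anyone
// holding the link can recover the data. Validate the structure before use.
function decodeShareLink(url) {
  const match = /^#d=(.+)$/.exec(new URL(url).hash);
  if (!match) throw new Error('no share data in link');
  const b64 = decodeURIComponent(match[1]);
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error('malformed base64');
  const bytes = Buffer.from(b64, 'base64');
  if (bytes.length > MAX_PAYLOAD_BYTES) throw new Error('payload too large');
  return validatePayload(JSON.parse(bytes.toString('utf8')));
}

// Allow-list every field; reject unknown keys, frameworks and out-of-range scores.
function validatePayload(data) {
  if (!data || typeof data !== 'object' || Array.isArray(data)) throw new Error('payload must be an object');
  for (const key of Object.keys(data)) {
    if (key !== 'v' && key !== 'scores') throw new Error(`unexpected field: ${key}`);
  }
  if (data.v !== 1) throw new Error('unsupported payload version');
  if (!data.scores || typeof data.scores !== 'object' || Array.isArray(data.scores)) {
    throw new Error('scores must be an object');
  }
  const scores = {};
  for (const [framework, controls] of Object.entries(data.scores)) {
    if (!FRAMEWORKS.has(framework)) throw new Error(`unknown framework: ${framework}`);
    if (!controls || typeof controls !== 'object' || Array.isArray(controls)) {
      throw new Error('controls must be an object');
    }
    scores[framework] = {};
    for (const [id, score] of Object.entries(controls)) {
      if (!/^[A-Za-z0-9.-]{1,16}$/.test(id)) throw new Error(`bad control id: ${id}`);
      if (score !== null && !(Number.isInteger(score) && score >= 0 && score <= 4)) {
        throw new Error(`score out of range for ${id}`);
      }
      scores[framework][id] = score; // null = not yet scored, kept as-is
    }
  }
  return { v: 1, scores };
}

const link = encodeShareLink('https://example.invalid/goviq', {
  v: 1,
  scores: { ADM: { 'PA-G1': 3, 'PA-G2': null } },
});
console.log(link);
console.log(decodeShareLink(link)); // { v: 1, scores: { ADM: { 'PA-G1': 3, 'PA-G2': null } } }
```

The validator rebuilds the object from allow-listed fields rather than passing the parsed JSON through, so a tampered link cannot smuggle in extra keys, an unknown framework, or a score outside 0–4; a hand-edited score of 7 is rejected in the last assertion of the usage below.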

Limitations & Disclaimers

Self-assessment bias

Scores are based on self-reported responses. Organisations may over- or under-estimate their maturity. Independent verification is recommended for material decisions.

Point-in-time snapshot

Results reflect the state of controls at the time of assessment. Regulatory requirements, organisational controls, and threat landscapes change over time.

No regulatory endorsement

GovIQ is not endorsed by, affiliated with, or approved by any regulatory body including the OAIC, APRA, AUSTRAC, ISO, or any government agency.

Control mapping is indicative

Cross-framework control mappings represent professional judgement about control overlap. They do not constitute legal or regulatory equivalence and should be validated against your specific control environment.

Benchmarks are estimates

Industry benchmarks are indicative estimates derived from public sources and professional judgement. They are not based on a controlled empirical survey and should not be cited as statistical data.

Not a substitute for professional advice

This tool does not replace legal, regulatory, or professional compliance advice. Organisations should engage qualified advisors for compliance programme design and regulatory reporting.

Legal disclaimer: This tool is provided for guidance purposes only and does not constitute legal, regulatory, or professional advice. GovIQ is not endorsed by or affiliated with any regulatory body including the OAIC, APRA, AUSTRAC, or ISO. Results are based on self-reported responses and should not be relied upon for regulatory reporting without independent verification. Organisations should seek independent legal and professional advice regarding their specific obligations.

GovIQ

Multi-framework governance intelligence

© 2026 GovIQ. Methodology documentation v1.0.