How Securitribe’s Sheep Dog vCISO helped a growing Brisbane MedTech firm regain control during a governance crisis and lay the groundwork for ISO 27001 — over a 12-month engagement.
Governance investigation · M365 hardening · ISO 27001 foundations
Ipcium engaged Securitribe during a period of pressure and change, needing support on two fronts at once: an internal governance and access issue that required independent investigation, and a broader uplift of their corporate security posture as the company matured. Growing fast and cloud-reliant, they were also planning ahead for ISO 27001-aligned assurance.
This wasn’t a single technical fix. It required security leadership, governance and practical execution across people, process and technology.
Governance and access risk. An independent, evidence-based investigation was needed to support a Fair Work dispute — and it exposed a deeper issue: scattered critical credentials, with no centralised vault or break-glass process.
Corporate platform gaps. The Office 365 tenancy had only baseline settings, inconsistent backups and limited controls for a growing business.
Immature ISMS foundations. With ISO 27001 on the horizon, the business needed to move from informal practices to documented, repeatable management: policies were missing and there was no information asset register.
A pattern we often see in fast-moving startups:
In short: Ipcium didn’t just need more tools. They needed a security function.
We delivered an independent investigation report underpinning Ipcium’s Fair Work matter — a clear, evidence-based foundation for decisions that helped avoid significant financial impact.
We recovered and validated access to business-critical systems, implemented break-glass accounts, improved control over privileged credentials, and set clear ownership for key platforms.
We tightened Conditional Access, enforced MFA, applied stronger M365 baseline settings, and improved administrative access discipline and review.
We established regular backups across the corporate platform and improved confidence that business data could be recovered when needed.
Continuous security awareness training was rolled out to 100% of staff — technology controls alone aren’t enough.
A practical operating rhythm: reviewing priorities and open actions, tracking control improvements, coordinating with technical teams, and preparing for future assurance. This is where Sheep Dog vCISO made the difference — ongoing leadership, not a one-off review.
We delivered a core Information Security Policy, supporting policies (Access Control, Change Management, Acceptable Use), and an Information Asset Register — practical, usable artefacts aligned to how the business actually operates.
In parallel, we provided security review and architecture guidance for Ipcium’s MedTech SaaS product — strengthening security thinking beyond corporate IT.
Over the engagement, Ipcium moved from a reactive position to a controlled, security-led operating model:
Ipcium gained structure and confidence at a stage of growth where security could easily have become fragmented or reactive.
Many startups and scale-ups have great technical people and strong product momentum but limited security leadership — cloud tools with weak governance, informally managed admin access, no operating rhythm, and compliance ambitions (ISO 27001, SOC 2, customer due diligence) without the internal structure to support them. That’s where Sheep Dog vCISO fits: practical leadership, the right controls, and a repeatable security function that supports growth.
If you’re growing quickly and need stronger governance, platform security and compliance readiness, Sheep Dog vCISO can help. Call 1300 271 407 or book a security review.