Advisory & Strategy

A roadmap that connects identity security to business outcomes.

Most identity strategies fail because they are technology shopping lists, not business plans. We build roadmaps that start with what your organisation needs to achieve, then work backwards to the right controls.

Our approach

What makes a good IAM strategy

The difference between a strategy that drives change and one that sits on a shelf.

|  | Effective strategy | Typical strategy |
| --- | --- | --- |
| Starting point | Business objectives and risk posture | Technology wish list |
| Roadmap | Phased, costed, aligned to budget cycles | Aspirational slide deck |
| Stakeholder buy-in | Board-ready business case included | Technical document only |
| Framework alignment | Mapped to ASD Essential Eight, APRA CPS 234, ISM | Generic best practices |
| Actionability | 90-day quick wins with clear owners | Long-term goals with no accountability |
| Follow-through | Engineering team available to execute | Strategy ends at the PDF |

Industry Research
200+ identity and privilege security projects delivered for Australian organisations across six industries

What we deliver

Six deliverables, one coherent strategy

Each component of the strategy engagement builds on the last.

Current state assessment

Documented inventory of your existing identity and privilege controls, gaps, and technical debt.

Gap analysis

Structured gap analysis against the frameworks relevant to your organisation (ASD Essential Eight, APRA CPS 234, ISO 27001, NIST).

Target architecture

A defined target state for IAM and PAM, including platform choices, integration patterns, and identity governance model.

Prioritised roadmap

A 90-day, 6-month, and 12-month roadmap with clear priorities, dependencies, and effort estimates.

Business case support

Supporting materials for securing budget and executive sponsorship for identity investments.

Framework alignment

Documentation mapping your target state to regulatory and compliance requirements.

Who this is for

Common starting points

Strategy engagements are right for a range of situations.

  • New CISOs establishing a security baseline for their first 90 days
  • Organisations preparing for an APRA, IRAP, or ISO 27001 audit
  • Boards or executives requesting a structured security posture report
  • Organisations planning a major platform migration (Entra ID, BeyondTrust)
  • Post-incident reviews requiring a thorough identity control assessment
  • Mergers or acquisitions requiring identity consolidation planning
FAQ

Common questions

Typically four to six weeks from kickoff to final roadmap delivery, depending on the scope and complexity of your environment.
We align to the frameworks most relevant to your organisation. For Australian government: the ASD Essential Eight, IRAP, ISM, and PSPF. For financial services: APRA CPS 234. For critical infrastructure: SOCI Act obligations. For broader enterprise: ISO 27001, NIST CSF, and NIST SP 800-53. We can also align to SOC 2 for organisations with US market requirements.
IAM (Identity and Access Management) covers how all users authenticate and what they can access. PAM (Privileged Access Management) focuses specifically on controlling, monitoring, and auditing elevated access. Most organisations need both, and the strategies should be aligned. We deliver them as a single, integrated roadmap.
Several Essential Eight controls directly relate to identity: restricting administrative privileges, multi-factor authentication, and application control. An IAM and PAM strategy maps your current maturity against these controls and provides a roadmap to reach your target maturity level.
Yes. We review any existing security policies, architecture documents, audit findings, and risk registers as part of the current state assessment. We build on what you have rather than starting from scratch.
Yes. The strategy engagement includes business case support materials that map identity investments to risk reduction, compliance requirements, and operational efficiency. These are designed to be presented to executive leadership and board-level stakeholders.
A strategy engagement often precedes an engineering delivery. The roadmap defines what should be built and in what order. Our engineering team is available to execute against the roadmap, including privileged access management and workforce IAM and identity governance, so there is no gap between strategy and implementation.
Zero Trust is a security model that assumes no user or device should be trusted by default, regardless of their location. Identity is the foundation of Zero Trust. An IAM strategy defines how your organisation implements Zero Trust principles through Conditional Access, privileged access controls, device trust, and continuous verification.

Build a roadmap that actually gets delivered

Start with a conversation about where you are and where you need to be.
