Queensland Startup Deploys AI to Tackle Compliance Crisis

When the headlines fade after the latest mega data breach, the ripple effects are still keenly felt across enterprise and government supply chains. Many suppliers are now faced with meeting strict mandates such as ISO 27001 certification to continue doing business. When added to the demands of the new Privacy Act and Essential Eight cybersecurity framework, the compliance challenge is becoming enormous.

A new breed of companies offering Compliance Automation Platforms has emerged to meet this challenge. Global players such as Vanta, Drata and Secureframe promise an expedited path to SOC 2 and ISO 27001 compliance, reducing certification timelines from months to weeks. Australian contender 6clicks secured a $A10 million investment from a venture capital firm in 2022.

These platforms offer automated evidence collection, risk management modules, continuous monitoring capabilities, integration with existing security tools, and centralized policy and procedure management.

Australia's de.iterate, a Queensland startup founded by experienced CIO and cybersecurity professional Andrew Lawrence, offers its own framework to demystify and streamline data privacy and cybersecurity compliance. The platform promises to make compliance with standards such as ISO 27001 (information security management), the Privacy Act, and the Australian Cyber Security Centre's Essential Eight stress-free and accessible.

de.iterate has recently launched a new AI capability designed to support a range of compliance standards, with particular focus on the needs of Australian organizations operating under local regulatory requirements. Integrated directly into the de.iterate platform at no additional cost to users, this AI capability brings intelligent automation and real-time insights directly into workflows.

Four Key AI Functions

The AI capability offers four primary functions:

Documentation Intelligence scans uploaded documents to extract key commitments and identify policy inconsistencies;

Risk and Control Mapping suggests consistent risk wording and control recommendations;

Audit Readiness Tools review evidence before submission to certification bodies; and

Realtime Compliance Answers provide framework-specific guidance for immediate questions.

The platform supports multiple compliance standards relevant to Australian organizations, including ISO 27001, ISO 9001, ISO 45001, ISO 14001, SOC 2, Essential Eight, Defence Industry Security Program (DISP), and the reformed Australian Privacy Act effective in 2025. The solution also streamlines certification to global information security and data privacy standards like ISO 27701, SOC 2 and NIST.

The solution uses both Claude and OpenAI's GPT models, although Lawrence emphasizes that the AI capability is an opt-in feature for de.iterate customers.

"It's not enabled by default, so customers will enable the feature. We want to make sure they're happy with it," Lawrence explains. "Then they can upload their compliance documentation and we have the models run through it to see if there's any commitments they've made that might have been missed."

Lawrence describes the core challenge: "Policies and procedures are all about businesses committing to doing things. A lot of the time, businesses don't necessarily read that documentation because it's boring and horrible. So, the de.iterate platform is built around extracting those tasks that you have to do to demonstrate you've implemented the concept, making sure they're getting done and don't slip through the cracks."

The AI automation identifies additional commitments that customers might have overlooked. "It's providing suggestions and the customer can say 'Yes please, I want that done' or 'No thank you, I'm fine to not have that,'" Lawrence says.

"There's still the human in the loop who's reviewing the extract and deciding whether it's a good idea. In early trials we've had customers come through and say, 'Oh, I thought I deleted that from my policies. I'll go back and delete it, and then we'll reupload it again.'"

This approach acts as a quality assurance check that businesses would typically obtain through expensive professional services.

"What we're doing is enabling the customer to have that functionality without paying for professional services, which in cybersecurity is quite expensive. This helps reduce costs while still getting the outcome they want and keeping them informed each step of the way."

Lawrence is careful to position AI as a tool rather than a silver bullet. "AI is just another tool in the toolchest. We are not promoting it as an all-seeing, all-doing solution that you can hand over to AI and let it go. I don't advocate for automating compliance completely."

Market Drivers and Growth

Since founding the company in 2021, Lawrence has made a conscious decision to employ, host and develop locally while focusing on the SME market. However, big business incidents like the Qantas breach are driving demand for compliance certification from suppliers throughout the supply chain.

"Certainly, we have people reaching out after these big events because they either are conscious that they don't want to be the next headline, or perhaps they're in the supply chain to some of these businesses and they know that post-data breach, most of the supply chain will get heavy-handed compliance requirements," Lawrence explains.

"But we're also seeing supply chain across Australia getting compliance requirements driven to them anyway. For instance, local and state governments are pushing compliance as a barrier for getting access to vendors and contracts. Insurance companies have started to mandate their supply chain is ISO 27001 compliant. I think we're already seeing that evolution happen."

de.iterate's local focus extends to prioritizing Australian-relevant standards.

"We don't see a lot of demand for SOC 2 in Australia. It is an American standard actually run by the American Institute of Certified Public Accountants (AICPA), and to assess somebody's compliance with SOC 2, you need to be a Certified Public Accountant. From that perspective, having somebody in Australia engage an American CPA to assess their compliance doesn't seem like a logical choice."

Scaling Beyond SMEs

While solving compliance complexity for the SME market has fuelled de.iterate's early growth, the company is now moving up-market. It recently completed a rollout to a Queensland state government agency.

"That was really nice to get de.iterate into a government department, and we've got a couple of enterprises who've picked it up recently," said Lawrence. "It's not to say we're pivoting into enterprise, but I guess we can bridge both sides of that market now."

"We were under the distinct impression we would need to be a bigger company to support them, but as we've grown over the years, we've started to see that we do have the capability."

The company maintains democratic pricing. "We actually have a flat pricing model, so we don't charge extra for enterprise. We charge what we charge, and the idea is it doesn't matter if you're a mining company or a fish and chip shop – you should still get access to a solution to make compliance simpler."

The company is offering early access to the AI features for organizations interested in providing feedback before the full launch. Interested parties can register by contacting hello@deiterate.com.

Future development plans include expanding the AI's capabilities to take autonomous actions such as fetching integration data, completing assurance tasks, and automatically building compliance frameworks.

https://deiterate.com/