Frontrow Technology

Free tool · 5 minutes · Compliance


10 questions · 5 domains

Notifiable Data Breach Readiness Check

Under the NDB scheme you have 30 days from awareness to assess whether a breach is notifiable, and you must then notify OAIC and affected individuals as soon as practicable. Score whether your Microsoft 365 tenant can detect, scope, notify, remediate and improve fast enough to meet the clock. Pick the option closest to your tenant today.

Domain 1

Detect

Mean time to detect a personal information breach. Without detection, the 30-day clock never starts and the breach gets discovered when an affected individual raises it.

  • What's your estimated mean time to detect a personal-information breach in your M365 tenant?

    Source: OAIC Notifiable Data Breaches Report (median discovery times); Microsoft Learn: Microsoft Defender XDR.

  • What's your Purview Audit log retention?

    Source: Microsoft Learn: Microsoft Purview Audit (Premium); Audit log retention policies.

Domain 2

Scope

How quickly you can determine which individuals' personal information was accessed, exfiltrated or modified. The scoping work is what feeds the OAIC notification.

  • Can you reconstruct the scope of a data exposure (which files accessed, by whom, exfiltrated where) within 7 business days?

    Source: Microsoft Learn: Microsoft Purview eDiscovery (Premium); Microsoft Defender for Cloud Apps file investigation.

  • Can you determine which categories of personal information were involved (health, financial, government identifier) without a manual file-by-file review?

    Source: Microsoft Learn: Microsoft Purview sensitive information types; Trainable classifiers in Microsoft Purview.

Domain 3

Notify

Whether you have a documented notification flow, OAIC contact established, communications templates ready, and legal review pre-arranged.

  • Do you have a documented notifiable data breach response runbook covering OAIC notification, individual notification and stakeholder communications?

    Source: OAIC Notifiable Data Breaches scheme — entity guidance; Privacy Act 1988 s 26WK (notification timing).

  • Are individual notification templates pre-drafted and legally reviewed?

    Source: OAIC: Notifying individuals about an eligible data breach; Privacy Act 1988 s 26WL.

Domain 4

Remediate

Whether the organisation can contain the breach (rotate credentials, revoke tokens, disable accounts, isolate devices) within hours, and preserve evidence for forensic analysis.

  • Do you have containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint)?

    Source: Microsoft Learn: Investigate and respond to incidents in Microsoft Defender XDR; Microsoft Sentinel automation rules and playbooks.

  • How is evidence preserved during containment to support OAIC investigation and post-incident review?

    Source: Microsoft Learn: Microsoft Purview Audit; Microsoft Defender for Endpoint live response; ISO 27037 digital evidence handling.

Domain 5

Continuous improvement

Whether tabletop exercises run, post-incident reviews update controls, and OAIC published trends inform internal control updates.

  • When did you last run a tabletop exercise for a notifiable data breach scenario?

    Source: OAIC Notifiable Data Breaches Report (sectoral trends); ASD Cyber Incident Response Plan guidance.

  • After a real or simulated incident, how are control updates tracked through to closure?

    Source: ASD Cyber Incident Response Plan guidance; ISO 27035 information security incident management.

This is an indicative self-assessment. It is not a substitute for an incident readiness exercise or legal advice. Frontrow Technology offers a Notifiable Data Breach readiness review with a tabletop exercise.

What the check covers

Five operational areas. One NDB readiness posture.

Area 1

Detect

OAIC reports that the median time from breach to discovery is 60+ days for organisations without managed detection. Detection requires logging (Purview Audit, Defender XDR, Sentinel), tuned alerts on credential abuse and data exfiltration, and a 24/7 escalation path. Detection capability under-investment is the most common single failure point in NDB cases.

Area 2

Scope

Scoping requires Purview Audit Premium retention (1 year vs 90 days standard), eDiscovery Premium for content reconstruction, and Defender for Cloud Apps file activity timelines. Most AU mid-market tenants run Purview Audit Standard, which limits investigation to events within the last 90 days. By the time a breach is discovered, the relevant logs have aged out.

Area 3

Notify

The NDB scheme requires notification 'as soon as practicable' after assessment. In practice, organisations that haven't pre-built notification templates and legal review processes burn 7–14 of their 30 days drafting communications. Mature organisations have OAIC online form fields pre-mapped, individual notification templates by data type, and a legal review SLA of 24 hours for breach communications.

Area 4

Remediate

Containment requires runbooks for the common attack patterns: credential compromise (rotate the password, revoke refresh tokens, force re-MFA), service principal compromise (rotate secrets, audit recent activity), endpoint compromise (isolate the device with Defender for Endpoint). Without runbooks, remediation actions either don't happen or destroy evidence, for example by overwriting logs or re-enabling accounts before forensic capture.
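As an added example, not Frontrow's code or a Microsoft-published runbook, the script below shows the evidence-first ordering for the compromised-user pattern using the Microsoft Graph PowerShell SDK: export the sign-in history, registered authentication methods and devices before any account change, then block sign-in and revoke refresh tokens. The UPN and case folder are placeholders, and the re-MFA step is left for the analyst after reviewing the exported methods for attacker-added entries.

```powershell
# Added example (not the page's or Microsoft's own runbook).
# Assumes the Microsoft.Graph modules are installed and the caller holds the scopes below.
param(
    [string]$Upn     = "user@example.com",   # placeholder, constructed for this example
    [string]$CaseDir = "C:\IR\CASE-0000"     # placeholder evidence folder
)

Connect-MgGraph -Scopes "AuditLog.Read.All","User.ReadWrite.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Preserve evidence BEFORE touching the account. Disabling or revoking first
#    changes what later queries return and muddies the timeline OAIC will ask about.
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -All |
    Export-Csv -Path (Join-Path $CaseDir "signins.csv") -NoTypeInformation

# Authentication methods: review this export for methods the attacker registered
# (extra phone numbers, authenticator apps) before forcing re-MFA.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    ConvertTo-Json -Depth 5 | Set-Content (Join-Path $CaseDir "auth-methods.json")

Get-MgUserRegisteredDevice -UserId $user.Id |
    ConvertTo-Json -Depth 5 | Set-Content (Join-Path $CaseDir "devices.json")

# 2. Contain: block new sign-ins, then invalidate existing refresh tokens so
#    cached sessions on attacker devices die as well. Disabling alone leaves
#    already-issued tokens valid until they expire.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Record what was done and when; these timestamps feed the "steps taken"
#    section of the OAIC notification and the 30-day assessment record.
$ts = (Get-Date).ToUniversalTime().ToString("o")
"$ts contained $Upn : AccountEnabled=false, sign-in sessions revoked" |
    Add-Content -Path (Join-Path $CaseDir "actions.log")
```

Hash the exported files once written so the evidence folder can be shown to be unchanged during the post-incident review.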

Area 5

Continuous improvement

Mature organisations run a tabletop exercise annually using a recent OAIC-published breach as the scenario. Post-incident reviews update detection rules, runbooks and training. The NDB scheme is iterative: every quarter OAIC publishes the breach pattern data; mature organisations use it to recalibrate.

Frequently asked questions

What Australian IT, security and compliance teams ask.

What is the Notifiable Data Breaches scheme?

Australia's Notifiable Data Breaches scheme (introduced 2018, expanded by Privacy Act amendments through 2026) requires entities covered by the Privacy Act to notify the OAIC and affected individuals when an eligible data breach occurs. An eligible breach is one where there is unauthorised access, disclosure or loss of personal information that is likely to result in serious harm. Assessment must occur within 30 days of becoming aware. Notification must occur as soon as practicable after assessment.

What's the 30-day clock?

Privacy Act s 26WH gives entities 30 days from awareness of a suspected eligible breach to assess whether it is in fact a notifiable breach. The clock runs against the entity even if the investigation is hard. Most AU mid-market organisations cannot meet this — discovery often happens via the affected individual, scoping requires audit logs that have aged out, and the notification flow has never been rehearsed. The first time an organisation tries to do this for real is typically the breach itself.

What's the difference between this tool and a board-level cyber risk briefing?

The Board Risk Briefing tool covers the strategic position across Copilot governance, Essential Eight, Privacy Act 2026 and AI vendor risk — it's pitched at directors. The NDB Readiness Check is the operational layer underneath: can your IT and security operations actually detect, scope, notify, remediate and learn within the regulatory window. A board can be aware of the risk and still be exposed if the operational readiness isn't there. Most organisations need both views.

What licensing do I need to be NDB-ready in Microsoft 365?

The minimum useful baseline is Business Premium for SMB, or M365 E3 plus Defender add-ons for enterprise; that gives you Defender XDR, basic Purview Audit and Sentinel-ready logs. To meet the scoping clock comfortably you need Purview Audit Premium (1-year retention) and eDiscovery Premium for content reconstruction, both of which sit in E5 / E5 Compliance. For 24/7 detection you need an in-house SOC, an MSSP, or a managed detection service. Frontrow's standard recommendation is E5 Compliance plus a managed detection partner for organisations handling significant personal information.

What are the most common NDB scheme failure points?

OAIC's quarterly reports show consistent patterns: (1) discovery through the affected individual rather than internal detection — often months after the breach; (2) scoping unable to determine which individuals were affected because audit logs aged out; (3) notification delayed because templates and OAIC submission flow weren't pre-built; (4) remediation actions overwriting evidence needed for investigation; (5) recurrence because post-incident reviews didn't update controls. The five domains in this tool map directly to these failure points.

Does Microsoft 365 give me the breach assessment evidence OAIC asks for?

Yes, if configured correctly. OAIC notifications require describing the kind of breach, the kinds of information involved, and the steps taken. Microsoft Purview Audit (with 1-year retention) gives you the access log evidence. eDiscovery Premium reconstructs the content involved. Defender XDR shows the attack pattern. Defender for Cloud Apps gives the cross-app file activity timeline. Without these, you are explaining the breach to OAIC with no evidence — which is itself a finding.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Privacy Act 1988 (as amended through 2026 reforms); OAIC NDB scheme guidance and quarterly NDB reports; Microsoft Learn for the underlying technical controls (Purview Audit, eDiscovery, Defender XDR, Sentinel). Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's Managed Identity & Information Protection service include?

Quarterly NDB readiness review with an annual tabletop exercise based on the latest OAIC-published breach pattern. Audit log retention configured and rehearsed. eDiscovery investigation playbooks. Notification templates kept current. Containment runbooks for the common patterns. Post-incident control updates tracked through to closure. Monthly delta report for the IT lead, quarterly board-grade summary.