Kapish and the wider Citadel Edge company, was selected to work in partnership with the Yoorrook Justice Commission (Yoorrook) based on our innovative Commission as a Service (CaaS) model of integrated services that include; IT as a Service (ITaaS), ISM-PROTECTED cyber security services, vCISO cyber security leadership, records management, AV/VC collaboration technology, and comprehensive building and physical security services.
The security offering included with CaaS provided the necessary mechanisms to ensure Yoorrook’s data was protected to an appropriately managed level. This included access to our virtual Chief Information Security Officer (vCISO) service to provide strategic leadership and guidance to the Commission. Access to advisory support enabled the Commission to understand, apply, and measure security frameworks, reinforcing its commitment to information security.
Need for secure, scalable operations
Yoorrook was established as Victoria’s first and only formal truth-telling process into injustices experienced by First Peoples since colonisation, needed to establish a reliable, secure, high performing operating environment capable of supporting intense workloads, sensitive information management, and rapid organisational scaling.
Compounding this, Yoorrook faced the urgent need to stand up core services within weeks, first in temporary accommodation, followed by a seamless transition to its long-term premises. With a small core team that grew during peak periods, Yoorrook required a fully managed service that could flex without compromising continuity, cyber risks, data protection, or regulatory expectations.
Implementing a commission-as-a-service model
The CaaS model was delivered and managed by Kapish, incorporating integrated services from within Kapish and Citadel Edge. This approach enabled rapid mobilisation and the coordinated delivery of a complete suite of technology and security services through a single, streamlined provider.
This integrated model delivered three key services for Yoorrook:
- Kapish deployed a fully managed IT as a Service (ITaaS) environment to support a high‑functioning office, ensuring reliable, scalable technology across Yoorrook’s lifecycle. This allowed the organisation to operate efficiently during both steady‑state and peak periods.
- To further strengthen the security posture, Kapish and Citadel Edge delivered ISM‑PROTECTED Cyber Security Services designed to help safeguard information, maintain control integrity, and provide continuous visibility across the environment. These services were structured to help identify, protect against, detect, and respond to potential security threats and malicious activity.
- As part of the engagement, Kapish and Citadel Edge provided a virtual Chief Information Security Officer (vCISO) service, giving the organisation access to strategic leadership and guidance. The vCISO function applies our balanced “four-face” model of strategist, advisor, technologist, and guardian, to ensure that security governance, operational priorities, and control alignment were effectively managed throughout Yoorrook’s operations.
The tailored CaaS solution enabled Yoorrook to establish a fully operational, secure, and scalable environment in a short timeframe. The integrated ITaaS, ISM‑PROTECTED security services, and vCISO leadership ensured that technology, governance, and security remained aligned throughout Yoorrook’s lifecycle. The result was a resilient operating environment capable of supporting high‑volume workloads, handling sensitive information, and meeting the heightened expectations of a Royal Commission.
Enhanced security, stronger governance, and organisational agility
With a coordinated, end-to-end managed service in place, Yoorrook operated with confidence, stability, and clear oversight. The approach supported consistent service delivery during peak periods, improved visibility of the security landscape, and provided structured leadership around governance and cyber priorities. Benefits delivered using the CaaS solution:
- Rapid mobilisation of a complete, secure operating environment
- Single provider coordination, simplifying management and reducing overheads
- Scalable services to support workforce expansion during peak activity
- Improved security posture through ISM‑aligned controls and 24/7 security monitoring and alerting
- Incident Response to security anomalies
- Strategic cyber leadership via the vCISO function
- Consistent, reliable operations across the full lifecycle
- Clear governance and oversight, supporting regulatory expectations
