Our People


Darren is a Director and National Head of Cyber Security and Privacy Risk Services.

Darren has over 17 years of experience in IT internal audit, technology risk consulting, security advisory and data analytics. A qualified Internal Auditor, IT Internal Auditor, Certified Information Systems Auditor (CISA) and previous Payment Card Industry Data Security Standard Qualified Security Assessor (PCI DSS QSA), Darren combines deep cyber risk knowledge with high-impact communications to C-suite and board levels.

Darren has delivered security and privacy assessments across multiple countries for large multinational corporations, and locally for Australian-based organisations in both the public and private sectors across all industries. He has worked on an extensive range of technology risk management projects including technical security assessments, governance and strategy, cybersecurity, information security, data privacy, digital strategy, data governance, technology risk assessments, application/ERP control effectiveness, cloud security assessments, cloud risk strategy, IT project risk, change management, third-party risk, continuity, IT service delivery and compliance.

Prior to joining RSM, Darren worked for a global internal audit and risk consulting firm for over 12 years in London and Melbourne, where he led the Melbourne office’s IT Internal Audit, Technology Risk and Data Analytics solutions.

Darren Booth is a Partner of RSM Australia Partners and a Director of RSM Australia Pty Ltd.

Significant Projects

  • RSM Australia recently completed the first Consumer Data Right (CDR) information security accreditation for a FinTech (non-ADI Open Banking) and Darren was the lead assurance practitioner for the independent assurance report (ASAE 3150). This involved assessing the design and implementation of controls for Part 1 and Part 2 of Schedule 2 in the CDR Rules.

  • Led the GDPR and Australian Privacy Principles implementation project for an Australian headquartered international cosmetics retailer. The engagement was subsequently expanded to include a new POS risk assessment and a PCI DSS advisory project.
  • Performed a cybersecurity assessment of a diverse conglomerate, benchmarking against a matrix framework based on ISO27000 series and the NIST Cyber Security Framework. The assessment also included the effectiveness of specific controls outlined in the ACSC Essential Eight, ACSC Top 35 and CIS Critical Security Controls Top 20.
  • Assessed the implementation of a Microsoft Azure and AWS multi-cloud environment, using the Cloud Security Alliance (CSA) guidance, CIS Benchmarks, and AWS Security Best Practices and Well Architected Framework.
  • Led multiple cybersecurity engagements for an online private health insurer, including vulnerability assessments and penetration tests (VAPT). These included the implementation of an information security management system to facilitate alignment with ISO27000 and compliance with APRA CPS 234, taking into account unique risks related to their e-commerce environment and organisation size.
  • Evaluated compliance against the Victorian Protective Data Security Standard (VPDSS) and the Australian Government Information Security Manual (ISM). Developed a roadmap to compliance based on gaps identified and remediation of quick wins.


  • Professional Member of Institute of Internal Auditors (IIA)
  • Member of Information Systems Audit and Control Association (ISACA)


  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • Internal Audit Quality Assessment Reviewer
  • Masters of Engineering and Management (University of Manchester)

News articles

Happy St. Patrick's Day

17 March 2020
We sat down with Darren Booth, National Head of Security and Privacy Risk Services, to discuss all things St. Patrick's Day.  What is the significance of St. Patrick's Day? If I was to sum up Paddy’s Day in a couple of words, it would be a ‘celebration of everything Irish’. I grew up in ‘the troubles’, but I always remember P...

Using the Office of the Australian Information Commissioner (OAIC) CDR Privacy Safeguard Guidelines as a FAQ

30 September 2021
There is a lot of reading to do if you want to receive and use Consumer Data Right (CDR) data for Open Banking or Open Energy. Regardless of whether you are an ADI or non-ADI, unrestricted Accredited Data Recipient (ADR), sponsor, affiliate, representative agent or an outsourced service provider (OSP) you must demonstrate compliance with informa...

Submission to Treasury on Consumer Data Right rules amendments

10 August 2021
RSM's experience in completing Consumer Data Right (CDR) information security accreditation reports and applications has informed a recent submission to Treasury on CDR rules amendments. Overarching approach to information security assurance Based on the experience of APRA for compliance with CPS 234, organisations do not know how to comply w...

Risk Insider Newsletter - Edition #8

8 June 2021
After a slow start, investor and regulator attitudes towards environmental sustainability have started to evolve. It is no longer seen as just a nice to have - changing regulations mean environmental sustainability credentials will have a significant impact on investment decisions. 

Small Business Cyber Security Guide

23 March 2021
In February 2021, the Australian Cyber Security Centre (ACSC) released a Cyber Security Guide tailored for small businesses. The guide has been developed to assist small businesses to protect themselves from falling victim to common cyber security incidents. The guide is part of the Small & Medium Business Cyber Security suite of articles t...

Risk Insider Newsletter - Edition #7

1 March 2021
As cybersecurity continues to affect the bottom line of many companies, the need to continually assess and improve your security posture is paramount. As cybersecurity threats and data security events continue to evolve, understanding the costs and resources necessary to respond to a data breach is essential.

Cybersecurity for farmers and the agricultural industry

27 January 2021
As farmers and rural communities transition towards greater reliance upon online technologies, the need to protect both their personal and organisational data is paramount. Farming and agriculture organisations must be aware of and protect themselves against the many cyber risks that come with both the standard organisational aspects (emails ...

Beware of scammers this holiday season

2 December 2020
The run up to Christmas is a lucrative period for retailers, as people look to stock up with promotional offers that coincide with Black Friday and Cyber Monday. AUD $28.09 bn of goods were purchased in 2019. All that money changing hands now puts the scammers back on the horizon, where they target online shoppers with fraudulent emails and fak...

Consumer Data Right Options

4 September 2020
As the CDR ecosystem expands, organisations are asking what models are available to access the Consumer Data Right (CDR) Open Banking data. A summary of options available for product owners is outlined below. Accredited Data Recipient (ADR) Standard approach to CDR Rules and accreditation, with the ADR enabling consumers to access Open Bankin...

RSM's Consumer Data Right (CDR) submission

30 July 2020
As the Consumer Data Right (CDR) Rules continue to evolve, RSM submitted a response to the request for submissions related to the draft ‘intermediary’ Rules, which were published in June 2020. Given significant changes to the Rules are unlikely to occur prior to a tiered accredited data recipient (ADR) model being implemented, we focuse...

Risk Insider Newsletter - Edition #5

29 July 2020
Audit Committees, Senior Executives and Boards need to understand the impact of the coronavirus pandemic on internal controls. The pandemic has caused many to transition to a work-from-home arrangement, and your most important internal controls may not have kept pace with these rapid process changes. Now is the time to ensure that any issues with underlying transactions, data or controls are identified and corrected, to prevent misappropriation or fraudulent activities.

Consumer Data Right (CDR) information security accreditation

23 June 2020
Obtaining assurance on the security of your CDR data environment. With CDR going live on 1 July 2020, Accredited Data Recipient (ADR) applicants must demonstrate the security effectiveness of their people, processes and technology. The key is to demonstrate security, whilst minimising the cost. What security controls are needed? The Cons...

Cyber security - what's old is new again

11 June 2020
User credentials of millions of users have been compromised over the years as a result of cyber incidents. Yahoo, LinkedIn, Facebook and eBay are just some of the breaches that are commonly known. There are millions of user names and passwords available on public forums as well as the deep and dark web for criminals to harvest and use, and the mali...

Real estate organisations are a new target as cyberthreats continue to grow

25 May 2020
With the magnitude of security and data breach cases highlighted regularly in the media, most executives of real estate companies are aware that they will likely become a victim of a cyberattack. The First National Real Estate group suffered a data breach in January 2019 when their recruiting company, Sales Inventory Profile, failed to sec...

Which security framework is right for you?

1 May 2020
With significant data breaches and cyberattacks making headlines almost on a daily basis, many organisations have realised the need for more effective security measures. Any breach or attack can result in significant harm to an organisation’s reputation and their customers, as well as resulting in regulatory fines, lawsuits and lost business. ...

COVID-19 and a remote workforce - steps to securing your organisation against cyber-attacks

24 March 2020
The global fear surrounding COVID-19 has forced many organisations to develop ‘Coronavirus Plans’ and consider alternate working methods. In an effort to protect the health of employees during this uncertain time, it is also critical to consider the cyber security health of your organisation.   Malicious attackers across the world ...

Fundamental considerations for digital assets

29 January 2020
Digital assets like cryptocurrencies are a new asset class with a volatility and global availability that excites the investment community. However, the ownership of digital assets comes with risks and its own set of compliance responsibilities. Organisations using cryptocurrencies must ensure their holdings are taxed appropriately, are complian...

How secure is your Managed Service Provider (MSP)?

13 January 2020
Many organisations currently outsource their information technology services to a Managed Service Provider (MSP), with the uptake of organisations engaging an MSP increasing significantly over time. No longer are organisations able to effectively manage their technology infrastructures in-house due to insufficient resources, increasing costs an...

Cyberthreats: More about people than IT

19 December 2019
Health care companies must train staff to be vigilant around security.  When cyber security fails in a health care setting, the outcomes can be catastrophic. Patients can become a victim of identity theft and insurance fraud, two of the many forms of crime that can occur when health care IT systems are compromised by malicious attackers. ...

Cyber Liability Insurance for small to medium enterprises

13 December 2019
To insure, or not to insure? Cyber Liability Insurance, that is the question. Cyber-attacks are becoming increasingly sophisticated and organisations are struggling to stay ahead of the latest threats to their business operations. Malicious attackers are persistent in seeking out vulnerabilities in the IT environments of small to me...

15 Ways to Improve Cyber Security - Ebook

12 December 2019
Experts predict that worldwide, cybercrimes of all kinds will cause losses of $6 trillion annually by 2021. The biggest cyber security threats to the middle market currently include ransomware, social engineering, business email compromise and data loss from advanced persistent threats. We all know from experience that cyber security is chan...

Cyber Security Tips for SME Technology Enterprises

4 December 2019
Five ways Technology, Media and Telecommunication (TMT) Organisations Can Protect Their Information. Cyberthreats continue to manifest and present a constant risk to all organisations, particularly small to medium enterprises. Obtaining personal and organisational information is a prize for malicious attackers to sell on the black market, o...

CPS 234 - Opportunity for third parties with strong information security controls

13 November 2019
Information security under CPS 234 From 1 July 2019, the boards of the Australian Prudential Regulation Authority (APRA) and regulated entities will be held accountable in the event of a cyber security incident by the new Information Security Prudential Standard (CPS 234).  It is important to minimise the likelihood and impact of informa...

Risk Insider Newsletter - Edition #2

31 October 2019
Middle market businesses, government and the not-for-profit sector need to proactively leverage technology and data to achieve business and strategic goals. Failure to do this could lead to falling behind the competition or not meeting stakeholder expectations. 

Articulating security issues in business language

25 October 2019
The essential art of articulating security issues in business language. Business leaders who aren’t thinking about cybersecurity as a key business risk could be setting their organisations up to suffer the potentially devastating consequences of a cyber attack.  With both human error and malicious actors posing a significant threa...

Risk Insider Newsletter - Edition #1

31 July 2019
Welcome to our first edition of Risk Insider. Recently we have seen some interesting developments around the world that have redefined how companies and government entities view risks. It has been a busy period for risk and compliance professionals. Boards, Chief Executive Officers and Chief Risk Officers have had to deal with a significant number of changes, which has accelerated change, and the need to access the right risk and compliance advisors has never been as strong.

Webinar | TechTalk - The latest news in Cyber Security

Thursday 2 July 2020 | 12.30pm - 1.30pm AEST
The Institute of Internal Auditors - Australia (IIA) will host a TechTalk on The latest news in cybersecurity to be presented by Darren Booth, Partner at RSM Australia and the National Head of Cyber Security and Resilience. Topics to be covered include: Overview of the current and emerging trends in cybersecurity risks ...

Online Event | IIA-Australia's Financial Services Assurance Forum

Thursday 26 November | 8:30am - 6:00pm AEDT
RSM Australia is proud to be a major sponsor at the upcoming Financial Services Assurance Forum, which will be delivered in an interactive online format on Thursday 26 November 2020. Hosted by The Institute of Internal Auditors - Australia (IIA-Australia), the forum is designed for internal audit, risk, compliance and governance professionals wo...