Top 11 Cybersecurity Frameworks for Australian Businesses in 2023

Are you confused about what cyber security program you should comply with? Australia currently has no clear mandatory minimum cyber security standard for business, although it is recommended all businesses consider the Essential Eight maturity model and meet the minimum standard relevant to their business model.


Top Cyber Frameworks of 2023

If you are an Australian business, you can be excused for being confused about your responsibilities and about which cyber security programs you should be implementing to protect your business and customers. Unlike in the USA, Australia’s minimum cyber security mandates can be confusing.

In 2022, the ACSC issued an alert urging businesses to adopt an enhanced cyber security posture. We covered what this means for your business in a recent blog.

Related:  ACSC issues alert to Australian Businesses to adopt a cyber security strategy

In January 2023, the ACSC released an Essential Eight Assessment Process Guide, which details the steps for undertaking an assessment against the Essential Eight (November 2022 release), including methods for testing the implementation of each of the mitigation strategies.

The Australian government is moving towards a national security reform, which means industry-specific regulatory standards will likely be introduced to address the vulnerabilities unique to each sector.

To assist in the effort of strengthening our cyber threat resilience, we’ve compiled a list of cybersecurity frameworks that are available and could be referenced to improve security postures to protect Australian businesses from cyberattacks and cyber threats.

What is a cyber security framework?

A cyber security framework is a set of guidelines or a template that outlines policies and procedures you can use in your business. These frameworks help you establish and maintain your cyber security posture. When a framework is applied, your cyber security resilience should improve and the risk of a cyber event should be reduced.

Most of the listed IT security frameworks focus on a risk-management approach. Consequently, they’re easily adaptable to match your needs and can be applied to target the specific risks that threaten your IT security.

Top 11 Cyber Security Frameworks for Australian Businesses in 2022

1. ASD Essential Eight

The Essential Eight was developed by the Australian Cyber Security Centre (ACSC) in 2017 to help businesses mitigate cyber security threats and data breaches. In March 2022, the ACSC issued an alert for all Australian businesses to implement the Essential Eight, treating the maturity model as a minimum.

The Essential Eight comprises eight mitigation strategies or security controls divided across three primary objectives. When implementing the Essential Eight, organisations should first identify a target maturity level that is suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.

Objective 1:  Prevent Cyberattacks

The first objective aims to protect internal systems from malicious software such as malware and ransomware, and from other cyber threats.

  • Patch Applications
  • Application Control
  • User Application Hardening
  • Configure Microsoft Office Macro Settings

Objective 2:  Limit the Extent of Cyberattacks

This objective aims to limit how far an attack can spread once an attacker is inside. This is achieved by remediating security vulnerabilities so attackers cannot exploit them, and by limiting what a compromised account can do.

  • Restrict Administrative Privileges
  • Patch Operating Systems
  • Multi-factor Authentication (MFA)

Objective 3:  Data Recovery and System Availability

The final objective covers the last stage of a cyber incident: recovery. Sensitive data must be backed up continuously so that systems can be restored promptly and availability maintained.

  • Daily Backups

ACSC Essential Eight Maturity Model

To guide you in the implementation, the ACSC has published a maturity scale that helps measure your business’ alignment with each strategy.

  • Level 0 (Immature) – Not aligned with the mitigation strategy (no compliance)
  • Level 1 (Intermittent) – Partly aligned with the mitigation strategy (low compliance)
  • Level 2 (Committed) – Mostly aligned with the mitigation strategy (medium compliance)
  • Level 3 (Advanced) – Fully aligned (highly protected)

The minimum recommended baseline is Maturity Level 3.

Take our self-assessment to see how your business stacks up with the Essential Eight

What industries does the Essential Eight apply to?

The Australian Signals Directorate recommends all Australian Government entities and businesses implement the Essential Eight framework for best cybersecurity practice.

Is the Essential Eight Mandatory for Australian Businesses?

This is rapidly evolving, so here are the links to the most recent information:

  • The Australian Department of Home Affairs has recently made amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act).  On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules.  Learn More.
  • The Security of Critical Infrastructure Act 2018 mandates cyber incident reporting for critical infrastructure assets. Critical infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions. Fact Sheet.
  • The Protective Security Policy Framework (PSPF), administered by AGD, mandates that all non-corporate Commonwealth entities implement four specific Essential Eight mitigation strategies (known as the Top Four) and strongly recommends the adoption of the entire Essential Eight. Learn more: ACSC Essential Eight Cyber Security Guidelines, the Maturity Model and ACSC Strategies to Mitigate Cyber Security Incidents.
  • Since 2018, it has been mandatory for all businesses with an annual turnover of at least $3 million to report data breaches to the OAIC, whether or not they have adopted the Essential Eight framework.

Becoming compliant with the Essential Eight

KMT supports Australian businesses with a comprehensive managed cyber security service. Our attack surface monitoring service provides a complete cyber security solution to protect your business from most cyber threats.

Speak to us today: 

2. AESCSF Program - Australian Energy Sector Cyber Security Framework

The Australian Energy Sector Cyber Security Framework (AESCSF) program provides a tool for assessing cyber security maturity across Australia’s energy sector.  Protecting Australia’s energy sector from cyber threats is of national importance. These protections maintain secure and reliable energy supplies thereby supporting our economic stability and national security.

The program applies to the following sectors:

  • Gas markets and non-Australian Energy Market Operator (AEMO)
  • Australian Energy Sector
  • Electricity grids and markets
  • Liquid fuels

The AESCSF assesses cyber security maturity and uplift capability, which strengthens the energy sector’s cyber resilience. The AESCSF was developed in 2018 by AEMO, the industry and the Australian Government.  Learn More.

3. Australian Government Protective Security Policy Framework (PSPF)

The Protective Security Policy Framework (PSPF) empowers Australian Government entities to protect their people, information and assets.

Its goal is to cultivate a positive security culture across all entities, both in Australia and overseas.

The PSPF is implemented through a set of policies, each of which links to core requirement guidelines.

There are 5 PSPF principles that represent desired security outcomes:

  1. Security is everyone’s responsibility – A positive security culture supports the achievement of security outcomes.
  2. Security enables the business of government – It supports the efficient and effective delivery of services.
  3. Security measures applied proportionately protect entities, people, information and assets in line with their assessed risks.
  4. Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
  5. A cycle of action, evaluation and learning is evident in response to security incidents.

Learn more.

Is the PSPF mandatory for Australian Businesses?

The PSPF must be applied by all Australian Government entities, including non-corporate Commonwealth entities, in accordance with their risk profiles.

The PSPF is considered the best cyber security practice for all Australian state and territory agencies.

4. Australian Signals Directorate (ASD) Information Security Manual (ISM)

The ASD’s Information Security Manual (ISM) applies a risk-based approach to cyber security that draws on the risk-management framework of the National Institute of Standards and Technology (NIST). The manual is published across several documents, each with an outline of its standard, so you can quickly determine which will be most relevant for your industry. Regular updates keep the manual in accordance with the Intelligence Services Act 2001.
The ASD published the ISM for government agencies. The ISM is intended for CIOs, CISOs and cyber security professionals.

What industries is the ISM applicable to?

A variety of industries where cyber security measures need to be implemented can use the ISM. This IT security framework focuses on minimising risks and exposure as a general rule.

Is the ISM mandatory for Australian Businesses?

The ISM is not mandatory for all Australian businesses.

Learn More

5. The Australian Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure.

There are three primary directives of the Australian Security of Critical Infrastructure Act:

  1. Owners and operators of critical infrastructure must register all relevant assets.
  2. Owners and operators of critical infrastructure must supply the Department of Home Affairs with all required information that could support the security efforts of the centre.
  3. Owners and operators of critical infrastructure must comply with all instructions from the Minister for Home Affairs that support the mitigation of national security risks where all other risk mitigation efforts have been exhausted.

The Act applies to 22 asset classes across 11 sectors including:

  • communications
  • data storage or processing
  • defence
  • energy
  • financial services and markets
  • food and grocery
  • health care and medical
  • higher education and research
  • space technology
  • transport
  • water and sewerage

Is the Security of Critical Infrastructure Act 2018 mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

6. Control Objectives for Information Technology (COBIT)

COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed as a supportive tool for managers, bridging the crucial gap between technical issues, business risks and control requirements.

COBIT’s business orientation links business goals with the IT infrastructure by providing maturity models and metrics that measure achievement and identify the business responsibilities associated with IT processes.

COBIT 4.1 was built around a process-based model divided into four domains:

  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

What industries does COBIT apply to?

COBIT supports all businesses that depend on the reliable distribution of relevant information.

How to be compliant with COBIT

Some of the protocols that support this effort include:

  • Ensuring the correct information security policies are in place
  • Implementing safeguards to detect and remediate data leaks
  • Remediating vulnerabilities placing sensitive data at risk.

Learn More

Is COBIT mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

7. Centre for Internet Security (CIS) Controls

The CIS Controls have been updated to reflect changes in the way organisations now operate, including:

  1. New work-from-home arrangements
  2. Increased reliance on cloud-based solutions
  3. Increased mobile endpoints
  4. Increased adoption of virtualisation
  5. The transition to hybrid workforces

The individual controls are:


What industries does CIS apply to?

CIS Controls are not industry-specific, but they can assist industries that store a lot of sensitive data, such as finance and healthcare.

Is the CIS mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

However, they are recommended for the strong protection of sensitive data they offer.

Learn More

8. NIST Cyber Security Framework

The framework’s core is a list of cyber security functions that follow the basic pattern of cyber defence: identify, protect, detect, respond and recover. The framework provides an organised mechanism for identifying risks and assets that require protection. It lists the ways the organisation must protect these assets by detecting risks, responding to threats, and then recovering assets in the event of a security incident.

What industries does NIST apply to?

The NIST framework was originally intended to protect critical infrastructure such as power plants and dams from cyber attacks. However, it can apply to any business that seeks better security.

Is the NIST framework mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

Learn More

9. ISO/IEC 27001

ISO 27001/27002, also known as ISO 27K, is the internationally recognised standard for cyber security. ISO/IEC 27001 requires that management systematically manage the organisation’s information security risks, taking into account threats and vulnerabilities. The framework then requires the organisation to design and implement information security (InfoSec) controls that are both coherent and comprehensive. The goal of these controls is to mitigate identified risks.

ISO 27002 lists 114 security controls divided into 14 control sets:

  1. Information security policies
  2. Organisation of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development and maintenance
  11. Supplier relationships
  12. Incident management
  13. Information security aspects of business continuity management
  14. Compliance

Who can implement ISO 27002?

There is no limit to the organisations that can successfully implement and benefit from ISO 27002.

Is ISO 27002 mandatory for Australian Businesses?

Australian governments should adopt ISO and/or IEC standards as a baseline. For information classified as “PROTECTED”, Australian governments should mandate ISO/IEC 27001, SOC 2 and potentially FedRAMP (which is a US Government program).

Learn More

10. General Data Protection Regulation (GDPR)

There are 7 key principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Is the GDPR mandatory for Australian Businesses?

All Australian businesses, regardless of their size, must be GDPR compliant if they either:

  • Have an establishment in the European Union.
  • Offer goods and services in the European Union.

Learn More

11. Cloud Controls Matrix (CCM)

The CCM is particularly effective because it maps its controls to prominent security standards and regulations such as:

  • AICPA
  • BITS Shared Assessments
  • German BSI C5
  • PIPEDA Canada
  • CIS AWS Foundation
  • COBIT
  • COPPA
  • ENISA IAF
  • 95/46/EC EU Data Protection Directive
  • FedRAMP
  • FERPA
  • GAPP
  • HIPAA/HITECH Act
  • HITRUST CSF
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27017
  • ISO/IEC 27018
  • Mexico Federal Law
  • NERC CIP
  • NIST SP800-53
  • NZISM
  • ODCA UM: PA
  • PCI DSS
  • IEC 62443-3-3
  • C5

The CCM caters to all parties in a cloud computing relationship, both cloud customers and cloud solution providers.

Is the Cloud Control Matrix Mandatory for Australian Businesses?

The CCM is not a mandatory requirement in Australia. However, this framework is designed to map to mandatory regulations and frameworks.

The Cloud Security Alliance has created a series of mappings to the Cloud Control Matrix (CCM) that can be accessed here.

CSA is regularly updating this list, so if your required cyber security framework mapping is not included in this list, contact CSA to confirm whether it will be in the future.

Final Thoughts

Your IT security framework is what safeguards your data, networks and business from cyberattacks. These frameworks provide you with everything you need to be compliant with cyber security standards. Whether you choose to implement one, or mix and match protocols and policies to make your own personalised IT security framework, is up to you; either way, you are choosing to protect your business in the best way possible.

Summary
Article Name
Top 11 Cybersecurity Frameworks for Australian Businesses in 2023
Description
Are you confused about what cyber security program you should comply with? Australia currently has no clear mandatory minimum cyber security standard for business, although it is recommended all businesses consider the Essential Eight maturity model and meet the minimum standard relevant to their business model.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo
