
Cyber security standards and frameworks

Cyber security standards and frameworks give Australian organisations a common language and set of controls that security leaders across industries can use to understand their own security posture and that of their vendors.

ISO27001 and ISO27002

ISO27001 and ISO27002 together provide a comprehensive approach to information security management. ISO27001 sets out the requirements for implementing an Information Security Management System (ISMS); ISO27002 provides guidance on specific security controls.

The ISO27002 controls are NOT mandatory for an ISO27001 implementation. Organisations select the controls that are appropriate on the basis of their own risk assessment. Organisations opting for ISO27001 certification must undergo regular audits to assess compliance with the standard’s requirements.

Compliance obligations include conducting risk assessments, developing and implementing security policies, managing access controls, and maintaining incident response capabilities. Organisations that do not require formal certification may opt for less stringent ‘compliance’ or ‘alignment’ with ISO27001. Most Australian State Governments are required to carry out yearly maturity audits against ISO27001.

Australian Signals Directorate Essential Eight (ASD8)

The ASD Essential Eight is a prioritised list of security controls developed by the Australian Signals Directorate (ASD). Compliance with the Essential Eight is not mandatory. It is, however, highly recommended for organisations aiming to enhance their cyber security posture.

Audits of ASD Essential Eight compliance evaluate how well each control has been implemented. The controls include application whitelisting, patching applications and operating systems, multi-factor authentication, and regular backups. Organisations should be able to demonstrate their adherence to these controls in line with the ASD’s recommendations.

National Institute of Standards and Technology Cyber Security Framework (NIST CSF)

The NIST CSF provides a comprehensive framework for managing cyber security risk effectively. Although not mandated by Australian regulations, many organisations voluntarily adopt the NIST CSF as best practice. Compliance audits assess an organisation’s alignment with the framework’s five core functions: Identify, Protect, Detect, Respond, and Recover.

At the time of writing, NIST was consulting on a revision to the framework. Organisations should demonstrate adherence to the recommended security controls and implement the risk management strategies outlined in the framework.

Australian Energy Sector Cyber Security Framework (AESCSF)

The AESCSF is a sector-specific framework designed to protect critical infrastructure within the energy sector. Compliance with the AESCSF is vital for organisations operating in this sector to safeguard their systems and ensure uninterrupted energy supply. Audits of AESCSF compliance evaluate an organisation’s implementation of security controls specific to the energy sector.

These include access control, incident response, and vulnerability management. Demonstrating compliance with the AESCSF reinforces an organisation’s commitment to securing critical energy infrastructure.

Australian Government Protective Security Policy Framework (PSPF)

The PSPF sets out the mandatory requirements for protecting Australian government resources, including information and systems. Compliance with the PSPF is obligatory for organisations handling classified information or providing services to government agencies.

Audit obligations under the PSPF include assessing compliance with security governance, risk management, personnel security, physical security, and information security. Organisations must undergo periodic audits to ensure continued compliance with the framework.

The Australian Security of Critical Infrastructure Act 2018 (SOCI)

Under the SOCI Act, organisations whose assets are identified as critical infrastructure assets must adhere to prescribed cyber security obligations. Compliance with the Act entails conducting regular audits to assess the effectiveness of the security measures implemented to protect those assets.

Audits focus on evaluating an organisation’s compliance with the specific obligations outlined in the Act. These may include risk management, incident response, information sharing, and supply chain security.

Cyber security standards and frameworks play a key role in providing a common language and set of controls for security leaders. They are an excellent way for businesses to understand what they need to do to be more secure online.
