In the realm of cyber security, frameworks serve as the backbone for creating, enhancing, and maintaining security protocols. For Australian security managers, navigating the landscape of these frameworks is crucial. The Australian Cyber Security Centre's (ACSC) Essential Eight, the US-based National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), and the International Organization for Standardization's ISO 27001, although originating from different corners of the world, are pivotal in shaping robust security postures. This article explores the role each of these frameworks plays and how they can be cohesively applied in the Australian context.
The ACSC Essential Eight
The ACSC's Essential Eight is a prescriptive set of strategies to mitigate cyber security incidents tailored to Australian organisations. It is designed as a baseline from which security managers can develop a defence-in-depth approach, addressing various vectors of cyber-attacks. The Eight includes strategies for application whitelisting, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and daily backup of important data.
The role of the Essential Eight is twofold. Firstly, it serves as a practical starting point for organisations that are developing or reviewing their security measures. Secondly, it provides a targeted approach for protecting against common threats faced by Australian businesses, such as malware and unauthorised access.
In terms of obligations, the Essential Eight is the defacto Australian cyber security standard, with recent court cases referencing the Essential Eight as the foundational security expectations for Australian businesses.
NIST Cybersecurity Framework (CSF)
The NIST CSF is a voluntary framework primarily intended for critical infrastructure organisations but has been widely adopted across various sectors due to its flexibility and comprehensive nature. It consists of five core functions: Identify, Protect, Detect, Respond, and Recover. While it is a US-developed framework, it holds global relevance due to its adaptable and outcome-driven approach.
Australian security managers can leverage the NIST CSF for its risk management processes and its emphasis on continuous improvement. It aligns well with the Australian government's emphasis on resilience and offers an overarching structure within which the Essential Eight can be positioned.
ISO 27001
ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It adopts a risk-based approach and is technology-agnostic, making it applicable to any size of organisation in any industry.
For Australian security managers, ISO 27001's role is to provide an internationally recognised certification that demonstrates an organisation's commitment to information security. When integrated with the Essential Eight, it can elevate an organisation's security practices to meet international business expectations and compliance requirements.
Applying and harmonising the Frameworks
Understanding these frameworks is one thing; applying them in harmony is another. Australian security managers must navigate the nuances of each to create a synergistic security strategy. The Essential Eight provides specific technical strategies, the NIST CSF offers a risk-based approach to managing cybersecurity risk, and ISO 27001 sets out the criteria for an ISMS.
The Essential Eight is the recommended initial approach for Australian SMEs – gaining ‘Maturity Level 1’ compliance will significantly increase your company’s cyber security resiliency with practical (and specific) IT security controls.
The NIST CSF offers a risk-based approach to subjectively evaluate and measure the risk posed by the current security maturity. Due to its origins in critical infrastructure it is ideally suited to the Security of Critical Infrastructure Act (SOCI Act) regulated organisations and industries, as well as more broadly larger organisations wishing to evaluate their risk position and likely financial exposure – which often provides the context and budget justification for security programme investments.
ISO 27001 is the international gold standard in terms of information security management. It is a considerable program of work to establish the necessary policies and procedures, undergo auditor certification and subsequently maintain operations within the parameters set in the policies. While intensive, ISO 27001 is the internationally accepted ‘ticket to the dance’ in terms of security maturity attestation to be an accepted supplier to larger corporations. There also are efficiencies in being able to provide an ISO certification rather than completing extensive and labour intensive security questionnaires from insurers and customers.
By integrating the frameworks, security managers can benefit from Essential Eight's specific controls, the NIST CSF's flexible risk management practices, and the global best practices and recognition of ISO 27001. For example, the NIST CSF can guide the identification and prioritisation of assets and risks, while the Essential Eight can serve as the control implementation layer, all within the overarching governance structure of an ISO 27001-compliant ISMS.
For Australian security managers, the ACSC Essential Eight, NIST CSF, and ISO 27001 are not mutually exclusive frameworks but are rather complementary tools that, when used collectively, can lead to a robust and resilient cyber security posture. Understanding and applying these frameworks in unison can help Australian organisations not only to defend against cyber threats but also to align with international standards and best practices, fostering trust and confidence among stakeholders and across borders.
This series of articles will focus on the Essential Eight as the convenient starting point to a compliance journey, we welcome you to follow along. If you would like to organise a meeting to discuss our compliance expertise, please contact us today.
