If you're an Australian business and confused about which cybersecurity frameworks you should be complying with, you're not alone. Unlike the United States, Australia currently doesn't have clear mandatory minimum cybersecurity standards for businesses.
When this national security reform is complete, industry-specific regulatory standards will likely be introduced to strengthen the specific vulnerabilities that are unique to each sector.
In the interim, Australian businesses are critically exposed to Nation-State threat actors, and so, must take ownership of their cyber threat resilience now.
According to the 2020 Australian Digital Trust Report, a 4-week disruption to critical digital infrastructures caused by a cyberattack would cost the Australian economy AU$30 billion (1.5% of GDP) or 163,000 jobs.
To assist in the effort of strengthening the Nation's cyber threat resilience, we've compiled a list of cybersecurity frameworks that could protect Australian businesses from cyberattacks and cyber threats.
1. Essential Eight - Australian Signals Directorate (ASD)
Essential Eight was developed by the Australian Cyber Security Centre (ASCS) in 2017 to help Australian businesses mitigate cybersecurity threats. This framework is recommended by the Australian Signals Directorate (ASD) for all Australian organizations.
Essential Eight (also knows as the ASD Essential Eight) is comprised of eight basic mitigation strategies, or security controls, that are divided across three primary objectives.
Each of the listed strategies under each objective links to an implementation guideline post by the Australian Government.
Objective 1: Prevent cyberattacks
This initial strategy aims to protect internal systems from malicious software such as, malware, ransomware, and other cyber threats.
Objective 1 includes 4 security controls.
- Patch application vulnerabilities
- Application control
- User application hardening
- Configuring MS Office Macro settings
Objective 2: Limit extend of cyberattacks
This objective aims to limit the penetration depth of all malicious injections. This is achieved by discovering and remediating all security vulnerabilities so that threat actors cannot exploit them.
Objective 1 includes 3 security controls:
- Patch operating system vulnerabilities
- Restrict Admin access
- Implement Multi-Factor Authentication (MFA)
Objective 3: Data recovery and system availability
This objective covers the final stage of a cyber threat incident. Sensitive data resources must be continuously backed up to support system availability through immediate data recovery.
This objective includes the 8th and final security control - Daily backups.
For each mitigation strategy, the Australian SIgnals DIrectorate recommends for the Essential EIght framework to be implemented in three phases:
- Maturity Level One - Partily aligned with the mitigation strategy objectives
- Maturity Level Two - Mostly aligned with the mitigation strategy objectives
- Maturity Level Three - Fully aligned with the mitigation strategy objectives
The minimal recommended baseline for cyber threat protection is Maturity Level Three.
Which industries does the Essential Eight apply to?
The Australian Signals Directorate recommends all Australian Government entities and businesses implement the Essential Eight framework for best cybersecurity practice.
Is the Essential Eight Mandatory for Australian businesses?
The Australian Federal government will mandate the Essential Eight framework for all 98 non-corporate Commonwealth entities. Compliance with this framework is expected for both corporate and non-corporate Commercial entities (NCCEs). To evaluate compliance, these entities will undergo a comprehensive audit every 5 years commencing on June 2022
Previously, Government entities were expected to comply with only the top 4 Essential Eight strategies. But after an audit revealed abysmal cyber resilience across multiple government departments, compliance expectations have expanded to all eight strategies with the inclusion of NCCEs.
How to be compliant with Essential Eight
UpGuard empowers Australian businesses to achieve compliance with Essential Eight security controls. UpGuard's comprehensive attack surface monitoring engine provides vulnerability analytics to support application hardening efforts and audits the complete threat landscape to keep patch applications up to date.
2. Australian Energy Sector Cyber Security Framework (AESCSF)
The Australian Energy Sector Cyber Security Framework (AESCSF) is an annual assessment of cybersecurity resilience across the Australian energy sector.
The AESCSF was developed in 2018 as a collaborative effort between:
- The Australian Energy Market Operator (AEMO)
- The Australian Government
- The Cyber Security Industry Working Group (CSIWG)
- Critical Infrastructure Centre (CIC)
- Australian Cyber Security Centre (ACSC)
In an effort to apply the highest level of cyber threat protection to Australian energy infrastructures, the AESCSF combines aspects of recognized security frameworks such as:
- NIST Cyber Security Framework (CSF)
- Cybersecurity Capability Maturity Model (C2M2)
- NIST SP 800-53
- Essential Eight
- Notifiable Data Breaches scheme (NDB)
- ISO/IEC 27001
- The Australian Privacy Principles
To access resources for the latest AESCSF 2020-21 program, refer to the Australian Energy Market Operator website.
Which industries does the Australian Energy Sector CyberSecurity Framework (AESCSF) apply to?
The AESCSF has been designed for the Australian Energy sector.
Is the Australian Energy Sector CyberSecurity Framework (AESCSF) mandatory for Australian businesses?
The AESCSF is not a mandatory security framework for the Australian Energy Sector. However, because critical infrastructures are currently being targeted by cybercriminals, this framework is recommended for its clear maturity pathway programs.
How to be compliant with AESCSF
UpGuard supports many of popular the risk assessments and cybersecurity frameworks being leveraged by AESCSF.
3. Center for Internet Security (CIS) Controls
Center for Internet Security (CIS) Controls are a set of different security efforts designed to protect systems from common cyber-attacks. These mitigation strategies have been designed to disrupt the cyberattack lifecycle.
The CIS framework has been recently updated from version 7.1 to version 8. Version 8 is more aligned with the latest digital transformation trends that are expanding the threat landscape. These include:
- The prevalence of work-from-home arrangements
- Increased reliance on cloud-based solutions
- Increased mobile endpoints
- Increased adoption of virtualization
- The transition to hybrid workforces that deviate between office and home environments
Another obvious change in CIS version 8 is the reduction of controls - they've dropped from 20 to 18.
The updated list of CIS controls are outlined below:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
- CIS Control 5: Account Management
- CIS Control 6: Access Control Management
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 9: Email Web Browser and Protections
- CIS Control 10: Malware Defenses
- CIS Control 11: Data Recovery
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- CIS Control 14: Security Awareness and Skills Training
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
- CIS Control 17: Incident Response Management
- CIS Control 18: Penetration Testing
Difference between CIS controls and CIS benchmarks
CIS controls are a list of recommended strategies for securing systems and devices. CIS Benchmarks are hardening strategies for specific vendor products.
The range of CIS Benchmarks includes 100+ security best practices across 25+ vendors. To access this list
For more details, see the complete list of CIS Benchmarks
Which industries does the CIS framework apply to?
CIS controls are not industry-specific, any organization can strengthen its security posture by implementing CIS controls.
CIS controls are especially beneficial to industries that store copious amounts of sensitive end-user information such as finance, healthcare, education, and law.
Are CIS controls mandatory for Australian businesses?
At the time of writing this, adopting the CIS controls framework is not a mandatory requirement for Australian businesses.
CIS controls are not mandatory, by they're recommended for the superior sensitive data protection they offer. Because this framework is industry agnostic, it can be readily confirmed to most security requirements.
How to be compliant with CIS controls
UpGuard offers a CIS controls security standard questionnaire to assess compliance against the best practice guidelines for cybersecurity outlined in the 18 CIS Controls.
4. Cloud Controls Matrix (CCM)
This Cloud Control Matrix (CCM) is a cybersecurity framework for cloud computing environments. This control framework was created by the Cloud Security Alliance (CSA) - a not-for-profit dedicated to promoting best practices for cloud computing security.
The CCM covers the primary components of cloud technology across 16 domains which branch out into 133 control objectives. This framework can be used to surface security deficiencies in cloud implementation efforts and provide guidance on security controls that could remediate them.
The CCM is particularly effective because it maps its controls to prominent security standards and regulations such as:
- BITS Shared Assessments
- German BSI C5
- PIPEDA Canada
- CIS AWS Foundation
- ENISA IAF
- 95/46/EC EU Data Protection Directive
- HIPAA/HITECH Act
- HITRUST CSF
- ISO/IEC 27001
- ISO/IEC 27002
- ISO/IEC 27017
- ISO/IEC 27018
- Mexico Federal Law
- NERC CIP
- NIST SP800-53
- ODCA UM: PA
- PCI DSS
- IEC 62443-3-3
CCM caters to all parties in a cloud computing relationship - cloud customers and cloud solution providers.
The CCM offers the Consensus Assessments Initiative Questionnaire (CAIQ) for customers that wish to scrutinize the security efforts of their cloud providers, namely which security controls are implemented for PaaS, IaaS, and SaaS products. The CAIQ has recently been updated to version 4 which can be accessed here.
Cloud Solution Providers (CSPs)
Vendors offering cloud products can submit self-assessments with the CAIQ to demonstrate their compliance with CMS standards. This proof of compliance can be sent to clients or used to apply for the Security, Trust, Assurance, and Risk Registry (STAR).
There are two benefits to being included in this registry. The first is that compliance with the CCM matrix is verified by CSA which strengthens the appeal of vendor relationship. The second is that vendors included in the registry have all of their security control documentation publically available, which reduces the complexity of vendor assessments.
For more details about the Cloud Control Matrics, refer to the Cloud Security Alliance website.
Is the Cloud Control Matrix Mandatory for Australian businesses?
The CCM matrix is not a mandatory requirement in Australia. However, this framework is designed to map to mandatory regulations and frameworks.
The Cloud Security Alliance has created a series of mappings to the Cloud Control Matrix (CCM) that can be accessed here.
CSA is regularly updating this list, so if your required cybersecurity framework mapping is not included in this list, contact CSA to confirm whether it will be in the future.
How to be compliant with the Cloud Controls Matrix (CCM)
UpGuard supports compliance with each of the CCM control objectives by offering security questionnaires associated with the standards the CCM maps to. UpGuard offers a custom questionnaire builder to empower organizations to contextualize their CCM compliance.
5. Control Objectives for Information Technology (COBIT)
COBIT was developed by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). This IT management framework is designed to support the development, organization, and implementation of processes that improve IT governance and cybersecurity best practices.
The COBIT framework is commonly used to achieve compliance with the Sarbanes-Oxley Act (SOX). But for general use-cases, COBIT allows organizations to evaluate the effectiveness of their IT investments in light of their business goals.
COBIT 2019 is the latest version of the framework, upgraded from COBIT 5. COBIT 5 was the most celebrated framework because it enforced accountability, which prevented stakeholder
The COBIT 2019 framework consists of 6 principles, outlined below. The 5 principles that governed the COBIT 5 framework are also listed for comparison.
COBIT 2019 Principles:
- Principle 1: Provide stakeholder value
- Principle 2: Holistic approach
- Principle 3: Dynamic governance system
- Principle 4: Governance distinct from management
- Principle 5: Tailored to enterprise needs
- Principle 6: End-to-end governance system
COBIT 5 Principles:
- Principle 1: Meeting stakeholder needs
- Principle 2: Covering the enterprise end to end
- Principle 3: Applying a single integrated framework
- Principle 4: Enabling a holistic approach
- Principle 5: Separating governance from management
To contextualize a potential COBIT implementation, refer to these case studies.
Which industries does COBIT apply to?
COBIT supports all organizations that depend on the reliable distribution of relevant information. This broad categorization includes both government entities and private sector organizations.
Is the COBIT Framework Mandatory for Australian businesses?
COBIT is not a mandatory cybersecurity framework in Australia. However, because Australian businesses issuing and registering securities in the United States need to be compliant with SOX, this group would do well to implement COBIT since it supports SOX compliance.
How to be compliant with COBIT
UpGuard makes it easier for Australian businesses to achieve SOX compliance, which in turn, supports the progression to COBIT compliance.
Some of the protocols that support this effort include:
- Ensuring the correct information security policies are in place
- Implementing safeguards to detect and remediate data leaks
- Remediating vulnerabilities placing sensitive data at risk.
6. Australian Government Protective Security Policy Framework (PSPF)
The Protective Security Policy Framework (PSPF) empowers Australian Government entities, to protect their people, information, and assets. Its goal is to cultivate a positive security culture across all entities. This protection is valid on Australian soil and overseas.
The PSPF aims to implement the following policies. Each policy links to core requirements guidelines.
There are 5 PSPF principles that represent desired security outcomes:
- Security is everyone's responsibility - A positive security culture supports the achievement of security outcomes.
- Security enables the business of government - Services can be delivered more efficiently if they're secure.
- Security measures protect assets and people from their associated cyber risks.
- Each department takes ownership of its inherent and residual risks.
- Security incident responses should be continuously reviewed and improved.
Which industries does the PSPF apply to?
The Protective Security Policy Framework (PSPF) applies to all Australian government entities and non-corporate Commonwealth entities.
Is the Protective Security Policy Framework (PSPF) mandatory for Australian businesses?
The PSPF must be applied to Australian Government entities and non-corporate government entities in accordance with their risk profiles.
The PSPF became a critical requirement for government bodies in 2018 when the Attorney-General established the framework as an Australian Government Policy.
The PSPF is also considered a best cybersecurity practice for all Australian state and territory agencies.
How to be compliant with the Protective Security Policy Framework (PSPF)
UpGuard supports compliance with the Protective Security Policy Framework (PSPF) by offering a single pain of visibility into the entire attack surface to help all departments take ownership of their security posture
7. The Australian Security of Critical Infrastructure Act 2018
The Australian Security of Critical Infrastructure Act 2018 (SOCI Act) seeks to protect Australian Infrastructures from foreign cyberattacks. The range of powers, functions, and obligations in this Act applies to specific critical infrastructure assets in the electricity, gas, water, and ports sectors.
There are three primary directives of the Australian Security of Critical Infrastructure Act:
- Owners and operators of critical infrastructures must register all relevant assets.
- Owners and operators of critical infrastructures must supply the Department of Home Affairs with all required information that could support the security efforts of the center.
- Owners and operators of critical infrastructures must comply with all instructions from the Minister of Home Affairs that support the mitigation of national security risks where all other risk mitigation efforts have. been exhausted.
On 10 December 2020, the Australian government introduced the Security Legislation Amendment Bill to broaden the definition of critical infrastructures in the SOCI Act.
This amendment broadens the application of the SOCI Act to 11 classes of critical infrastructures including:
- Data storage and processing
- Financial services and markets
- Food and grocery
- Health care and medical
- Higher education and research
- Space technology
- Water and Sewerage
More information about the Act can be accessed via the resources below:
- Overview of the Security of Critical Infrastructure Act 2018
- Coverage of critical infrastructures
- Reporting entity obligations
Which industries does the Australian Security of Critical Infrastructure Act apply to?
Australian Security of Critical Infrastructure Act 2018 applies to the electricity, gas, water, and ports sectors that possess a specific range of critical assets.
Is the Security of Critical Infrastructure Act 2018 Mandatory for Australian businesses?
At the time of writing this, there are no announcements enforcing compliance with SOCI 2018.
How to be compliant with the Australian Security of Critical Infrastructure Act 2018
UpGuard supports compliance with SOCI 2018 and its reformed security controls by helping critical infrastructures discover and remediate data leaks and vulnerabilities exposing critical assets and third-party vendors in the supply chain.
8. Prudential Standard CPS 234
The CPS 234 is a regulation by the Australian Prudential Regulatory Authority (APRA) that requires APRA-regulated organizations to implement defense measures against cyberattacks and other information security incidents.
CPS is a response to the proliferation of attack vectors created by enhanced digital transformation.
APRA introduced CPS 234 to enforce organizations to strengthen their third-party risk mitigation efforts and improve their data breach notifications. These requirements are included in the 6 key domains of information security:
- Cyber Security Framework - A resilient framework supported by relevant security controls is required. All information security roles and responsibilities must be clearly defined.
- Information asset identification and classification - All information assets must be sorted by criticality and sensitivity.
- Third-party compliance - The protection of sensitive data resources must extend to the third-party vendor network.
- Systematic assurance - A commitment to the cyclical review and iteration for security processes to contend with the evolving threat landscape.
- Security incident response - The design and implementation of formal Incident Response Plans that keeps APRA notified of all information security incidents.
- Internal audit - A commitment to the continued review of the effectiveness of all information security controls.
Which industries does the Prudential Standard CPS 234 apply to?
CPS 234 compliance is mandatory for all APRA-regulated industries.
- Credit unions
- Building societies
- Insurance and reinsurance companies
- Private health insurers
- Life insurance
- Members of the superannuation industry
How to be compliant with CPS 234
APRA-regulated industries should have met all of the new CPS 234 standards by July 2019, and all third-party compliance standards by July 2020.
For compliance assistance, read our guide on how to comply with CPS 234.
9. EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) was put into effect on March 25 2018 by the European Union. The regulation aims to protect the personal data of all people residing in the European Union.
There are many commonalities between the GDPR and the Australian Privacy Act 1988. The key differentiator between the two is the GDPR's Right to Erasure.
Is GDPR compliance mandatory for Australian businesses?
All Australian businesses, regardless of their size, must be GDPR compliant if they either:
- Have an establishment in the European Union.
- Offer goods and services in the European Union.
At the time of writing this, it's inconclusive whether Australian government entities need to be compliant with the GDPR.
How to be compliant with the General Data Protection Regulation (GDPR)
UpGuard supports GDPR compliance by discovering and remediating all vulnerabilities and data leaks that could expose sensitive customer information - both internally and throughout the vendor network.
10. ISO/IEC 38500
The ISO?IEC 38500 is an international standard for an IT governance framework. It ensures the security of all management processes and decisions that impact the current and future use of Information Technology.
ISO?IEC 38500 empowers multiple parties to take ownership of a company's security posture including:
- Executive managers
- Users with access to all of the organization's resources.
- Third-party vendors
- Technical specialists
This framework is supported by six principles:
- Establish clear responsibilities
- Support the objectives of the organization
- Make strategic acquisitions
- Ensure KPIs are exceeded
- Ensure conformance with rules
- Consider all human factors
For more information, refer to the official ISO/IEC 38500 2015 standard document.
Is the IEC/ISO 38500 mandatory for Australian businesses?
ISO 38500 is an international standard for IT security, so Australian businesses are expected to be compliant with this framework.
All types of businesses should strive to be ISO 38500 compliant including:
- Public and private companies
- Government entities
- Businesses of all sizes, regardless of their IT usage.
How to be compliant with IEC/ISO 38500
UpGuard helps organizations align their IT security with their business objective by seamlessly augmenting attack surface monitoring with IT processes and supporting the efficient scaling of cybersecurity programs.
UpGuard helps Australian businesses significantly strengthen their security posture through comprehensive attack surface management. This includes data leak detection and remediation for both the internal and third-party threat landscape to mitigate data breaches and third-party breaches.
UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.