Compliance standards for cyber security are new territory for many Australian businesses. To help demystify what can be a confusing space, we’ve taken the time to look at three different standards, what benefits they offer and how they might be used by different sized businesses.


ISO 27001

ISO 27001 is concerned with the CIA of information. In this context, CIA refers to an organisation maintaining the Confidentiality, Integrity, and Availability of the information it holds.


ISO 27001 is the recognised global standard for putting in place an Information Security Management System (ISMS) that applies to a whole organisation and the totality of its processes. It’s also a reasonably practical framework because it begins with how to build a strong ISMS, then moves logically to the next steps of implementation and maintenance once the system is in place.


The framework is made up of 14 subdomains that can be grouped into six areas:

  1. Company security policy
  2. Asset management
  3. Physical and environmental security
  4. Access control
  5. Incident management
  6. Regulatory compliance



Essential 8

More often than not, when those who don’t specialise in cyber security think about it, they imagine that implementing a strong cyber defence means there is zero chance they will suffer a breach. But that’s not the reality. It’s becoming better accepted that cyber security is a lot like physical security: it acts as a strong deterrent and mitigates risk, but it isn’t a total guarantee.


That’s why meeting what is recognised as a ‘minimum baseline’ level of protection is important. The Essential 8 is a grouping of mitigation strategies that raises your baseline level of defence and acts the way a locked door and a guard dog would in the physical world: it makes your deterrence stronger.


The Essential 8 is published and maintained by the Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency for cyber security.



NIST

The National Institute of Standards and Technology (NIST) is a US Government agency set up to help US businesses and other government agencies lift their standards. The NIST Cybersecurity Framework brings together a range of well-researched, real-world-tested strategies and plans under one umbrella.


The NIST framework is helpful for organisations pursuing other certifications from external standards agencies because it puts in place the procedures and processes a business will need to provide evidence for. These include an audit of the data you hold, the risk assessments you currently have for that data, your current and proposed security controls, and your ongoing monitoring processes.



What do these standards have in common?

These cyber security standards all have one thing in common: they require organisations to conduct a thorough in-house review of what digital information they currently gather, hold and store, and how they handle, protect and delete it.


Despite the internet, email and ecommerce being part of the business landscape for decades now, many businesses have never sat down and considered these factors.


Engaging with any one of these standards requires that process to begin, and that alone is a valuable feature of any of them.



Where do these standards differ?

The standards differ in some important ways. To begin with, both the NIST Cybersecurity Framework and the Essential 8 are guidance frameworks. They do not come with an external certification. Organisations are free to use the resources published by NIST and the ACSC as they see fit, but those bodies do not validate how they have been applied. In addition, the NIST framework is prepared for a US audience, which might mean that some of its features are less applicable to Australian businesses that do not provide any products or services to international clients.


On the other hand, ISO 27001 is a global certification that provides external accreditation. A business can cite it in its dealings once it has achieved compliance with the standard, as confirmed by an external audit from an accredited reviewer.



Which should I choose?

Like many business processes, that really depends on the specific features of your organisation. It helps to think of the Essential 8 as a strong starting point and a minimum baseline of things to consider. ISO 27001 certification confers the benefits of a rigorous examination and can help you stand out from competitors in your field, especially if you do business in a sector where sensitive information is held (e.g. defence, government services, healthcare).


If you are unsure about the best place to start, or have questions about any of the standards we’ve outlined here and how they might apply to your business, CyberUnlocked can provide professional, tailored advice from an expert source.