Cyber Security Standards and Frameworks (2024)
A solid foundation for cyber security is found in several standards and frameworks. Certification bodies, governments and industries have developed sets of rules, procedures and structures to build, implement and maintain a strong information security posture. Popular standards are ISO 27001 (ISMS) from the International Organization for Standardization (ISO), the Information Security Manual and Essential Eight from the Australian Cyber Security Centre (ACSC), and SOC 2 from the American Institute of CPAs (AICPA).
Frameworks vs standards
A framework refers to the overall structure that supports a system. A framework is less prescriptive than a standard and more flexible to adopt. It is possible to make amendments to a framework (within the framework’s requirements) to suit the organisation’s needs.
As the name implies, standards are a structured set of procedures, rules, and other controls that a certification body recognises. Standards are typically globally recognised and provide an industry-aligned level of protection. Often, they are required to tender or partner with government, healthcare, banks or other organisations that require an added level of information security.
Considerations when choosing a model
When selecting the framework or standard to implement in your organisation, consider factors such as your business requirements, the adoption rate and acceptance of the standard, regulatory and contractual requirements, and the cost and effort of certification versus its benefits. The information below is a simplified but accurate representation of the frameworks and standards. It provides an overview of commonly used models.
ISO/IEC 27001 Information Security Management
ISO/IEC 27001 is widely known, providing the requirements for an information security management system (ISMS). The standard was updated to the ISO 27001:2022 version last year, and it now includes 11 clauses and 93 controls in the Annex. It is a mature standard with a holistic approach, including management commitment and a focus on training, awareness and technical controls. To achieve compliance, the first step is to conduct a risk assessment, then identify and implement security controls, and regularly review their effectiveness.
The standard is risk-based and offers flexibility through its Statement of Applicability (SOA) and the principle of Confidentiality, Integrity and Availability of data. It is supported by several supplementary standards, such as ISO 27002 Information Security Controls, which gives guidance on the 93 controls in the Annex, and ISO 27005 for information security risk management. The standard is thorough and pragmatic in its approach.
Developed by: International Organization for Standardization
Industries: All
Type: Standard, conformity model
Certification method: Certification by a recognised ISO 27001-accredited certification body. After the initial certification audit, annual surveillance audits follow, with a recertification audit every three years.
Benefits: Widely accepted standard, suitable for any industry and organisations of various sizes.
Service Organization Control 2 (SOC2)
SOC 2 is intended to prove the security level of systems against static principles and criteria. It comprises five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first of those is mandatory. In comparison, a standard such as ISO 27001 is developed to define, implement, operate, control, and improve overall security and is more risk-based and dynamic.
There are two types of SOC 2 reports. Type 1 reports cover the description of the service organisation’s systems and show whether the proposed controls support the organisation’s objectives. Type 2 reports cover the same description and additionally indicate whether the proposed controls support the security objectives the organisation wants to achieve and whether these controls operate as expected over a period of time (generally between six months and one year).
Developed by: American Institute of CPAs (AICPA)
Industries: For service organisations in any industry, typically in the United States
Type: Standard, conformity model
Certification method: Documented with a formal attestation by a licensed CPA (Certified Public Accountant).
Benefits: Easier and less expensive than other models, but also less thorough with a limited scope.
Information Security Manual (ISM)
The Information Security Manual represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). It is commonly used in Australia since it is mandatory to follow this model if you work, or want to work, with Australian Government PROTECTED data.
The principles are grouped into four key activities: Govern, Protect, Detect and Respond. The objective of the ISM is to lay the foundation for a cyber security framework that organisations can apply to protect their data and systems from cyber threats.
Developed by: Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)
Industries: Australian standard for government agencies, and their suppliers and service providers, who work with PROTECTED information
Type: Standard, conformity model.
Certification method: Compliance certification can be done via the ASD Information Security Registered Assessors Program (IRAP).
Benefits: Comprehensive set of controls, aligned with the Attorney-General’s Protective Security Policy Framework (PSPF).
Essential Eight
The Essential Eight are designed to protect Microsoft Windows-based internet-connected networks and are recommendations by the Australian Signals Directorate. The Top 4 are mandatory for federal government agencies. They consist of application whitelisting, patching operating systems (OS), patching applications, and restricting administrative privileges based on user duties. The Essential Eight complements the Top 4 with four additional recommendations: appropriately configuring Microsoft Office macro settings, user application hardening, implementing multi-factor authentication, and daily backups of critical data, software and settings.
Developed by: Australian Signals Directorate (ASD) / Australian Cyber Security Centre (ACSC)
Industries: Australian standard for government agencies, and their suppliers and service providers
Type: Maturity model, tier 0 - 4
Certification method: No formal certification is available; maturity level requirements are set and audited by government organisations.
Benefits: A compact standard which, when operating effectively, mitigates 85% of targeted cyber-attacks.
NIST Cyber Security Framework
The NIST Cyber Security Framework (CSF) was created to acknowledge and standardise specific controls and processes. It covers five functions: Identify, Protect, Detect, Respond and Recover. NIST CSF builds on, but does not replace, security standards such as NIST SP 800-53 or ISO 27001. NIST has an extensive set of information security standards and best practices. The SP 800-30 Guide for Conducting Risk Assessments is commonly used to complement the ISO 27001 and ISO 27005 standards.
Developed by: U.S. National Institute of Standards and Technology
Industries: All, typically in the United States
Type: Self-assessed standard, maturity model
Certification method: None
Benefits: Elaborate set of framework documents.
South Australian Cyber Security Framework (SACSF)
The framework contains 21 policy statements grouped into four principles: Governance, Information, Personnel and Physical. The framework takes a risk-based approach to cyber security management and replaces the Information Security Management Framework (ISMF).
Developed by: South Australian Attorney-General’s Department
Industries: Mandatory for all South Australian Government public sector agencies, suppliers and service providers to government agencies
Type: Framework
Certification method: Yearly attestation (self-assessed), maturity model.
Benefits: Follows the structure of the Protective Security Framework and is aligned with the ISM.
What model to choose depends on your objectives, industry, location, resources and current maturity level. Contact us if you want to learn more about any of these frameworks or standards.