The big cyber question – Which framework is best?
 
The challenge of selecting the best and most appropriate cybersecurity framework for your business, especially in Australia, is complex and often confusing. There appears to be a vast selection of frameworks, guidelines, and standards, each with unique strengths, weaknesses, and focus areas. Let’s dissect this and see how you can select the right one for your business.
The Essential 8
It makes sense to start with the Essential 8, as it’s an Australian guideline many organisations follow. It works like a cybersecurity multivitamin tablet, perfect for a baseline health regimen. Crafted by the Australian Cyber Security Centre (ACSC), the Essential 8 focuses on eight crucial strategies to bolster cyber defences. These technical strategies provide clear guidance for systems hardening, particularly if you use Microsoft technology. Critical controls include application whitelisting to block unauthorised programs, patching applications and operating systems to close vulnerabilities, and restricting administrative privileges to those who really need them. It also emphasises the importance of multi-factor authentication, which most organisations now utilise in one way or another as a critical defence layer. For businesses, especially those invested in Microsoft infrastructure, it’s a practical baseline set of controls for safeguarding your business. However, while the Essential 8 excels in establishing fundamental defences, especially against malware and external attackers, it may fall short for organisations targeting comprehensive certifications like ISO 27001 or PCI-DSS. Those standards demand an expansive security framework encompassing technical controls, organisational policies, and continuous risk assessment.
ISO 27001
Turning our focus to ISO 27001, consider it the Swiss Army knife of cybersecurity. This globally recognised framework offers a comprehensive method for managing information security. ISO 27001 extends beyond technological controls, covering an entire Information Security Management System (ISMS) and integrating policies, processes, people, and IT systems. This standard necessitates a risk-based approach to security, requiring organisations to perform risk assessments and implement controls tailored to their specific risks. These controls are both technical and organisational, covering, for example, employee training, regular audits, and a commitment to continuous improvement. If you are already doing well on your technical controls, or have hit your Essential 8 maturity level target across the board, ISO 27001 is a significant next step on your road to cyber resilience.
PCI-DSS
Next, we’ll take a quick look at PCI-DSS, the Payment Card Industry Data Security Standard. For businesses that handle card payments, PCI-DSS is indispensable. It acts like a gatekeeper, rigorously safeguarding cardholder data and mandating technical and operational requirements designed to protect card transactions and prevent credit card fraud. Requirements include encrypting cardholder data, maintaining a secure network through firewalls and regular testing, and implementing strong access control measures. Regular compliance assessments ensure the business environment adheres to these stringent standards.
SOC 1 and SOC 2
Also, don’t overlook SOC 1 and SOC 2, which offer stakeholders an insightful view into your organisation’s data management practices. Think of them as an attestation to external parties that you do things properly, which is a valuable way to demonstrate your commitment to cybersecurity. SOC 1 is tailored to service organisations that impact their clients’ financial reporting. It’s divided into two types: Type 1, which evaluates the suitability of the design of controls at a specific point in time, and Type 2, which examines the operational effectiveness of those controls over a defined period. This standard is crucial for any service provider whose actions can affect clients’ financial statements, ensuring the integrity and confidentiality of the data involved in these processes.
SOC 2, on the other hand, is centred around trust services criteria, focusing on five fundamental principles: security, availability, processing integrity, confidentiality, and privacy. Like SOC 1, it also has two types. Type 1 reviews the design of controls related to these principles at a specific moment. In contrast, Type 2 assesses how effectively these controls operate over a defined period. SOC 2 is particularly relevant for technology and cloud computing companies, where these principles are vital for maintaining client trust and ensuring regulatory compliance. SOC 1 and SOC 2 provide a comprehensive view of an organisation’s control landscape. SOC 2’s broader scope makes it essential for businesses that handle sensitive or personal data beyond financial information.
NIST’s Cyber Security Framework
NIST CSF (the National Institute of Standards and Technology Cybersecurity Framework) warrants a highlighted mention in our cybersecurity toolkit: while it’s not an Australian standard, many cybersecurity practitioners and organisations in Australia follow its advice. It’s more of a meta-framework – the GPS of cyber – helping you navigate the complex terrain of cybersecurity. It guides you methodically through its five core functions, Identify, Protect, Detect, Respond, and Recover, by recommending controls from various other standards and guidelines. The Identify function involves understanding and managing cybersecurity risks to systems, assets, data, and capabilities. Protect focuses on safeguards to ensure the delivery of critical services, including access control and awareness training. Detect is about implementing appropriate activities to identify the occurrence of a cybersecurity event. Respond encompasses actions to contain the impact of an event, and Recover is about maintaining plans for resilience and restoring any capabilities or services impaired due to a cybersecurity event.
The CSF is incredibly versatile, making it suitable for any sector, from small businesses to large corporations and government agencies. It’s particularly beneficial for organisations that align with U.S. standards, as it provides a flexible and cost-effective approach to bolstering cybersecurity without prescribing specific technologies or processes. This adaptability allows organisations to tailor their cybersecurity strategies to their unique needs and risk profiles, promoting continuous improvement and innovation in their security practices.
Making Your Choice
But let’s cut to the chase. The most crucial factor in picking a cybersecurity framework isn’t the framework itself – it’s your business goals. What do you need to achieve to bolster your business? Align your cybersecurity program with these goals. That’s the real secret sauce for getting a return on investment from your security efforts. It’s not about shooting in the dark; it’s about targeted, goal-oriented action. So, when you’re weighing up these frameworks, ask yourself: “Which of these aligns best with where my business is going?” That’s your north star.
Reach out to us today to talk about how we can help you develop and execute your cyber maturity improvement program.