Knowing where to start with cyber security, and which resources are best for your business, can be extremely difficult. Australia and New Zealand have each set up a dedicated cyber security “centre”, the Australian Cyber Security Centre (ACSC) and the National Cyber Security Centre (NCSC) respectively, and each publishes its own framework. On top of this, various government departments have their own specific frameworks which must be complied with to tender for work with them. That is even before you start considering overseas customers and their regulations, or other regulatory bodies. Here, I hope to explain some of these frameworks and how they are being used by regulatory bodies.

Australian Cyber Security Centre (ACSC) Essential Eight

The ACSC designed the Essential Eight as the most effective strategies to mitigate cyber security incidents. The strategies have been designed to protect Microsoft Windows-based, internet-connected networks.

These are the strategies which should be prioritised when protecting your office networks, or any other networks which are Windows-based and connected to the internet.

The Essential Eight are:

  • application control
  • patch applications
  • configuration of Microsoft Office Macro settings
  • user application hardening
  • restrict administration privileges
  • patching of operating systems
  • multi-factor authentication
  • regular backups

The Essential Eight is a way of promoting awareness of cyber threats and providing some basic controls through which companies can mitigate the threat to their data. These threats are relevant to all companies, not only those which are technology or internet based, and the controls aim to protect systems and data which are common to all, including HR systems, organisational data storage and access, and communication systems.

More information on the Essential Eight and the Essential Eight maturity model can be found on the ACSC website: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight

Australian Cyber Security Centre Information Security Manual (ISM)

The Australian Cyber Security Centre’s Information Security Manual (ISM) outlines a cyber security framework that can be used to secure a business’s systems and data from cyber threats. It sets out a list of controls, which a business can apply in conjunction with its risk management framework to protect its systems.

Controls outlined in the ISM can be assessed and included within a Statement of Applicability, showing that each control has been assessed, and implemented according to the risk to the data it protects.

Updates to the ISM are published approximately every three months to ensure the controls remain up to date and cover any emerging threats within the industry.

The controls outlined in the ISM can be incorporated into an ISO 27001 audit, where the ISM controls are mapped to the ISO 27001 standard to demonstrate that the relevant clauses are met by the implementation of the ISM controls. This mapping can be included, and called out, in an ISO 27001 audit report, giving increased detail on how the ISO 27001 clauses are being met, specifically which controls from the relevant framework are being used and how they are being implemented.

More information on the ISM, including the controls, can be found on the ACSC website: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

National Cyber Security Centre (NCSC) Cyber Security Framework

The New Zealand National Cyber Security Centre Cyber Security Framework outlines a framework that can be used to protect systems and data from cyber threats. As well as a broad framework for addressing cyber threats, it contains an Information Security Manual (NZISM) which, similar to the Australian ISM, is a framework outlining controls which can be implemented to mitigate individual security threats.

The Beta version of the framework has been released and will be used to shape how the NZ Government communicates its cyber security expectations to business executives and leaders.

The framework is made up of five high level functions:

  • Guide & Govern
  • Identify & Understand
  • Prevent & Protect
  • Detect & Contain
  • Respond & Recover

The NZISM contains controls, broken up into different categories, which can be used to secure your systems and data. The controls are further categorised by their effectiveness at mitigating threats into baseline controls, which are essential to manage risks, and those which are best practice.

Currently the Cyber Security Framework and NZISM are used by government agencies; however, their use will inevitably be extended to suppliers, to protect the government’s systems and data from any risks arising from them.

The NZISM and its controls can be found on the Government Communications Security Bureau site: https://www.nzism.gcsb.govt.nz/ism-document/

The cyber security framework in which the NZISM sits is explained by the NCSC here: https://www.ncsc.govt.nz/resources/ncsc-cyber-security-framework/

Hybrid Systems

Hybrid systems, which combine a management system with the implementation of controls, are another approach which some government agencies are taking to protect their data and systems. One such example is the Australian DEWR (Department of Employment and Workplace Relations) ISMS scheme, which is a customised ISO 27001 standard that includes additional controls from the ISM. Compliance with this scheme is mandated (from March 2024) for all DEWR providers who need to access DEWR systems and data. Compliance is demonstrated through a JAS-ANZ accredited audit against the scheme.

Depending on how the rollout goes, this is an approach which could be adopted by other departments within Australia, or in New Zealand based on the Cyber Security Framework.

Conclusions

Given the publication of the Australian ISM and the NZ Cyber Security Framework, enhancing your ISMS to map controls from the relevant framework to your risk assessment and Statement of Applicability will give your system increased protection against emerging threats, along with best-practice mitigation strategies and controls.

Controls from either the ISM or the NZISM can be mapped to the ISO 27001 standard clauses and included within an ISO 27001 audit. Here, the auditor can delve deeper into how you are implementing the relevant controls and call these out in your audit report. This will give you a more detailed understanding of how you are meeting the ISO 27001 standard, and can give regulatory bodies more confidence in your ISMS.

Author
Brad Fabiny

DQS Product Manager - Cyber Security, and auditor for the ISO 9001 and ISO 27001 standards and information security management systems (ISMS), with extensive experience in software development.
