Identify and Implement The Right Cybersecurity Framework

The field of cybersecurity is constantly evolving, and the growing number of frameworks and standards can be overwhelming for organisations seeking to secure their information assets. This article explores the similarities, distinguishing features, applicability, and the implementation and maintenance process of various cybersecurity frameworks, including ISO 27001, ISO 27017, ISO 27018, SOC2, ISM, and Essential 8.

ISO 27001 is a globally recognised standard that specifies the requirements for an information security management system (ISMS). It is applicable to all types of organisations, regardless of their size, industry, or sector. ISO 27017 and ISO 27018 are extensions of ISO 27001 and provide additional guidance on cloud computing security and personal data protection, respectively.

SOC2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that assesses a service organisation’s security, availability, processing integrity, confidentiality, and privacy (known as the Trust Services Criteria). It is widely used by cloud service providers and other service organisations to demonstrate their security and compliance posture to their customers.

ISM is the Australian Government’s information security manual, which provides a comprehensive framework for securing government information assets. It is mandatory for all federal government agencies and recommended for state and local government agencies and other organisations that deal with government information.

Essential 8 is a set of eight cybersecurity controls recommended by the Australian Signals Directorate (ASD) for mitigating targeted cyber intrusions. The controls are designed to provide a baseline level of security for organisations of all sizes, and they cover areas such as application whitelisting, patch management, and multi-factor authentication.

While these frameworks differ in their scope and requirements, they share commonalities in terms of their goals and principles. They all aim to provide a comprehensive approach to cybersecurity that considers the risks and threats faced by organisations, and they emphasise the importance of risk management, continuous improvement, and compliance with legal and regulatory requirements.

The implementation process for these frameworks involves several steps, including conducting a risk assessment, developing policies and procedures, implementing controls, and monitoring and reviewing the effectiveness of the ISMS. The specific requirements and procedures may vary depending on the framework, but the core principles remain the same.

Key Takeaways:

  1. There is an abundance of freely available, high-quality resources to leverage.
  2. There are several frameworks and standards available for information security management, each with its unique features, applicability, and implementation process.
  3. ISO 27001 is the most widely recognised information security standard globally and provides a systematic approach to managing information security risks.
  4. ISO 27017 and ISO 27018 are supplementary standards that provide guidelines for cloud service providers on information security controls and privacy protection, respectively.
  5. SOC2 is an auditing standard that assesses a service provider’s controls related to security, availability, processing integrity, confidentiality, and privacy.
  6. ISM is the Australian Government’s policy framework for managing and protecting information and provides a risk-based approach to information security.
  7. Essential 8 is the Australian Signals Directorate’s recommended mitigation strategies to protect against cyber threats.
  8. DESE Right Fit for Risk is a risk management framework developed by the Australian Department of Education, Skills and Employment, which provides a tailored approach to information security management based on the organisation’s risk appetite and business needs.
  9. Organisations should carefully evaluate their information security needs and requirements and select the framework or standards that best meet their needs.
  10. Implementation of these frameworks requires a comprehensive approach involving risk assessment, policy development, staff training, continuous monitoring, and periodic review and improvement.