If you run a business in Australia, you’re likely confused about the cybersecurity frameworks you need to be following, as the country doesn’t have clear guidelines on the minimum cybersecurity standards businesses must meet.
While that is expected to change, with pressure being placed on the Australian government to align with the United States' established parameters for compliance, for the time being businesses are often left wondering which frameworks they need to follow.
These are the top cybersecurity frameworks Australian businesses should be aware of in 2022:
- Essential Eight – Developed by the Australian Cyber Security Centre (ACSC) to help businesses mitigate threats and breaches, outlining eight baseline mitigation strategies and controls.
- Australian Energy Sector Cyber Security Framework – This framework is an assessment designed specifically for protecting Australian businesses in the energy sector, combining elements of several robust security frameworks.
- Center for Internet Security Controls – Not specific to an industry, this framework is designed to protect an organisation’s systems from cyber attacks by disrupting the cyber attack lifecycle.
- Cloud Controls Matrix – This framework is meant to support businesses operating in cloud computing environments, and outlines industry best practices.
- Control Objectives for Information Technology – Another non-industry-specific framework, it is designed to support IT management through the implementation of best practices for IT governance and security operations.
- Australian Government Protective Security Policy Framework – Made for Australian government agencies and non-corporate Commonwealth organisations, this framework establishes best practices to protect users, information, and critical assets by cultivating a security culture across the organisation.
- The Australian Security of Critical Infrastructure Act 2018 – Established in 2018, this framework is designed to protect Australia’s critical infrastructure specifically against foreign attacks. The industries classified as critical infrastructure per the Act include communications, defence, financial services, health care, and transport among others.
- Prudential Standard CPS 234 – Created by the Australian Prudential Regulatory Authority (APRA), this set of defence measures to protect against cyber attacks is meant for APRA-regulated entities including banks, credit unions, building societies, insurance companies, private health insurers, and superannuation entities.
- EU General Data Protection Regulation (GDPR) – In effect since 2018, this regulation focuses on compliance with rules that protect the data of individuals living in the European Union (EU). All Australian businesses that have a location in the EU or offer their services to those in the EU are required to follow this standard.
- ISO/IEC 38500 – This well-known international standard establishes criteria for IT governance, based on six key principles, and focuses on every entity interacting with or operating within a business taking ownership of its role in a strong security posture.
If you're concerned about whether you're compliant with the relevant cybersecurity standards and frameworks, we're here to help. Our team offers in-depth cybersecurity audits, assessing your organisation's existing security infrastructure, identifying vulnerabilities and flagging security compliance issues that need to be addressed. Contact us to learn more.