If you’re an Australian business, you must be wondering about which cybersecurity frameworks and standards you should be complying with in 2022.
In July last year, the Australian Government opened a consultation on options for regulatory reforms and voluntary incentives to strengthen cyber security regulation. This was to support a growing digital economy and respond to a growing threat environment, particularly ransomware.
Cybersecurity has never been more significant, both as an enabler for Australian industry and as a source of economic growth itself. Improving the guidelines for best practice cyber security hygiene is part of the cyber security roadmap. At present, Australia’s cybersecurity sector is small; however, it is forecast to triple its revenue over the coming decade due to increased demand for cyber security products and services.
We present a list of cybersecurity controls to assist in enhancing cybersecurity threat resilience. These controls can be used to develop security frameworks for protecting Australian businesses from cyberattacks.
The most effective mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to mitigate cybersecurity incidents are the Essential Eight strategies.
The Essential Eight (also known as the ASD Essential Eight) comprises eight basic mitigation strategies, or security controls, that are divided across three primary objectives.
The Essential Eight are designed to provide network security for Microsoft Windows-based internet-connected systems.
Organisations that implement the Essential Eight can track their compliance through the framework's maturity scale, which is made up of a series of maturity levels.
In order to implement the Essential Eight, organisations should first identify a target maturity level that suits their environment. They should then progressively adopt each maturity level until that target is achieved.
Organisations should implement the Essential Eight using a risk-based approach. In doing so, organisations should seek to minimise any exceptions and their scope, for example, by implementing compensating security controls and ensuring the number of systems or users impacted is minimised.
There is no requirement for organisations to obtain independent certification for their Essential Eight implementation. It may, however, be necessary to have an independent party assess an Essential Eight implementation if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements. All businesses subject to this cybersecurity framework will undergo a thorough audit every five years beginning in June 2022 to ensure that all security controls are maintained at the highest level.
ISO/IEC 27001, also known as ISO 27001, is the most widely adopted international standard for an information security management system (ISMS) that ensures data and information security. The ISO 27001 standard provides suggestions and action plans for treating and preventing third-party risks by running standard risk assessments and compliance checks.
Implementing ISO 27001 is a complex, multi-stage process, involving many stakeholders, which can quickly complicate its execution. The whole process could be easier and faster if you decide to work with an ISO 27001 consultant.
The ISO 27001 implementation process includes:
- Information Security Policy
- Risk Assessment
- Risk Treatment
- Statement of Applicability
- ISMS Manual and Procedures
- Information Security Improvement Plan
- Performance Monitoring
Nonconformance reporting and corrective actions are a necessity throughout the whole implementation process. Every step of the implementation process needs to be reviewed through internal audits and management reviews.
To become ISO 27001 certified, businesses are assessed across three different information security categories:
- Information Confidentiality – Have the appropriate access controls been implemented to prevent unauthorised access?
- Information Integrity – Does the information have security protection against unauthorised modification?
- Information Availability – Do authorised users have easy access to information when they need it?
The certification is valid for three years. While the certificate remains valid, auditors will continue assessing compliance through annual assessments. Organisations that are certified must conduct routine internal audits every year in order to maintain compliance in time for these assessments.
RFFR (Right Fit for Risk) Framework
RFFR is a component of DESE’s (Department of Education, Skills and Employment) External Systems Assurance Framework (ESAF) that ensures system files and confidential data are secured, stored, and managed responsibly in non-departmental ICT environments.
The term “RFFR ISMS” is used to distinguish the DESE ISMS Scheme from other ISMS schemes.
It is important to note that ISO 27001 certification and RFFR certification differ in that the Statement of Applicability for RFFR must include all the controls described in the Australian Government’s Information Security Manual (ISM). Because of the significant workload, the audit duration is substantially longer than what is required for ISO 27001 certification.
The RFFR requires a customised ISO 27001 certification including a customised ISO 27001 audit.
NIST Framework (Cybersecurity Framework)
The NIST (National Institute of Standards and Technology) Cybersecurity Framework provides a framework, based on existing standards, guidelines and practices, for private sector organisations in the United States to better manage and reduce cybersecurity risk.
The NIST Framework was designed to improve cybersecurity and risk management communications among internal and external stakeholders and assist organisations to prevent, detect, and respond to cyber threats.
The NIST Cybersecurity Framework is based on a practical, risk-management approach. It also provides guidelines for cyber security activities and a wider perspective on how organisations should view cyber security risks. The framework organises the handling of cybersecurity threats into five functions, spanning prevention through to recovery.
The five functions included in the Framework Core are:
- Identify – Develop an organisational understanding of how to manage cybersecurity risk to systems, people, assets, data and capabilities.
- Protect – Outline appropriate safeguards to ensure delivery of critical infrastructure services and to limit or contain the impact of a potential cybersecurity event.
- Detect – Define appropriate activities to identify the occurrence of a cybersecurity event in a timely manner.
- Respond – Outline appropriate activities to take after a security incident to improve response and reduce the impact of the event.
- Recover – Identify appropriate activities to plan for resilience and to restore capabilities or services that were impaired during a cyber-attack, supporting timely recovery and improving incident response planning.
Achieve and Maintain ISO 27001/Essential Eight Compliance with AWD
As a full-service IT provider with over 24 years of industry experience and expertise, AWD is the right partner to set your business up for long-term growth, success and adequate protection. Through our ISO 27001/Essential Eight cyber security consulting services, we help our clients identify risks and potential threats when it comes to their information and data security. Our services are designed to simplify your ISO 27001/Essential Eight compliance process, understand the potential risks for your business and meet your protection requirements.
Fill out the form below and book a 30-minute free consultation session with one of our ISO 27001/Essential Eight consultants.