Frequently Asked Questions
Cybersecurity Frameworks
Q1. What is a cybersecurity framework?
A cybersecurity framework is a structured set of guidelines, best practices, and controls that help organisations manage and reduce cyber risk.
It provides a common language for assessing your current security posture, identifying gaps, and prioritising improvements.
Q2. Why are frameworks important?
Frameworks help businesses and not-for-profits:
Prioritise what sensitive data and systems to protect from common cyber threats. Not everything can be or needs to be protected, given limited budgets.
Meet regulatory and compliance requirements. For most of our clients these are the ACNC governance requirements, but some have stricter obligations under state health acts, CPS 234 (for financial institutions regulated by APRA), or SOCI if considered
Build trust with customers, partners, and donors
Make smart, risk-based decisions about security investments
Q3. What is the Essential Eight (E8)?
The Essential Eight is an Australian Government framework developed by the Australian Cyber Security Centre (ACSC).
It outlines eight mitigation strategies (such as patching applications and operating systems, multi-factor authentication, and regular backups) that protect against the most common cyber attacks.
It is a practical, low-cost starting point for most small and medium organisations. It does have limitations, since it is focused on technical controls and does not cover areas such as physical security, cloud security, or vendor assessments, but it is an excellent model to align to.
Q4. What is ISO 27001?
ISO 27001 is an international standard for managing information security across your whole organisation.
It focuses on governance, ensuring you have the right policies, processes, and risk management in place to protect data.
Many organisations use it to demonstrate alignment with international best practice or to prepare for certification. Defensv has PECB-qualified ISO 27001 Lead Auditors who can perform pre-audits, certification preparation, or control assurance. ISO 27001 is designed for medium to larger organisations that have progressed further along their cyber resilience journey.
Q5. What Frameworks are there for small businesses or charities?
The following list is not exhaustive and is offered with no warranty or endorsement, but it is what we suggest as a good start.
The ACNC has issued basic guidance that can be used to build a framework; it is an excellent starting point for charities and small businesses. Defensv has adapted the guidance into a basic Checklist.
For medium to larger organisations, the ASD and AICD have issued cyber security guidance for Australian boards.
Cybercert is an online, subscription-based system that can help small businesses monitor and track their cyber readiness.
Q6. How long does an assessment take?
The timeframe depends on the type of assessment and the size and complexity of your organisation.
Security Health Check: usually 1–2 weeks
- Short interviews (1–2 hours) with key stakeholders to understand processes and systems. Currently these are performed remotely.
- Basic access to systems or key documents
- Recommend OpenCase
Essential Eight (E8) Assessment: usually 2–3 weeks
- Access to IT systems, security settings, and relevant policies
- Brief discussions with IT or management
ISO 27001 Readiness / Gap Assessment: usually 3–6 weeks
- Document review, workshops, and risk assessment
- Involvement from management and IT
Board or Staff Cybersecurity Training: typically 1–2 hours
- Presentation or workshop format
- No prep work required
Q7. Should we have policies and standards?
The quick answer is yes, but they do not need to be War and Peace. Policies are better kept brief and to the point, focusing on the objective and on who is responsible.
Small Businesses and Charities
One-page policies are well suited to small businesses and charities with more than 2–5 employees (below that, we suggest a single document that is just a few pages long). Why? Policies are meant to be easily read, followed and enforced. We often see organisations implement detailed policies and standards with the best intentions, only for them to be too detailed and not updated regularly, which is essentially a waste of time.
Worse, policies that exist but are not followed could hinder a claim on your cyber insurance in the event of an incident.
Medium to Large organisations
We suggest policies based on NIST SP 800-53 and/or COBIT; again, keep them to the point and easy to follow.
ISO 27001 Preparedness
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information to ensure its confidentiality, integrity, and availability.
It is a set of policies, procedures, and controls that help organisations identify and manage risks to their information assets.
Organisations implementing ISO 27001 will typically have the following:
ISMS: the framework that outlines the policies, controls and stakeholders, and pulls them together into a system for how the organisation governs its information security.
Policies: high-level objectives for securing the organisation.
Standards: detailed requirements that set out a RACI and security control objectives, and align to international control sets such as NIST SP 800-53 or ISO 27001 Annex A.
Q8. What should policies and controls generally cover?
At a minimum: access control, patching, backup and recovery, email, incident response, data protection and privacy, mobile working, physical security, and staff awareness.
Optional but highly recommended: vendor, supply chain and cloud security, and IT asset management.
Cybersecurity Frameworks — Comparison & Links
Recommended starting frameworks and next steps for different organisation types. Official oversight or guidance links included for quick reference.
| Organisation Type | Recommended Starting Point | Next Step | Oversight Organisation / Authority |
|---|---|---|---|
| Small NFP or small business | ACNC guidance (community-aligned security practices for small and not-for-profit organisations) | Essential Eight (E8) | ACSC |
| Medium organisation | Essential Eight (E8) (baseline technical controls recommended in Australia) | ISO/IEC 27001 readiness; also refer to the NIST Cybersecurity Framework (NIST CSF) | ACSC & ISO |
| Regulated / enterprise organisation | ISO 27001 (governance-focused ISMS for regulatory assurance) | APRA CPS 230 and CPS 234 for financial organisations; ASX Listing Rules for those trading on the ASX | ISO & JAS-ANZ (accreditation) |
| Victorian Government contractor / funded NFP | Essential Eight (E8) (typically expected for Victorian government supply) | VPDSS / PSPF alignment (Victorian state protective data standards; other states have similar requirements) | ACSC & OVIC (Victoria) |
The NIST Cybersecurity Framework referenced above is an important framework. It provides a set of guidelines and best practices to help organisations identify, protect against, detect, respond to, and recover from cyber security threats. Both regulated entities and medium to large enterprises have benefited from it, but it is normally not suitable for smaller organisations. Some smaller organisations have used AI to create policy templates based on NIST controls, with some great, easy-to-implement documents as a result; as always, keep a human in the loop, because AI output can vary in quality.
Not included above but also worth discussing is the ASD Information Security Manual (ISM), typically used by government agencies and the MSPs in their supply chain. Accredited IRAP assessors review the controls in the ISM and make a determination. If required, Defensv can recommend IRAP assessors and put customers in contact with a trusted party to perform the assessment.