Australian Cyber Security Centre (ACSC) Essential 8 controls

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

ACSC Information Security Manual (ISM)

  1. Guidelines for Cyber Security Roles
  2. Guidelines for Cyber Security Incidents
  3. Guidelines for Procurement and Outsourcing
  4. Guidelines for Security Documentation
  5. Guidelines for Physical Security
  6. Guidelines for Personnel Security
  7. Guidelines for Communications Infrastructure
  8. Guidelines for Communications Systems
  9. Guidelines for Enterprise Mobility
  10. Guidelines for Evaluated Products
  11. Guidelines for ICT Equipment
  12. Guidelines for Media
  13. Guidelines for System Hardening
  14. Guidelines for System Management
  15. Guidelines for System Monitoring
  16. Guidelines for Software Development
  17. Guidelines for Database Systems
  18. Guidelines for Email
  19. Guidelines for Networking
  20. Guidelines for Cryptography
  21. Guidelines for Gateways
  22. Guidelines for Data Transfers

ACSC cyber security principles

  • Govern: Identifying and managing security risks.
  • Protect: Implementing controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events to identify cyber security incidents.
  • Respond: Responding to and recovering from cyber security incidents.

Govern Principles

  • G1: A Chief Information Security Officer provides leadership and oversight of cyber security.
  • G2: The identity and value of systems, applications and data is determined and documented.
  • G3: The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented.
  • G4: Security risk management processes are embedded into organisational risk management frameworks.
  • G5: Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life.

Protect Principles

  • P1: Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements.
  • P2: Systems and applications are delivered and supported by trusted suppliers.
  • P3: Systems and applications are configured to reduce their attack surface.
  • P4: Systems and applications are administered in a secure and accountable manner.
  • P5: Security vulnerabilities in systems and applications are identified and mitigated in a timely manner.
  • P6: Only trusted and supported operating systems, applications and computer code can execute on systems.
  • P7: Data is encrypted at rest and in transit between different systems.
  • P8: Data communicated between different systems is controlled and inspectable.
  • P9: Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis.
  • P10: Only trusted and vetted personnel are granted access to systems, applications and data repositories.
  • P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties.
  • P12: Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories.
  • P13: Personnel are provided with ongoing cyber security awareness training.
  • P14: Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel.

Detect Principles

  • D1: Event logs are collected and analysed in a timely manner to detect cyber security events.
  • D2: Cyber security events are analysed in a timely manner to identify cyber security incidents.

Respond Principles

  • R1: Cyber security incidents are reported both internally and externally to relevant bodies in a timely manner.
  • R2: Cyber security incidents are contained, eradicated and recovered from in a timely manner.
  • R3: Business continuity and disaster recovery plans are enacted when required.

Protective Security Policy Framework

Security governance

Policy 1: Role of accountable authority
Policy 2: Management structures and responsibilities
Policy 3: Security planning and risk management
Policy 4: Security maturity monitoring
Policy 5: Reporting on security
Policy 6: Security governance for contracted goods and service providers
Policy 7: Security governance for international sharing

Information Security

Policy 8: Sensitive and classified information
Policy 9: Access to information
Policy 10: Safeguarding data from cyber threats
Policy 11: Robust ICT systems

Personnel security

Policy 12: Eligibility and suitability of personnel
Policy 13: Ongoing assessment of personnel
Policy 14: Separating personnel

Physical security

Policy 15: Physical security for entity resources
Policy 16: Entity facilities