To NIST or not to NIST? Which Cybersecurity Framework is right for your organisation? - Equate Technologies


The prevalence of ransomware and other information security attacks has highlighted the need for improved IT security in many Australian organisations. And while most organisations understand the value of their information and technology at a strategic level, and are ready to prioritise IT security initiatives and investment, how do organisations know which framework to follow, what action to take and how to evaluate their effectiveness?

The cybersecurity frameworks

Cybersecurity frameworks, published by trusted authorities, have become a popular reference for organisations seeking to evaluate, prioritise and justify their IT security investment.  The Australian Cyber Security Centre’s “Essential Eight Maturity Model” and the US National Institute of Standards and Technology’s “Cybersecurity Framework” (NIST CSF) are the two frameworks most commonly identified by Australian organisations.

They are, however, quite different in purpose, scope, and detail.

What’s the difference?

We are commonly asked by our clients which framework is right for them. So here’s a quick summary.

The Essential Eight – 8 mitigation strategies (the basic standard)

The Essential Eight, created by the Australian Cyber Security Centre (ACSC), has gained popularity for its simple, direct, and pragmatic steps.  There are eight mitigation strategies, each assessed against four maturity levels (Maturity Level Zero, where the strategy is not yet adequately implemented, through Maturity Level Three):

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Regular backups

By focusing on just eight areas, organisations with limited cybersecurity resources and a need for pragmatic guidelines can easily prioritise their security effort and investment.

Please note, however, that the Essential Eight should only ever be considered the bare minimum for Australian organisations.  Once these areas are satisfactorily addressed, organisations should continue on to the broader set of “Strategies to Mitigate Cyber Security Incidents”, also published by the ACSC, from which the Essential Eight is drawn.

NIST Cybersecurity Framework (NIST CSF) – 5 key areas / 108 subcategories (the gold standard)

The NIST CSF (version 1.1, the edition described here) is an internationally recognised framework published by the US National Institute of Standards and Technology.  It is broad in scope and granular in detail.

Although NIST CSF can be considered the ‘gold standard’ for cybersecurity frameworks, its comprehensive nature and regimented tone can be daunting (even for cybersecurity professionals!).

The framework core consists of five key areas, which NIST calls Functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each Function is divided into cybersecurity categories (23 in total) such as “Identity Management, Authentication and Access Control” (PR.AC).  Categories are then further divided into subcategories that describe specific managerial, operational, or technical outcomes.  In version 1.1 there are 108 subcategories within the NIST CSF.

Choosing the right framework for your organisation

Both the Essential Eight and NIST CSF recommend that organisations take a risk management approach to identify their information systems and assess their criticality.  While this is beneficial for the Essential Eight, it is a prerequisite for NIST CSF, as many of its categories are targeted at a strategic level.  As a result, organisations whose cybersecurity operates at a tactical level and/or lacks Executive-level representation (e.g., a Chief Information Security Officer (CISO) or equivalent) may find it difficult to apply the NIST CSF.

NIST CSF is also highly structured in how it expects cybersecurity to be organised and evidenced.  On face value, the core categories and subcategories are an apt representation of industry best practice.  However, this structure carries assumptions about how responsibilities are divided, creating an artificial rigidity that may not reflect the messy and fluid realities of cybersecurity practice.  For example, resource constraints and traditional IT organisational boundaries often result in cybersecurity being a shared IT responsibility or the responsibility of a ‘hybrid team’, with no single owner for a given subcategory.

Another example is the growing trend of organisations augmenting or outsourcing their cybersecurity capability to a Managed Cybersecurity Operations Centre (CSOC).  In these situations, the cybersecurity functions of an organisation may not map precisely with a given NIST CSF subcategory, requiring a judgement call on how to interpret and evaluate it.

Our recommendation

The ACSC’s Essential Eight is a simple and practical guide which works for Australian organisations with limited cybersecurity resources or organisations emerging in their cybersecurity practice.

For organisations starting to apply the basics through the Essential Eight, we recommend also using the ACSC’s Strategies to Mitigate Cyber Security Incidents and the ACSC’s Information Security Manual (ISM) as supporting resources. The ISM provides a comparable level of detail to NIST CSF in a less regimented manner and may prove a better option for Australian organisations seeking greater flexibility.

For international organisations, the NIST CSF remains our recommended reference framework for cybersecurity because of its rigour.  Importantly, however, every organisation has differing needs and demands from a risk perspective, according to their size and complexity.

Finally, an informed resource can really help to drive discussions and decisions, so please get in touch to talk about your options; we really are here to protect your organisation and its assets.