The Essential Eight and ISO 27001 are both IT-related policy frameworks for managing data and cyber security processes inside your company. Think of them as an IT best practice guide for your business.
The Essential Eight prioritises practical cyber security measures through a series of technical controls. These technical controls are designed to implement the various Essential Eight mitigation strategies from the Australian Cyber Security Centre (ACSC), and they emphasise action over documentation.
The ISO 27001, on the other hand, offers a holistic view of IT management, including cyber security. While it includes technical controls, it primarily focuses on establishing robust information security policies and procedures. This documentation-heavy approach often prioritises 'telling' over 'doing'.
Both frameworks are valuable and overlap in some parts. Here’s an overview of the two and their critical differences.
Essential Eight explained
The Essential Eight is a set of mitigation strategies created by the Australian Cyber Security Centre (ACSC) to protect Australian businesses from cyber threats today. It focuses on these critical areas:
- Application control: only allows approved apps to run on your company devices, computers, and network.
- Patch applications: keeping your apps updated with the latest security patches.
- Patch operating systems: keeping your operating systems up-to-date.
- Multi-factor authentication (MFA): using two or more verification factors, such as a code from a mobile app, to verify user identities.
- User application hardening: restricting unnecessary features in your apps.
- Restrict administrative privileges: limiting admin access to essential users.
- Restrict
macros in Microsoft Office documents: restrict or allow macros only
from trusted sources.
What is ISO 27001?
This international standard for managing information security is published by the International Organisation for Standardisation (ISO). It covers a series of security practices to keep your data safe. These are the key components:
- Risk assessment and treatment: finding and fixing security risks.
- Security policy: setting up a management-approved security policy.
- Organisation of information security: defining roles and responsibilities.
- Asset management: managing and protecting your information assets.
- Human resource security: making sure employees know their security responsibilities.
- Physical and environmental security: protecting physical assets.
- Communications and operations management: ensuring secure daily operations.
- Access control: limiting access based on business needs.
- Information systems development and maintenance: securing systems throughout their lifecycle.
- Incident management: handling security incidents effectively.
- Compliance:
meeting legal, regulatory, and contractual requirements.
Key differences:
Scope & focus
|
Essential 8: It centres on eight key strategies for mitigating cyber threats. It is a tactical guide designed for immediate, practical improvements in cyber security. |
ISO 27001: It provides a comprehensive framework for an Information Security Management System (ISMS), covering a wide range of security practices and controls. It is strategic and offers a structured approach to managing information security risks. |
Applicability
|
Essential Eight: It is mainly used in Australia, but its strategies are applicable globally. It is suitable for organisations seeking a straightforward, quick-start approach to cyber security. |
ISO 27001: Recognised and applicable worldwide. It is ideal for organisations seeking a formalised, long-term approach to information security management. |
Implementation & certification
|
Essential Eight: Implementation is typically quicker and less resource-intensive. There is no formal certification process, but organisations can self-assess or work with cyber security experts such as Netway Networks to assess their compliance with the strategies. |
ISO 27001: Requires significant planning and resources to implement. Organisations can pursue formal certification through accredited bodies, demonstrating their commitment to information security. |
Objective & approach
|
Essential Eight: Quick, practical enhancements to cyber security resilience. Prescriptive measures that can be implemented relatively quickly. |
ISO 27001: Long-term, systematic management of information security. Comprehensive risk management and continuous improvement cycle (Plan-Do-Check-Act). |
Management system
|
Essential Eight: Does not constitute a complete management system. Primarily, it is a set of actionable strategies without a formal structure. |
ISO 27001: Constitutes a full-fledged Information Security Management System (ISMS). Requires documentation, ongoing management, and regular reviews and audits. |
Deciding between Essential Eight and ISO 27001
Choosing between Essential Eight and ISO 27001 comes down to your business-specific needs, risk profile and resources. Consider the following factors:
- Are you going for a specific tender that requires you to be ISO 27001 compliant? Otherwise, the Essential Eight would be sufficient.
- What are your available resources? Implementing ISO 27001 often requires significant time, budget, and expertise, while the Essential Eight may be more resource-efficient.
- What are your security goals? If you aim for a holistic security management system and certification, ISO 27001 might be preferred. If your focus is on immediate cyber resilience, the Essential Eight could be more suitable.
- What is your business risk appetite? Understanding your organisation’s risk tolerance for potential security breaches will help you determine the level of security required.
Understanding each's strengths and focus areas can help you make a well-informed decision. Whether you opt for the Essential Eight or ISO 27001, the important thing is to take proactive steps to enhance your cyber security posture.
If you have any questions, please get in touch with our team for more information.