Australians most often ask which framework a customer will accept, whether certification is really required, and how to avoid paying twice for overlapping work. A high-demand question missing from the fixed 10 is whether the proposed scope actually covers the legal entity, product, systems, locations and customer information that the relying party cares about.
Which cyber security framework should my business choose?
There is no universal winner: start with the outcome you need, who will rely on it, the systems in scope, your risk profile and the level of independent assurance required. The Essential Eight is a focused Australian technical maturity model; SMB1001 is a commercial, staged certification pathway designed for SMBs; and ISO/IEC 27001 is a broad, international information security management-system standard. NIST CSF can provide flexible risk-management structure where certification is not the immediate goal, while SOC 2 is mainly relevant where customers want an assurance report about a service organisation's controls. The right answer may be one framework, a staged pathway, or a combination with one governing the program and another supplying detailed technical controls.
- Australian SME seeking a practical baseline — Essential Eight Maturity Level One, an appropriate SMB1001 tier or NIST CSF may provide an accessible starting structure, depending on whether formal certification is needed.
- enterprise or international supplier — ISO/IEC 27001 or SOC 2 may be requested because customers want independently issued assurance that is recognised across markets.
- Commonwealth government entity or supplier — PSPF, ISM, Essential Eight, IRAP and contractual requirements should be checked before selecting a voluntary commercial framework.
- internal improvement without certification — Essential Eight, NIST CSF or ISO 27001 principles can be implemented without immediately purchasing a certification engagement.
What specific business outcome do we need, who will rely on the result, what exact scope must it cover, what assurance will they accept, and which framework meets that requirement with the least unnecessary duplication?
Who's actually asking, and does that decide it for me?
The requesting party often decides at least part of the answer. A Commonwealth policy or government contract may specify the Essential Eight, ISM or another government assurance process; an Australian enterprise may request ISO 27001; an SMB supply-chain program may nominate an SMB1001 tier; and a United States customer may ask for SOC 2. Ask for the exact framework, version, target level, scope, assessor requirements and deadline rather than accepting a vague request to be 'compliant'. You can still adopt a broader internal framework, but substituting one certificate or assessment for another requires the relying party's written agreement.
- non-corporate Commonwealth entity — The PSPF requires Essential Eight Maturity Level Two, while additional ISM controls may also apply.
- government or enterprise supplier — The tender or contract may specify the framework, assurance provider, scope and completion deadline.
- SaaS or outsourced service provider — Customers may request ISO 27001 or SOC 2 because they need independent assurance about the service and information they rely on.
- insurer or broker questionnaire — The insurer may ask about individual controls rather than recognising a framework or certificate as automatic evidence of insurability.
Who is asking, what exact framework and version have they named, what level and scope must be demonstrated, who may assess it, what evidence will they accept, and will they confirm any proposed alternative in writing?
How do the main options compare at a glance?
The Essential Eight is the narrowest and most technically prescriptive of the three main Australian options: eight mitigation strategies assessed at maturity levels zero to three. SMB1001 is a commercial, cumulative five-level certification pathway intended to make cyber assurance more accessible to SMBs. ISO/IEC 27001 is a broad, risk-based management system covering governance, people, processes, suppliers, physical environments and technology, with optional accredited certification. NIST CSF 2.0 is a flexible risk-management framework organised around Govern, Identify, Protect, Detect, Respond and Recover, while SOC 2 is an accountant-issued assurance report about controls at a service organisation rather than a certification framework in the same form.
- Essential Eight — Eight Australian technical mitigation strategies, maturity levels zero to three, no inherent certification requirement and incomplete as a whole-of-business security program.
- SMB1001 — Five cumulative commercial certification levels from Bronze to Diamond, designed for proportionate SMB assurance.
- ISO/IEC 27001 — International risk-based ISMS requirements, 93 Annex A reference controls and optional certification by an independent certification body.
- NIST CSF 2.0 — Flexible risk-management structure with no inherent certification scheme and an official quick-start guide for SMBs.
- SOC 2 — A CPA assurance-report pathway for service-organisation controls relevant to security, availability, processing integrity, confidentiality or privacy.
Do we need a technical baseline, a staged SMB certificate, a whole-of-business management system, a flexible risk structure, or a service-auditor assurance report—and which output will the relying party actually recognise?
Which fits a small business vs a mid-market vs an enterprise?
Size is a useful starting signal, not the final decision. ASD says Essential Eight Maturity Level One may generally suit SMEs, Level Two may suit large enterprises and Level Three may suit critical infrastructure or high-threat organisations, but contracts and actual risk can override those generalisations. SMB1001 was designed specifically for SMBs and offers staged tiers, while ISO 27001 can scale from a small company to a multinational if the scope and management system remain proportionate. NIST CSF is also usable by small businesses without certification, and enterprises may use it as an overarching risk structure alongside ISO, Essential Eight or sector controls. A ten-person supplier with privileged access to a major customer's environment may need stronger assurance than a much larger low-risk business.
- microbusiness or early-stage SMB — A focused baseline such as Essential Eight Maturity Level One, SMB1001 Bronze or Silver, or the NIST SMB quick-start approach may be proportionate unless a customer requires more.
- established SMB or lower mid-market — SMB1001 Gold, Essential Eight uplift or a scoped ISO 27001 ISMS may be considered according to customer assurance and risk.
- mid-market or enterprise supplier — ISO 27001 is often more suitable where formal governance, international recognition and accredited certification are required.
- critical infrastructure or high-threat organisation — Higher Essential Eight maturity and sector-specific obligations may be required in addition to a broader governance framework.
- US-facing SaaS provider — SOC 2 may be commercially important even if ISO 27001 or another framework already governs the internal security program.
Ignoring headcount for a moment, what information and access do we hold, what harm could our failure cause, which customers rely on us, and what level of assurance do those risks and relationships justify?
Certification vs self-assessment — which do I actually need?
Use self-assessment when the goal is internal improvement and no relying party requires independent assurance, but make sure the evidence is honest and reviewable. The Essential Eight has no universal certification requirement, although a customer, regulator or government policy may require independent assessment. SMB1001 assurance varies by tier: CyberCert currently describes Gold as a light-touch self-assessment and Platinum and Diamond as independently verified. ISO 27001 can be implemented without certification, but an accredited certificate provides third-party assurance that customers can verify. SOC 2 is an independent CPA assurance report, so it should not be described as self-certification or as an ISO-style certificate.
- internal Essential Eight assessment — Suitable for identifying and managing gaps unless a directive, regulator or contract requires an independent assessor.
- SMB1001 Gold — Current CyberCert material describes it as a light-touch self-assessment, so the relying party should confirm that this assurance level is acceptable.
- SMB1001 Platinum or Diamond — CyberCert describes these tiers as independently verified and charges a separate required audit fee.
- ISO 27001 accredited certification — Use where a customer wants independent, internationally recognisable certification and verify the certification body through JAS-ANZ or another recognised accreditation system.
- SOC 2 report — Use where service customers require a CPA assurance report about control design or operation rather than a management-system certificate.
Is this exercise for our own improvement, or must another party rely on it—and if another party is relying on it, what independence, assessor qualification, report type and public verification do they require?
Can I do more than one, and do they share evidence?
Yes. Many organisations use one framework for governance, another for technical implementation and a separate certificate or report for customer assurance. Asset inventories, risk registers, access reviews, patch records, MFA configurations, training records, incident exercises, supplier reviews and backup tests can often support several frameworks. However, evidence is reusable only where the requirement, scope, time period and assurance method genuinely align. A crosswalk reduces repeated work but does not turn an ISO 27001 certificate into an Essential Eight maturity result, an SMB1001 certificate or a SOC 2 report.
- ISO 27001 plus Essential Eight — ISO can govern the broader ISMS while the Essential Eight supplies detailed Australian technical requirements and maturity targets.
- SMB1001 plus Essential Eight — Technical evidence may overlap, but the certification tier and Essential Eight maturity result remain separate claims.
- ISO 27001 plus SOC 2 — Common controls and evidence can be shared, but the outputs differ: an ISO management-system certificate versus a CPA assurance report.
- NIST CSF plus control framework — NIST CSF can organise risk outcomes while Essential Eight, ISO Annex A, ISM or another control set supplies implementation detail.
Which framework will govern our program, which external outputs must we produce, and can we build one evidence register that maps each control to every applicable requirement without claiming false equivalence?
What will each cost and how long will each take?
No authority publishes one universal implementation price because the main cost is closing gaps, changing operations and maintaining evidence, not naming a framework. As a public enterprise-market example, Telstra lists an Essential Eight assessment at A$20,000 excluding GST, but that is an assessment and roadmap rather than full remediation. CyberCert currently lists SMB1001 subscriptions from US$95 for Bronze to US$995 for Diamond, with separate required audit fees of US$3,000 for Platinum and US$5,000 for Diamond; CyberCert says prepared Bronze and Silver applicants may complete certification in days, while gaps can extend this to weeks. One Australian ISO consultancy estimates A$15,000–A$30,000 and three to six months for organisations with 1–50 staff, rising with size and complexity, but those figures are commercial estimates rather than official tariffs. NIST CSF and the Essential Eight publications are free to access, but implementation, tools, staff time, assessment and ongoing operation still carry costs.
- Essential Eight — Official guidance is free; public assessment pricing includes a Telstra enterprise example of A$20,000 excluding GST, with remediation and recurring operation additional.
- SMB1001 — Current CyberCert subscription prices range from US$95 to US$995 before tax, with separate audit fees at the verified higher tiers and implementation charged separately.
- ISO/IEC 27001 — Australian commercial estimates commonly begin in the tens of thousands of dollars and several months, with annual surveillance and three-year recertification creating recurring costs.
- NIST CSF — The framework and SMB guide are free; there is no inherent certification fee, but implementation and assurance costs depend on the selected controls and business environment.
- SOC 2 — Costs depend on scope, readiness, observation period, tooling and the CPA firm; no authoritative universal Australian price was identified.
What is the full three-year cost of assessment, subscriptions, licences, remediation, internal labour, evidence, training, independent assurance, surveillance and renewal—not merely the advertised certificate or platform fee?
What are the traps in picking the wrong one?
The biggest trap is choosing the framework with the strongest marketing rather than the output the business or customer needs. Other failures include treating the Essential Eight as a complete security program, assuming every SMB1001 level has the same independent assurance, accepting a non-accredited ISO certificate without checking the customer requirement, or calling SOC 2 a certification. A narrowly scoped certificate can also be useless if it excludes the product, entity, location or supplier the customer relies on. Starting with the highest maturity level can waste money and create operational resistance, while choosing only the cheapest option can leave legal, governance, supplier and incident risks unmanaged.
- wrong assurance output — A self-assessment, certificate and CPA assurance report are not interchangeable merely because each uses security terminology.
- technical baseline treated as complete program — Essential Eight implementation should be supplemented with governance, risk, people, supplier, detection, response and recovery controls where needed.
- unverified certificate — Check the issuing body, accreditation, certificate status, standard version, legal entity and exact scope.
- startup or resource-constrained business — Pursuing several assurance programs simultaneously without mapping shared work can consume runway and distract from actual risk reduction.
- government-facing supplier — A commercial certificate may support assurance but may not replace PSPF, ISM, Essential Eight, IRAP or tender-specific requirements.
What would make this framework choice fail—wrong scope, wrong version, insufficient independence, customer rejection, unaffordable recurring cost, operational disruption or gaps outside the framework—and how will we test those assumptions before committing?
What's a sensible starting point / sequence?
First identify any non-negotiable legal, tender, customer, insurer or sector requirement, because that establishes the required destination. Next define scope, inventory important information and systems, assess current controls and choose a target proportionate to the business's risk. Build foundational controls and evidence once, then map them to every required framework instead of running disconnected projects. ASD recommends progressing through Essential Eight maturity levels rather than jumping directly to a higher target, and the same practical principle applies more broadly: stabilise the basics, prove they work, then add governance or assurance depth. Seek certification or external assessment only after the controls have operated long enough to produce credible evidence.
- small business with no external mandate — Start with scope, asset and account visibility, foundational controls and a lightweight risk structure before buying certification.
- business facing a customer deadline — Confirm the accepted output immediately, perform a gap assessment and sequence remediation around the contract deadline.
- Essential Eight pathway — Progressively implement and assess each maturity level, keeping all eight strategies at a balanced level before advancing.
- ISO 27001 destination — Define scope and governance early, then operate the ISMS, complete internal audit and management review, and proceed through Stage 1 and Stage 2 certification.
- multiple future requirements — Use a single control and evidence register with cross-framework mappings so later certifications reuse validated work.
What is mandatory now, what is our honest current state, what minimum controls reduce the most risk, what evidence can we collect once, and what staged roadmap gets us to the required assurance without attempting everything at once?
What's my next step?
Common misconceptions
- There is one cyber security framework that is objectively best for every Australian business. INFERRED
- Every Australian private business is legally required to implement Essential Eight Maturity Level Two. INFERRED
- The Essential Eight is a complete information security management system that removes the need for additional governance, supplier, people, detection and response controls. VERIFIED
- Every SMB1001 level receives the same level of independent verification. VERIFIED
- ISO itself audits organisations and issues ISO 27001 certificates. VERIFIED
- A non-accredited ISO certificate must be accepted wherever a customer asks for accredited ISO 27001 certification. INFERRED
- SOC 2 is an organisational certification issued in the same way as ISO 27001. VERIFIED
- A cross-framework mapping automatically proves compliance or certification under every mapped framework. INFERRED
- The highest maturity level or most expensive certificate is always the best place to start. INFERRED
- A certificate guarantees that the organisation cannot suffer a cyber incident or data breach. VERIFIED
- A certificate held by one group company automatically covers every related legal entity, product, service, location and supplier. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| PSPF Essential Eight Maturity Level Two requirement | Department of Home Affairs / Australian Signals Directorate | A non-corporate Commonwealth entity is subject to the Protective Security Policy Framework. | Ongoing implementation of all eight strategies at Maturity Level Two; the four additional core strategies identified in the policy amendment applied from 2022-07-01. | |
| Tender, customer or supply-chain framework requirement | Customer, procuring entity or contracting party | A tender, supplier-security clause, procurement process or contract requires a named framework, maturity level, certificate or assurance report. | By the deadline stated in the tender or contract and maintained for the required contract or renewal period. | Potential consequences can include failed onboarding, tender ineligibility, remediation demands, breach remedies or loss of the contract; the consequences depend on the agreement. |
| Accredited ISO 27001 certification cycle | Accredited certification body under JAS-ANZ or another recognised accreditation body | An organisation chooses or is contractually required to obtain and maintain accredited ISO/IEC 27001 certification. | Stage 1 audit, Stage 2 certification audit, annual surveillance audits and recertification every three years. | The certificate may be suspended, reduced in scope, withdrawn or expire if the organisation or certification conditions are not maintained. |
| SMB1001 supplier-tier requirement | Customer or supply-chain program owner using SMB1001 | A customer contract or supplier-assurance program nominates an SMB1001 certification tier based on supplier risk. | By the customer's onboarding or contract deadline and before certificate expiry; CyberCert says it begins alerting SMBs 90 days before expiry. | Potential consequences depend on the contract and may include failed supplier approval, remediation or removal from an approved supply chain. |
Sources
- Essential Eight maturity model primary
- Essential Eight maturity model FAQ primary
- Essential Eight assessment process guide primary
- Essential Eight maturity model and ISM mapping primary
- Policy amendment — Information security primary
- SMB1001 cybersecurity certification primary
- Supplier Categorization Matrix primary
- Detailed Standards Mappings primary
- CyberCert SMB1001 certification and pricing primary
- About the Supplier Cyber Assurance Program primary
- ISO/IEC 27001:2022 — Information security management systems primary
- ISO Certification primary
- JAS-ANZ accreditation primary
- JAS-ANZ Accredited Bodies Register primary
- JAS-ANZ Certified Organisations Register primary
- ISO 27001 Information Security Management Systems primary
- NIST Cybersecurity Framework primary
- NIST Cybersecurity Framework 2.0 Small Business Quick-Start Guide primary
- System and Organization Controls: SOC Suite of Services primary
- Essential Eight Assessment forum
- How Much Does ISO 27001 Certification Cost in Australia? forum
- Essential 8 Security Standards forum
- Mandatory ACSC Essential Eight forum
- ACSC Essential Eight forum
- Can MSPs offer any value for Small Businesses? forum
- Compliance Without Evidence Is Fiction forum
- GRC Tool for mapping compliance levels forum
- ISO 27001 Certification Costs for Australian Businesses forum
- Australia's Compliance Costs Killing Startup Innovation forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.