The Essential Eight, ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) are often discussed together, but they are not the same kind of thing. Choosing well starts with understanding what each one is for.
Essential Eight - a prioritised technical baseline
The Essential Eight is an Australian (ASD/ACSC) baseline of eight specific, technical mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. Each is assessed against a maturity model from Maturity Level Zero (ML0) to Maturity Level Three (ML3), and the target level is chosen to match the adversary tradecraft an organisation expects to face. It is prescriptive and prioritised: do these eight things well, to a stated maturity level. It is an excellent starting point, especially for Australian SMEs.
ISO 27001 - a management-system standard
ISO/IEC 27001 is an international standard for an information security management system (ISMS). It does not mandate specific technical controls: Annex A lists reference controls, but which ones apply is decided through risk assessment and treatment and recorded in a Statement of Applicability. What the standard requires is a risk-based system for managing security over time - scope, leadership, risk treatment, internal audit and continual improvement - and that system can be independently certified by an accredited certification body, which many clients and contracts require.
NIST CSF - an outcomes-based framework
The NIST Cybersecurity Framework is a voluntary, outcomes-based framework organised around core functions. In CSF 2.0 these are Govern, Identify, Protect, Detect, Respond and Recover. It is flexible and widely used to describe and communicate a security program, and it maps to other standards rather than replacing them.
Side by side
| | Essential Eight | ISO 27001 | NIST CSF |
|---|---|---|---|
| Type | Technical baseline | Management-system standard | Outcomes framework |
| Origin | ASD/ACSC (Australia) | ISO/IEC (international) | NIST (United States) |
| Certifiable | No (maturity level assessed) | Yes (accredited certification body) | No |
| Best as | A prioritised starting point | A certifiable system | A common language |
How they fit together
They are complementary, not competing. Many organisations start with the Essential Eight for a fast, prioritised uplift, build an ISO 27001 ISMS when they need certification, and use NIST CSF as the language to describe the whole program. Cyber Compliance focuses on the Essential Eight, the Australian Privacy Principles and ISO 27001, with a shared risk register across them.
Frequently asked questions
Should I use the Essential Eight or ISO 27001?
They serve different needs. The Essential Eight is a fast, prioritised technical baseline; ISO 27001 is a certifiable management system. Many organisations start with the Essential Eight and build toward ISO 27001 when certification is required.
What are the NIST CSF 2.0 functions?
Govern, Identify, Protect, Detect, Respond and Recover. Govern was added in CSF 2.0 to emphasise governance across the other functions.