How the frameworks differ

Essential Eight vs ISO 27001 vs NIST CSF

Three of the most-cited cyber frameworks answer different questions. Here is what each one is, where it fits, and how they work together.

The Essential Eight, ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) are often discussed together, but they are not the same kind of thing. Choosing well starts with understanding what each one is for.

Essential Eight - a prioritised technical baseline

The Essential Eight is an Australian (ASD/ACSC) baseline of eight specific, technical mitigation strategies, measured on a maturity model from ML0 to ML3. It is prescriptive and prioritised: do these eight things well. It is an excellent starting point, especially for Australian SMEs.

ISO 27001 - a management-system standard

ISO/IEC 27001 is an international standard for an information security management system (ISMS). Rather than prescribing specific technical controls, it defines a risk-based system for managing security - and it can be independently certified by an accredited body, which many clients and contracts require.

NIST CSF - an outcomes-based framework

The NIST Cybersecurity Framework is a voluntary, outcomes-based framework organised around core functions. In CSF 2.0 these are Govern, Identify, Protect, Detect, Respond and Recover. It is flexible and widely used to describe and communicate a security program, and it maps to other standards rather than replacing them.

Side by side

                 Essential Eight                ISO 27001                     NIST CSF
Type             Technical baseline             Management-system standard    Outcomes framework
Origin           ASD/ACSC (Australia)           ISO/IEC (international)       NIST (United States)
Certifiable      No (maturity assessed)         Yes (accredited body)         No
Best as          A prioritised starting point   A certifiable system          A common language

How they fit together

They are complementary, not competing. Many organisations start with the Essential Eight for a fast, prioritised uplift, build an ISO 27001 ISMS when they need certification, and use NIST CSF as the language to describe the whole program. Cyber Compliance focuses on the Essential Eight, the Australian Privacy Principles and ISO 27001, with a shared risk register across them.

Note: Cyber Compliance is a self-assessment and reporting aid, not a certification, audit or legal advice. Outputs help you prepare and track gaps; confirm your position with a qualified auditor, certification body or legal adviser before relying on it.

Frequently asked questions

Should I use the Essential Eight or ISO 27001?

They serve different needs. The Essential Eight is a fast, prioritised technical baseline; ISO 27001 is a certifiable management system. Many organisations start with the Essential Eight and build toward ISO 27001 when certification is required.

What are the NIST CSF 2.0 functions?

Govern, Identify, Protect, Detect, Respond and Recover. Govern was added in CSF 2.0 to emphasise governance across the other functions.
