The very real concerns about cyber security risk for Australian businesses have yet again translated into policy reform, this time from the New South Wales (NSW) Government. The NSW Cyber Security Policy (CSP) requires NSW government agencies to report their maturity against the Essential Eight (ASD8), the set of mitigation strategies published by the Australian Signals Directorate.
Service providers to NSW agencies feel this change directly, and many suddenly have a lot of catching up to do if they want to keep winning and keeping that work. The impact of this policy shift is twofold: there are the immediate implications for day-to-day operations, and there is the likelihood of further policy evolution down the line. After all, compliance frameworks keep changing, and so does the craftiness of cyber criminals.
In this blog, we share our take on the impact of these latest policy reforms and give you a peek behind the curtain of our own journey towards security and compliance through ISO 27001 certification, a globally recognised, risk-based standard for information security management.
Let’s begin with a quick word on The Essential Eight.
Developed by the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) and recommended by the federal government, the Essential Eight lays out eight cyber security mitigation strategies together with a maturity model for assessing how well your organisation has implemented them. Introduced in 2017 as an expansion of the earlier “Top 4” strategies, with the maturity model substantially revised since (most notably in 2021), these strategies serve as a baseline that makes it significantly harder for adversaries to compromise systems and networks. The key word here is baseline. While regulation is absolutely critical, it also has the potential to become a box-ticking exercise. When you achieve compliance, everything may appear to be okay, but limiting your efforts to the baseline means that threats the eight strategies were never designed to address (for example, weaknesses in your own processes, suppliers or people) can go unexamined.
This is why we believe that activities should not be limited to the ASD8 framework alone but should incorporate a more comprehensive and nuanced approach to cyber security: one that implements the ASD8 strategies, but also prioritises proactive security measures from the outset. This way service providers can not only meet their compliance obligations but also strengthen their overall security posture. Ultimately, this approach saves both time and money by avoiding the constant catch-up game of chasing each new compliance requirement, with the added benefit of genuinely stronger security. And it’s a path we at Matrix CNI are walking right now.
Going beyond ASD8 with ISO 27001
Enter ISO 27001 certification. It’s an internationally recognised standard for implementing an enterprise-wide Information Security Management System (ISMS), and is structured to deliver the foundation needed to maintain the confidentiality, integrity and availability of information assets. Certification means an independent auditor has verified that the ISMS exists, is operated and is continually improved, which signals a strong commitment to the security of your data. Importantly, ISO 27001 and the Essential Eight do different jobs: the Essential Eight is a set of specific technical mitigations (patching, application control, multi-factor authentication and so on), whereas ISO 27001 is a management system that covers governance, risk assessment and treatment, supplier and people controls, and ongoing review. An ISMS certified to ISO 27001 therefore goes beyond compliance with local regulation, and the Essential Eight controls fit naturally inside it as part of the risk treatment.
Matrix CNI’s journey to ISO 27001 certification so far
Our ongoing efforts to deliver proactive cybersecurity measures and meet the highest standards of security and compliance saw the Matrix CNI team embark on a journey to obtain ISO 27001 certification in mid-2022. It’s widely recognised across our industry as the gold standard with a growing number of tenders, both government and non-government, explicitly seeking ISO 27001 compliance. But it also really gelled with our organisation-wide commitment to process improvement, workflows and being good cyber citizens. Yes, we already have robust quality management systems in place, but when it comes to cybersecurity and the intricacies of IT, it’s critical to continuously evolve and stay ahead of the curve, as the cyber threats we face are dynamic and becoming more complex by the day.
The process itself is rigorous and resource-intensive but we are now around three months away from certification, so we would like to share a little about the process so far, what we have learned, and how this can assist your organisation’s security journey.
We began by conducting a comprehensive gap analysis to identify areas needing improvement, then developed and implemented risk mitigation strategies to close the gaps. During this phase, one notable gap was the ‘human firewall’. We know that preventing cyber-attacks is not just about the right tech: the first and last line of defence is always people. So we implemented a structured framework to grow cyber awareness among both our staff and customers.
More generally, we found that implementing a strong framework based on global standards and best practices is allowing us to stay ahead of the natural growth in the ICT space, and ensure we are ready to meet the evolving needs of our business and customers.
It’s also worth noting that an ISO 27001 certificate covers only the scope the organisation defines for its ISMS. Ours is primarily focused on our own company’s infrastructure and staff, and does not directly cover the networks we manage or deploy for our customers. (If you rely on a supplier’s certification, check the scope statement on the certificate rather than assuming it covers the service you buy.) Despite this, we will be applying our learnings in this area to improve our service offerings for customers.
Before starting our journey, we had certain expectations. We anticipated that obtaining the certification would serve as that "tick in the box" to demonstrate our commitment to security and make us more competitive. While that has been the case, we have also found that implementing ISO 27001 best practices and policies has allowed us to really sharpen our processes and strengthen our systems against threats.
Embracing security best-practice is not just about compliance but also about becoming responsible cyber citizens. As a prominent player in the ICT industry, we recognise the importance of taking proactive measures in a business world teeming with cybersecurity challenges. While investing in certification comes with its fair share of costs, the benefits far outweigh the investments in time and money. When certification is complete, we will have set an example for our customers, and demonstrated just how important it is to go beyond baseline compliance and take continual steps to better protect sensitive information and systems.
Prioritising your own cyber preparedness
While it remains to be seen how legislation will unfold, there is a collective recognition of the necessity to address cyber security at a broader scale. Essential Eight reporting is currently mandated only for public-sector bodies (NSW government departments and agencies under the CSP, and Commonwealth entities under the federal Protective Security Policy Framework), but we see governments all over the world starting to use legislation to enforce cyber security controls across all sectors. At Matrix CNI we now know that, together, ASD8 and ISO 27001 present an opportunity to achieve compliance and pursue world-class security at the same time, and ultimately that allows us to help guide our customers as they consider the cyber security risks to their networks, people and data.