A practical guide to choosing the right frameworks and compliance standards for your business.
Navigating cybersecurity standards can be overwhelming. ISO 27001, Essential Eight, SOC 2, PCI DSS: the alphabet soup of frameworks leaves many businesses unsure where to start or what actually applies to them.
This guide cuts through the complexity. We'll help you understand which standards matter for your industry, what compliance actually requires, and how to build a security program that protects your business without unnecessary overhead.
The reality: Most SMBs don't need every framework. What you need depends on your industry, the data you handle, your customers' requirements, and your risk profile. Getting this right saves money and focuses your security investment where it matters.
Different industries have different regulatory requirements and risk profiles. Here's what typically applies.
Banks, lenders, insurance, investment firms. Heavy regulatory oversight with strict data protection requirements.
Medical practices, allied health, aged care, health tech. Patient data requires strong privacy controls.
Law firms, accountants, consultancies. Client confidentiality and professional obligations drive requirements.
Online stores, point-of-sale, retail chains. Payment processing triggers PCI DSS requirements.
Software companies, cloud services, tech startups. Enterprise customers often require compliance attestations.
Production, supply chain, industrial operations. IP protection and operational technology security.
Government agencies, councils, public services. Mandated frameworks with specific requirements.
Schools, universities, training providers. Student data protection and research IP security.
Each framework has a different focus and level of rigour. Here's what you need to know about the major standards.
What it is: The international gold standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive information.
Who needs it:
What's involved: Certification requires an ISMS with documented policies, a risk assessment and risk treatment process, and controls selected from Annex A (14 domains in the 2013 edition; the 2022 edition regroups 93 controls into four themes). Certification runs on a three-year cycle: a two-stage initial audit, annual surveillance audits, then recertification. Expect 6-12 months for initial certification.
Cost indication: $15,000-$50,000+ for certification depending on organisation size, plus ongoing audit costs.
What it is: The Essential Eight is a set of eight prioritised mitigation strategies developed by the Australian Cyber Security Centre (ACSC). They are practical, technical controls that address the majority of common cyber incidents.
Who needs it:
What's involved: Four maturity levels (0-3), each defining how thoroughly the eight strategies are implemented. Maturity Level 2 is the sensible target for most organisations; Level 3 is aimed at those facing more capable adversaries. Self-assessment is possible, or you can engage a third-party assessor.
Cost indication: Implementation costs vary widely. Many controls use existing Microsoft 365 tools. Assessment: $5,000-$15,000.
What it is: SOC 2 is an attestation framework for service organisations that store or process customer data, most commonly SaaS and cloud providers. Developed by the AICPA, it evaluates controls against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the Common Criteria) is always in scope; the other four are included only if you elect them.
Who needs it:
What's involved: Type I (controls suitably designed at a point in time) or Type II (controls operating effectively over a period, typically 6-12 months). The audit must be performed by a licensed CPA firm, and the report is renewed annually.
Cost indication: $30,000-$100,000+ for audit depending on scope and organisation complexity.
What it is: PCI DSS is the security standard for organisations that store, process, or transmit payment card data. It is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, etc.).
Who needs it:
What's involved: Your merchant level depends on annual transaction volume and is set by each card brand. Most SMBs can self-assess using a Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how card data flows through your environment (SAQ A for fully outsourced e-commerce, for example). Level 1 merchants need an on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance.
Cost indication: Using a payment processor that handles card data for you via hosted or tokenised payment fields (like Stripe) significantly reduces scope, because card numbers never touch your systems. Full PCI compliance: $5,000-$200,000+ depending on level.
What it is: The Privacy Act 2020 is New Zealand's privacy legislation governing how organisations collect, use, store, and disclose personal information.
Who needs it:
What's involved: 13 Information Privacy Principles. Mandatory notification of privacy breaches that have caused, or are likely to cause, serious harm, to both the Privacy Commissioner and affected individuals as soon as practicable. Every agency must have at least one privacy officer (section 201 of the Act).
Cost indication: Compliance is a baseline legal requirement. The cost is implementing appropriate policies and controls, which is often integrated with a broader security program.
What it is: The GDPR is the European Union's regulation on data protection and privacy. It is known for strict requirements and significant penalties, and it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
Who needs it:
What's involved: A lawful basis for each processing activity, data subject rights (access, erasure, portability), a Data Protection Officer in some cases, data processing agreements with vendors, and notification of breaches to the supervisory authority within 72 hours of becoming aware of them.
Cost indication: Varies significantly. May require legal counsel for gap analysis. Implementation: $10,000-$100,000+ depending on data handling complexity.
What it is: The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology. It provides a common language for managing cybersecurity risk.
Who needs it:
What's involved: Six core functions in CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover (Govern was added to the original five in 2024). Organisations self-assess against four Implementation Tiers, from Partial to Adaptive, which NIST describes as characterising risk governance rather than a maturity score. There is no formal certification.
Cost indication: Free to use. Implementation costs depend on current maturity and desired state.
Ask yourself these questions to determine which standards apply to your organisation.
Don't overcomplicate it. Start with the Privacy Act (mandatory for everyone), add Essential Eight for practical security controls, then layer on industry-specific requirements. Most SMBs don't need ISO 27001 or SOC 2 unless customers specifically require it.
A pragmatic approach that delivers real security without unnecessary overhead.
The Essential Eight gives you the most security bang for your buck. These eight controls address the most common attack vectors and are practical to implement. Target Maturity Level 2 as your baseline: it covers the fundamentals without requiring enterprise-grade tooling.
This isn't optional; it's the law. But many organisations haven't properly documented their privacy practices. Get your privacy policy right, understand what data you hold, and have a breach response plan ready.
Insurers increasingly require specific controls. MFA, endpoint protection, backup verification, and email security are typically baseline requirements. Check your policy and make sure you can actually claim if something goes wrong.
Only pursue ISO 27001 or SOC 2 when customer requirements justify the investment. The time and cost are significant, and certification for its own sake doesn't make you more secure; it proves to a third party that you have implemented and operate the controls.
We help organisations cut through the complexity. Our security assessment identifies what you actually need based on your industry, customers, and risk profile, not a one-size-fits-all checklist.
Deep dive into the eight strategies and how to implement them in your organisation.
What insurers require and how to ensure you can actually claim when you need to.
Essential security settings for Microsoft 365 that many organisations miss.