Cyber Foundation

Having the appropriate foundations in place to manage information and cyber security well is a never-ending battle. To simplify the discipline of good information security management, it can be broken down into three key areas:

  • Cyber Governance – Why and What
  • Defence and Controls – How
  • Cyber Response – When it fails

Cyber Governance

The governance of information security is primarily responsible for making the case for it and defining what it actually is – the Why and What. Both focal points evolve constantly, and so must the way their value is represented.

Why do we need an information security framework:

  • The Cost of Chaos – Working regularly with Executive Leadership Teams and Boards, we know how to communicate the risks of not having a framework. Focussing on the potential consequences, we mediate between the technical jargon and the business-strategy implications of having a weak information security framework, or none at all.
  • Reactive to Proactive – Supported by our expertise in Risk and Resilience, we highlight the importance of integration into Risk Management, Compliance and Audit frameworks. A holistic view allows information security frameworks to operate more effectively, ensures accountability, and ensures that investment in security results in measurable efficiencies and cost savings.
  • No More Chasing Compliance – Through the implementation of an information security framework that aligns to best-practice international standards such as ISO 27001 or NIST CSF, chasing compliance becomes a chore of the past. Well-designed frameworks guided by best practice sell themselves and inherently meet the requirements of stakeholders, clients, leadership, regulators and more.
  • Cut Through the Noise – Through the integration of Risk Management, guided by ISO 31000, we help organisations understand risks across the entire information security ecosystem. This results in targeted spending, reduced costs, a clear strategy and roadmap, efficient resourcing and leveraging the benefits of technology as much as possible.

What kind of information security framework is needed:

Information security frameworks come in all shapes and sizes. Equally, there is no one way to do things, as every organisation operates differently. Despite these differences, some existing key frameworks lay the foundations for any organisation of any size:

  • ISO 27001 Information Security Management Systems – Originally published in 2005 and last revised in 2022, the ISO 27001 standard is the most recognised internationally. It covers all aspects of information security, including for entities that develop their own technology in-house. The common misconception about this standard is that it is huge and costly. This is far from the truth: the framework is adjustable and can be implemented in a phased approach.
  • NIST Cyber Security Framework (CSF) – The National Institute of Standards and Technology is known for setting the baseline of many standards, from the official measurement of a soda can to the true definition of a strong, nonsensical password. Naturally, NIST also brought us the Cyber Security Framework in 2014, last revised in 2024 (version 2.0). This framework may not be as recognised as ISO 27001; however, it provides a great alternative for organisations that are more outcome- and risk-focused. This allows for further tailoring, making it incredibly flexible for smaller organisations.
  • CIS, Topical Requirements, Essential Eight, APRA and More – The CIS Critical Security Controls, the Cyber Security Topical Requirements by the Institute of Internal Auditors and many other standards and guidelines (such as the Essential Eight and APRA Prudential Standard CPS 234) are incredibly valuable supplements to the above two frameworks. Alongside ISO 27001 and NIST CSF, there is a plethora of frameworks that can be compiled to suit specific organisational needs and business strategies.

Defence and Controls

Defending your organisation is not achieved by the information security framework itself, but through a control framework that sits within it and provides the clarity you need. A control framework will help you establish clear, measurable security standards and close common vulnerabilities.

  • Establishing Playbooks – Stipulated by information security frameworks and supported by supplementary control frameworks (such as CIS), having the right playbooks in place is essential to any cyber defence posture. We live in an age of “when” rather than “if”. Cyber incidents are inevitable, and playbook documentation can be the difference between recovering and becoming one of the 60% of businesses that do not recover from a major cyber incident. We specialise in comprehensive documentation that gives technical staff the support they need to delegate responsibilities when required.
  • Clear Control Mapping – A practice strongly encouraged by both ISO 27001 and NIST CSF, mapping the specific controls within an information security framework allows for stronger mitigation of the top threats to your organisation. Sadly, most entities get this wrong: mapping becomes more of a chore than a benefit, and this stems from poor integration across the entire framework. We have worked with some of Australia’s largest providers in the financial sector to build out information security control maps that improve testing, assurance and accountability. The outcome? Greater confidence in cyber resilience and improvements in the efficiency with which control owners deliver.
  • Security Beyond Borders – The modern working environment is typically hybrid. With this has come a shift in the approach to access management and in how devices integrate into complex environments. In comes Zero Trust. We assist organisations to draft comprehensive access management frameworks that allow for borderless security. Highly adaptable access across numerous platforms allows for information security assurance while maintaining privacy and confidentiality as needed.
  • Forget the Guesswork – Another major misconception about information security is that it is owned by Information Technology teams and that its performance is entirely their responsibility. This is merely the reflection of a poorly implemented information security framework. Through effective implementation, information security adopts Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs), giving leadership and committees insight into the performance of their investment in security. Information security is measurable, reportable and can easily be continually improved.

Cyber Response

With cyber incidents now an inevitability across every sector, knowing how to respond at a moment’s notice can have a drastic impact on the outcome of an incident. Responding relies on two key areas to ensure cyber resilience:

Incident Response:

  • Incident Response documentation is a necessity for any information security incident, not for use in the heat of the moment but for the purpose of exercising and preparation. We have worked with a vast array of industries to draft incident response plans that take the guesswork out of critical decision-making, acceptable communication and investigation processes.
  • Tabletop exercises, live-play outages and crisis simulations are a specialty that we proudly provide. There is no substitute for experiential learning and understanding the compatibility of key staff during a major disruption. We highlight the weaknesses, provide comprehensive recommendations and work with organisations to mature their incident response capability, preparing for a real-world incident.
  • Our incident response approach also considers areas that are often overlooked, such as forensic evidence collection procedures. When doomsday approaches, there is no time to decide what method will be used to prove the cause of an incident. This includes exploring cyber insurance coverage, supporting agencies, and secondary capabilities that are typically unknown.

Business Continuity:

  • No information security framework can operate effectively without an established business continuity management framework. Whether one is in place or not, we help organisations determine their key dependencies, the timeframes that need to be met, reporting and communication obligations and much more. Through our widely praised and highly detailed Business Impact Analysis process, we identify the systems required to deliver each and every business activity and what is needed to recover them within the acceptable timeframe.
  • As part of our incident response exercises, we explore the escalation and de-escalation between business continuity and information security teams. The collaborative nature of an information security framework typically depends on good communication. Crisis communication is heavily explored and we help organisations identify better ways to work as a collective team against threat actors.

Through Incident Response and Business Continuity, information security frameworks can be continually improved. As part of any tabletop, real-world incident, or business impact analysis, we identify areas for improvement and help organisations mature to match the rapidly evolving threat landscape.

Would you like to know more about our Cyber Resilience services and capabilities?