I am looking for alternatives, that are less strict and less time consuming, than ISO 27001. Australia is in the Commonwealth, so maybe Cyber Essentials Plus could work, but I do not know if that plays a part in it being recognized by the Australian Government. Any suggestions? Thanks!
- What's your goal? ISO 27001 and CE are very, very different things with very, very different purposes. – schroeder ♦ Commented Apr 16, 2021 at 23:13
- Australian government tend to like IRAP, from my (very, very) limited experience with them. – jmcph4 Commented Apr 17, 2021 at 2:35
- It's for a data insight, management and analysis company. Sorry, it was a broad question, thanks! – Maria Celeste Galera Laferrere Commented Apr 17, 2021 at 3:43
- Usually the demand to comply with some standards is driven by requirements from customers. Requirements may vary depending on the type of service and products offered and on the type of customers and their sector, i.e. industry, government, enterprise ... Thus, check out what your customers want from you. If you don't have any customers, check out what your competitors offer. It doesn't make much sense to invest resources into complying with some less strict replacement standard when none of your customers will ever ask for it. – Steffen Ullrich Commented Apr 17, 2021 at 6:52
- Can you please edit your post to give some more information about your plans and constraints? Is it a web system? Specialised hardware? Connected to the internet? Software as a service? Government service provision? Outsourcing? What do you need to secure? Identity, communication, data at rest, access control? Personally identifiable information? etc. etc. – brynk Commented Apr 19, 2021 at 8:03
1 Answer
Agree, it's kind of a broad question. If you're looking for general principles, I wouldn't be looking past the ISM - https://www.cyber.gov.au/acsc/view-all-content/ism
If you're looking for specific hardened templates for servers as part of your framework / standards, then maybe CIS is worth a look. CIS can be quite light touch depending on which level you choose to aspire towards - in theory. I've found that there's no one-size solution - there are parts of CIS, for example, that they'd mark as level 3 - the highest level of maturity - but which for our business are no-brainers. In other areas, we struggle to achieve level 1.
Documenting which standards you want to achieve, and those standards you're excepting yourself from - that can be a pain. I've used SAM for compliance, which seems to make it as easy as anything else I've come across. https://www.samcompliance.co/
Not affiliated in any way, etc...
Good luck!