9 September 2021

Essential Eight vs NIST CSF: Cybersecurity In Focus


Cyber security has become essential for any organisation seeking to protect its valuable assets. With the growing number of cyber threats, implementing a comprehensive cyber security framework to safeguard against potential risks has become imperative. Two of the most popular frameworks today are the Essential Eight and the NIST Cybersecurity Framework.

In Australia, the Essential Eight offers a technical checklist approach that streamlines cybersecurity compliance. However, it’s highly prescriptive, very technical, and does not provide a framework for more integrated approaches to organisational cybersecurity.

Internationally, the US National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (CSF). While still technical in nature, the NIST CSF is less prescriptive. Instead, the framework prioritises risk mitigation using five flexible and cost-effective functions. These five functions align to the stages inherent in a cyberattack, giving IT managers a structure for defending the organisation. This broad, investigative approach encourages conversation by letting technical and executive personnel communicate effectively about cybersecurity’s impact on the organisation as a whole.

The Essential Eight in focus

The Essential Eight is a series of eight technical recommendations designed to work in tandem to mitigate the risks of potential data breaches. Developed and maintained by the Australian Cyber Security Centre (ACSC), the Essential Eight is the minimum baseline of cyber threat protection recommended by the Australian Signals Directorate. It forms the basis of a mandated cybersecurity framework for all 98 non-corporate Commonwealth entities.


All government entities that must comply with this cybersecurity framework undergo a comprehensive audit every five years. As supply chain attacks have become an increasingly popular way to bring about data breaches, organisations that work directly alongside or peripherally to government agencies may also find themselves needing to comply with the Essential Eight to maintain ongoing business arrangements.

How the Essential Eight works

The Essential Eight strategies help mitigate cybersecurity incidents by hardening systems against cyber-attacks, limiting the damage caused by potential attacks, and making it easier to recover from an attack should it otherwise impact an organisation.

The Essential Eight strategies themselves cover vital areas of concern for many organisations. These include:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

The strategies are implemented to a maturity level, each level defined by the increasing degree of cybercriminal tradecraft it is designed to mitigate.

Level 0 – indicates weaknesses in an organisation’s overall cybersecurity posture.

Level 1 – an organisation can likely hold its own against an opportunistic attack using basic tradecraft and tools.

Level 2 – the organisation is ready to handle attacks from a more committed attacker.

Level 3 – indicates the organisation can mitigate attacks from a dedicated threat actor using advanced tradecraft and techniques.

Essential Eight: pros

Clear actions – gives clear goals for organisations looking to mitigate the risk of data breaches.

Weighted response to risk – the range of maturity levels allows organisations to mitigate a level of tradecraft they are likely to face, aligning the Essential Eight to their risk management goals.

Quickly check compliance – with such clear outcomes, it’s easier for an organisation to show how well it complies with a given maturity level.

Mitigates technical entry points – the strategies in the Essential Eight focus on technical factors for mitigation.

Essential Eight: cons

Requires advanced technical knowledge – the content of the strategies can be challenging for non-technical staff to understand, implement, or appreciate.

Narrow focus – does not account for business activities and behavioural elements that might contribute towards these risks.

Can be intrusive – while some elements of the Essential Eight are relatively simple to accomplish, others can take significant resources and interrupt daily operations.

Who is the Essential Eight for?

Given that the Australian government has developed the Essential Eight, it’s little wonder that it is mandatory for other government agencies.

It’s also no surprise that businesses and organisations that work alongside these agencies – either directly or as part of the supply chain – will be interested in reaching a level of compliance that makes them attractive to these agencies.

However, it’s not just the government ecosystem that benefits from the Essential Eight. Organisations that want a simple checklist approach to cybersecurity – and have the in-house capacity to make it happen – can use the Essential Eight to identify gaps in their cybersecurity posture and make changes that suit their level of risk.

NIST CSF in focus

The National Institute of Standards and Technology (NIST) is a US government organisation responsible for solutions that ensure measurement traceability, quality assurance and documentation standards. NIST is also in charge of developing guidelines, criteria, and best practices in cybersecurity, published in the form of the Cybersecurity Framework (CSF).

The NIST CSF v1.1 provides a blueprint for security that is world-class, action-focused, and helps to cover gaps that organisations may find in other frameworks.

How the NIST CSF works

The framework covers five critical areas, called “cores”, that relate to cybersecurity:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

These cores are risk-based and guided by stakeholder perspectives. The cores can be adapted to suit many technologies and industry sectors without relying on prescriptive actions.

Implementation of the cores is measured using four tiers – partial, risk-informed, repeatable, and adaptive – each of which is assessed across three dimensions:

Risk Management Process – relates to the functionality and repeatability of cybersecurity risk management.

Integrated Risk Management Program – measures the extent to which cybersecurity is considered in risk management decisions.

External Participation – tracks the degree to which the organisation monitors and manages supply chain risk and shares information with outside parties.

The idea is to develop desired outcomes based on core factors that define the entire breadth of cybersecurity. The cores span prevention and recovery actions, translating these elements into actionable language that an organisation’s stakeholders understand.

NIST CSF encourages organisations to consider business requirements and material risks and use these measures to make reasonable and informed cybersecurity decisions. The framework then helps identify and address feasible and cost-effective improvements.

NIST CSF: pros

Flexible, adaptable framework – The CSF’s outcomes-driven approach makes it highly flexible across various industries and organisation sizes, with future-facing actions that let organisations update their strategies in response to changing demands.

Maps to other frameworks – The behavioural elements of the NIST CSF mean it can easily map to other cybersecurity controls, so organisations can meet their compliance requirements while strengthening their overall cybersecurity stance.

Widely recognised – NIST CSF represents the collective experience of thousands of information security professionals. It forms the basis of industry best practice by being the most comprehensive, in-depth set of controls of any framework.

Enables a long-term view of cybersecurity – The CSF helps remove the “one-off” audit compliance mindset, replacing it with a more adaptive and responsive posture.

Bridges the gap between technical and business-side stakeholders – The CSF’s risk-based approach makes it compatible with the priorities of organisational executives. This helps align the integrated risk management approach necessary for cybersecurity management with broader business goals, enabling better communication and decision-making through a shared security vocabulary.

NIST CSF: cons
Relies on understanding existing standards – The NIST CSF is non-prescriptive, meaning it does not deliver a detailed checklist to follow. Instead, organisations are encouraged to follow standards that meet their risk management needs. If an organisation is unfamiliar with the standards referenced in the framework, it may struggle to implement the required actions.

Technical communication is a must – The NIST CSF requires a thorough understanding of an organisation’s current cybersecurity risk profile to drive the organisation’s adoption and execution of a remediation plan. While this can encourage buy-in from key stakeholders, it also requires a level of technical communication that may be outside the capacity of some organisations.

Can the Essential Eight and NIST CSF work together?

The short answer is yes. The NIST CSF is a cybersecurity compliance framework that maps to various regulatory standards, whereas the Essential Eight is, essentially, a prescribed list of technical strategies that aim to mitigate threats.

The requirements laid out by the Essential Eight maturity levels map very well to the core components of the NIST CSF.

For some organisations, the Essential Eight can be the starting point for shoring up their cybersecurity stance. Higher maturity levels or broader considerations then become possible by applying these actions within the NIST framework and identifying critical areas of activity.

In this way, the NIST CSF forms a structured way to communicate the issues uncovered by the Essential Eight, while the Essential Eight covers critical areas listed by the CSF.

Which one is right for my organisation?

When mitigating the risk of data breaches, an organisation’s cybersecurity can benefit from professional attention.

The ultimate decision of which cybersecurity strategy to follow comes down to two key issues – risk management and resources. Organisations must determine which approach best lets them manage and mitigate risks and balance the potential costs with likely outcomes.

In-house IT staff can get the job done – there’s no doubt. But even these seasoned professionals may benefit from an external review.

When an organisation doesn’t have in-house IT, managed cybersecurity solutions can provide critical backup, which can mean the difference between a smooth-running IT environment and continual cybersecurity issues.

To find out which option works best for you, get in touch with First Focus today!