In a business landscape where digitisation is the norm, the threat of information technology-related security risks continues to rise. Various forms of IT security risk management frameworks have been created by reputable collectives to help individuals, organisations, and authorities manage these risks.

IT security risk can be defined as the unauthorised access, use, disclosure, disruption, modification, or destruction of information that has the potential to cause undesirable consequences. The origins of IT security risks can range anywhere from cyber threats to human error.

IT security risks can have serious consequences for businesses if left unchecked. For example, a data breach could result in sensitive information being leaked from an organisation’s databases, resulting in repeat cyber attacks, financial losses, loss of customer trust, and potentially legal penalties.

As the risk landscape continues to evolve, IT security risk management frameworks play a role in helping organisations of all types prepare for the potential risks they will have to face.

Overview of IT security risk management frameworks

These frameworks are designed to help organisations effectively assess, mitigate, and monitor risks. They provide guidelines and standards that organisations should follow when formulating and implementing their security strategies.

Some of the common frameworks for IT security risk management in Australia are the NIST Cybersecurity Framework, ISO 27001 and ISO 27002, GDPR, PSPF, COBIT, Essential Eight, CCM, ISO 38500, and ISO 31000.

Leading frameworks for IT security risk management

The following IT security risk management frameworks are commonly utilised by organisations in Australia to formulate security strategies.

NIST Cybersecurity Framework
Designed by the National Institute of Standards and Technology, this framework represents the public and private sectors working collaboratively to counteract cyber threats. NIST Cybersecurity Framework is essentially the gold standard for assessing maturity, identifying vulnerabilities, and meeting standards for cybersecurity.

NIST Cybersecurity Framework was introduced in 2014 and updated to CSF 1.1 in 2018. It is currently undergoing a new phase of development which will carry significant updates, dubbed CSF 2.0.

ISO 27001 and ISO 27002
Offered by the International Organisation for Standardisation, ISO 27001 and ISO 27002 are the definitive international standards for validating a cybersecurity programme. These are highly valuable certifications that showcase an organisation’s dedication to cybersecurity.

ISO 27001 is concerned with information security management systems while ISO 27002 is concerned with information security, cybersecurity, and privacy protection.

General Data Protection Regulation
Introduced in 2016, GDPR is aimed at strengthening the data protection procedures for EU citizens. However, it also applies to Australian businesses if they have an established presence in the EU or are engaged in commercial activities of any sort with EU citizens.

GDPR includes 99 articles concerned with an organisation’s compliance responsibilities, including consumers’ data access rights, data protection policies, and other regulations concerned with data protection. The Australian Privacy Act 1988 also contains similar privacy policies and security measures.

Protective Security Policy Framework
PSPF provides Australian government entities with a set of policies and guidelines to protect their people, information and assets, both at home and overseas. The framework was revised in 2018 to ensure the guidelines are up-to-date.

PSPF provides a security policy that can be effectively implemented across the following outcomes: security governance, information security, personnel security, and physical security.

Control Objectives for Information and Related Technologies (COBIT)
Described as “the globally accepted framework for optimising enterprise IT governance”, COBIT is aimed at helping organisations develop, implement, monitor, and improve IT enterprise governance.

While the aforementioned frameworks are primarily focused on cybersecurity, COBIT focuses more on ensuring IT processes align with the overall objectives of the organisation.

ASD Essential Eight
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight. While no mitigation strategies are guaranteed to protect against all cyber threats, organisations that implement at least the eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents will make it much harder for adversaries to compromise systems.

They also map to the Information Security Manual (ISM).

Cloud Controls Matrix
Developed by the Cloud Security Alliance (CSA), CCM is a cybersecurity framework for cloud computing. Its controls are mapped to prominent security regulations and standards such as ISO 27001, ISO 27002, and COBIT, making it particularly effective.

It consists of 197 control objectives structured in 17 domains, covering all key aspects of cloud technology.

ISO 31000
This is a framework that is concerned with risk management in general as opposed to IT security risks in particular. However, ISO 31000 is the global standard for risk management, providing security in terms of economic resilience, professional reputation and environmental and safety outcomes.

It is designed to be used by any organisation regardless of size or industry to create a robust risk management strategy to ensure business continuity.

SRMBOK
The Security Risk Management Body of Knowledge (SRMBOK) framework and security risk assessment methodology integrates a range of models, including the ISO 31000 Risk Management Standard, vulnerability analysis models, the HB167 Security Risk Management Handbook, ISO 28000 Supply Chain Security, the Supply-Chain Reference model (SCOR), Hazard Analysis and Critical Control Point (HACCP), Six Sigma, ISO 9001, PRINCE2, Balanced Scorecard, and the ISO 27000 Information Security series. Developed by industry and subject matter experts, it is designed to integrate security practice areas and methodologies in a single-source toolkit and reference guide for consultants, managers and practitioners.

Enhance security strategies with IT security risk management frameworks

In a business environment where IT security risks are highly volatile and unpredictable, the frameworks discussed here offer valuable guidance for organisations to formulate security strategies that will enhance their risk management capabilities.