
ISO 27001 vs Essential Eight: which does your organisation need?

Australian organisations are increasingly being asked to demonstrate cybersecurity maturity by their boards, insurers, regulators, and enterprise clients. Two frameworks dominate the conversation: ISO 27001 and the Essential Eight. Most comparison articles explain the differences and conclude that "both are complementary." That is true, but it does not help you decide which to pursue first when your budget and resources are limited.

This guide provides a practical decision framework. It explains what each framework actually does, where they overlap, and how to sequence your investment based on who is asking for compliance and what your organisation actually needs.

01 / Different problems

They solve different problems.

The most common mistake organisations make is treating ISO 27001 and Essential Eight as competing options. They are not. They address fundamentally different aspects of cybersecurity.

Essential Eight is a prescriptive technical control set developed by the Australian Signals Directorate (ASD). It tells you exactly what to implement: patch critical vulnerabilities within 48 hours of a fix being released, enforce multi-factor authentication, restrict administrative privileges, control which applications can execute, and four more equally specific strategies. It is designed to stop the most common cyberattack techniques. Think of it as what to build.

ISO 27001 is an international management system standard. It does not prescribe specific technical controls. Instead, it requires you to establish a systematic process for identifying information security risks, selecting appropriate controls, and continuously improving your security programme. It covers governance, people, processes, and technology. Think of it as how to manage what you build.

Essential Eight
Eight prescriptive technical strategies. Four maturity levels (0 to 3). Developed by ASD from real-world threat intelligence. Focuses on preventing malware delivery, limiting attacker impact, and ensuring data recovery.
ISO 27001
Management system standard whose mandatory requirements are clauses 4 to 10, with 93 Annex A controls across four themes (Organisational, People, Physical, Technological). Requires formal risk assessment, documented policies, internal audit, and management review.
What E8 does not cover
Supplier security, business continuity, physical security, HR security processes, incident management governance, information classification, legal compliance, or formal risk assessment methodology.
What ISO 27001 does not prescribe
Application control rulesets, specific macro settings, user application hardening configurations, specific patching timeframes (48 hours), or specific MFA methods (phishing-resistant). It requires controls but lets you choose how.
02 / Essential Eight

What Essential Eight actually is.

The Essential Eight is a set of eight mitigation strategies that the ASD identified as the most effective defence against targeted cyber intrusions. The strategies are: application control, patch applications, restrict Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

Each strategy is assessed against four maturity levels. Maturity Level 0 indicates weaknesses in the organisation's overall posture. Maturity Level 1 is partly aligned with the intent of the strategy. Maturity Level 2 is mostly aligned and is the baseline expected of non-corporate Commonwealth entities under the PSPF. Maturity Level 3 is fully aligned and is designed to resist more adaptive adversaries who are willing to invest in bespoke tradecraft.

The November 2023 update to the maturity model significantly raised the bar. ML2 now requires phishing-resistant MFA and 48-hour patching for critical vulnerabilities. The result: only 22% of Commonwealth entities had achieved overall ML2 across all eight strategies as of the 2025 Commonwealth Cyber Security Posture report, down from 25% in 2023 because the standard got harder, not because security got worse.

Where Essential Eight has regulatory force: Mandatory at ML2 for non-corporate Commonwealth entities under the PSPF. Increasingly expected in government procurement, cyber insurance underwriting, and supply chain security requirements across financial services, critical infrastructure, and education.

03 / ISO 27001

What ISO 27001 actually is.

ISO/IEC 27001:2022 is an international standard for Information Security Management Systems (ISMS). Certification means an accredited body has audited your ISMS and confirmed it meets the standard's requirements. It does not mean your organisation is impenetrable. It means you have a documented, risk-driven management process for information security that is governed, measured, and continuously improved.

The standard has two parts. Clauses 4 to 10 are mandatory requirements covering context, leadership, planning, support, operation, performance evaluation, and improvement. Annex A contains 93 controls across four themes that you select based on your risk assessment. You do not implement all 93; you implement the ones your risk treatment plan justifies, and you document why you excluded the rest in your Statement of Applicability.

The 2022 revision reorganised Annex A from the previous 114 controls across 14 domains and introduced 11 new controls including threat intelligence, cloud security, and data masking. The transition deadline from ISO 27001:2013 was October 2025.

Where ISO 27001 has market force: Increasingly required in enterprise procurement, government tender evaluations, and supplier due diligence. APRA-regulated entities commonly use ISO 27001 as the management framework for meeting CPS 234 obligations. The Defence Industry Security Program (DISP) favours ISO 27001 for suppliers handling sensitive information.

04 / Where they overlap

The controls that appear in both.

Essential Eight and ISO 27001 Annex A overlap in several areas. Organisations pursuing both can satisfy requirements simultaneously rather than doing the work twice.

Patching
E8: Patch Applications and Patch Operating Systems (48 hours for critical vulnerabilities at ML2). ISO 27001: A.8.8 Management of technical vulnerabilities.
Multi-factor authentication
E8: MFA strategy with phishing-resistant methods at ML2+. ISO 27001: A.8.5 Secure authentication.
Access control
E8: Restrict Administrative Privileges. ISO 27001: A.5.15 Access control, A.8.2 Privileged access rights.
Backup
E8: Regular Backups with offline storage and tested restoration. ISO 27001: A.8.13 Information backup.

The overlap means that an organisation already implementing Essential Eight has a head start on several ISO 27001 Annex A controls. Conversely, an organisation with ISO 27001 certification already has governance structures that make sustaining Essential Eight maturity significantly easier.
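To make the shared patching control concrete, here is an added example (not Cliffside's tooling, and not an ASD or ISO artefact) of the time-to-patch evidence an assessor would want for both the Essential Eight ML2 48-hour requirement for critical vulnerabilities and the ISO 27001 A.8.8 record of how a vulnerability was handled. The CSV layout, the advisory identifiers (ADV-0001 and so on), the host names and the assessment date are all constructed sample data; a real run would read the same columns from your patch management or vulnerability scanning export.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Essential Eight ML2 (and the matching A.8.8 evidence): patches for critical
# vulnerabilities are deployed within 48 hours of the vendor releasing them.
CRITICAL_SLA = timedelta(hours=48)

# Constructed sample export. The column layout is an assumption for this
# example, not a format defined by ASD or ISO. An empty patch_deployed
# column means the patch is not yet on that host.
SAMPLE_CSV = """host,vuln_id,patch_released,patch_deployed
web-01,ADV-0001,2025-03-03T09:00:00+00:00,2025-03-04T15:00:00+00:00
web-02,ADV-0001,2025-03-03T09:00:00+00:00,2025-03-06T10:00:00+00:00
app-01,ADV-0002,2025-03-10T00:00:00+00:00,2025-03-10T20:00:00+00:00
db-01,ADV-0002,2025-03-10T00:00:00+00:00,
app-02,ADV-0003,2025-03-12T12:00:00+00:00,
"""

# Constructed assessment time: the moment the evidence snapshot is taken.
SAMPLE_NOW = datetime(2025, 3, 13, 0, 0, tzinfo=timezone.utc)

# Ordering used to roll host statuses up to a per-vulnerability status.
RANK = {"patched": 0, "open": 1, "breach": 2}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    vuln_id: str
    released: datetime
    deployed: Optional[datetime]  # None = not yet deployed on this host


def parse_records(text: str) -> list[PatchRecord]:
    """Parse the CSV export into records, tolerating a blank deployed column."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        deployed = row["patch_deployed"].strip() or None
        records.append(PatchRecord(
            host=row["host"].strip(),
            vuln_id=row["vuln_id"].strip(),
            released=datetime.fromisoformat(row["patch_released"].strip()),
            deployed=datetime.fromisoformat(deployed) if deployed else None,
        ))
    return records


def hours_elapsed(rec: PatchRecord, now: datetime) -> float:
    """Hours from patch release to deployment, or to 'now' if still unpatched."""
    return ((rec.deployed or now) - rec.released).total_seconds() / 3600


def status(rec: PatchRecord, now: datetime, sla: timedelta = CRITICAL_SLA) -> str:
    """Classify one host/vulnerability pair.

    An unpatched host is measured against 'now', so a still-open patch turns
    into a breach the moment the SLA clock runs out, not only once it is
    eventually deployed late.
    """
    elapsed = (rec.deployed or now) - rec.released
    if elapsed > sla:
        return "breach"
    return "patched" if rec.deployed is not None else "open"


def assess(records: list[PatchRecord], now: datetime,
           sla: timedelta = CRITICAL_SLA) -> dict:
    """Roll host-level results up into the evidence an assessor asks for."""
    per_host = {(r.host, r.vuln_id): status(r, now, sla) for r in records}

    # A vulnerability is only closed when every affected host is patched within
    # the SLA; a single late host makes the whole vulnerability a breach.
    by_vuln: dict[str, str] = {}
    for r in records:
        s = per_host[(r.host, r.vuln_id)]
        if r.vuln_id not in by_vuln or RANK[s] > RANK[by_vuln[r.vuln_id]]:
            by_vuln[r.vuln_id] = s

    breaches = [r for r in records if per_host[(r.host, r.vuln_id)] == "breach"]
    return {
        "hosts_total": len(records),
        "hosts_breach": len(breaches),
        "hosts_open": sum(1 for s in per_host.values() if s == "open"),
        "worst_hours": max(hours_elapsed(r, now) for r in records),
        "by_vuln": by_vuln,
        "breach_hosts": sorted((r.host, r.vuln_id) for r in breaches),
    }


def run_sample() -> dict:
    """Assess the constructed sample export at the constructed snapshot time."""
    return assess(parse_records(SAMPLE_CSV), SAMPLE_NOW)


if __name__ == "__main__":
    result = run_sample()
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample, web-02 was patched after 73 hours and db-01 is still unpatched 72 hours after release, so both ADV-0001 and ADV-0002 are breaches even though one host for each was patched in time; ADV-0003 is open but still inside its 48-hour window. That per-vulnerability roll-up is the figure an Essential Eight assessor tests against, and the same per-host table is the A.8.8 evidence an ISO 27001 auditor will ask to see, so one export serves both.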

05 / The decision framework

Which to pursue first.

The right answer depends on who is asking for compliance, what your regulatory exposure is, and where your current maturity sits. Here is how to decide.

Government supplier

Start with Essential Eight. Commonwealth and state government procurement increasingly requires Essential Eight ML2 alignment. If government contracts are a significant revenue source, demonstrating ML2 is the faster path to winning and retaining that work.

Enterprise B2B

Start with ISO 27001. Enterprise clients and their procurement teams want to see a certificate. ISO 27001 certification is the internationally recognised proof that your security is governed, and it dramatically simplifies supplier due diligence questionnaires.

APRA-regulated

You likely need both, anchored on CPS 234. CPS 234 is your actual regulatory obligation. ISO 27001 provides the management framework. Essential Eight provides the technical controls. Both support your CPS 234 compliance posture.

Cyber insurance

Essential Eight first. Australian cyber insurers increasingly assess controls that map directly to the eight strategies (MFA, patching, backups, restricted administrative privileges), alongside endpoint detection and response, which sits outside the Essential Eight. Demonstrating Essential Eight alignment can materially improve your premium and coverage terms.

Board pressure

ISO 27001 for credibility; Essential Eight for substance. If your board wants assurance that security is governed, ISO 27001 provides the auditable management framework they can report on. If they want evidence that specific technical risks are mitigated, Essential Eight provides the measurable maturity scores.

Limited budget

Start with Essential Eight. It is lower cost to implement, does not require certification body fees, and delivers immediate risk reduction. The governance structures you build along the way (policies, risk registers, evidence collection) become the foundation for ISO 27001 when you are ready.

06 / When you need both

Most organisations need both eventually.

Essential Eight without governance is a point-in-time achievement that degrades as your environment changes. ISO 27001 without prescriptive technical controls is a management system with nothing concrete under it. The frameworks are genuinely complementary, and for any organisation with serious security obligations, the question is not which one but which order.

The practical reality for most mid-market Australian organisations (50 to 500 staff) is this:

  • Year one: Implement Essential Eight to ML2 and build the basic governance structures (policies, risk register, incident response plan) that will become your ISMS foundation.
  • Year two: Formalise the ISMS, conduct your gap assessment against ISO 27001, and prepare for certification. Your Essential Eight evidence becomes your Annex A evidence for the relevant controls.
  • Ongoing: Use the ISO 27001 management review and internal audit cycle to maintain and improve your Essential Eight maturity. The ISMS prevents your technical controls from degrading.

Organisations that try to do both simultaneously can succeed, but only if they have sufficient internal resources or external support to manage two parallel workstreams. For most mid-market organisations, sequencing is more realistic than parallelisation.

07 / Cliffside perspective

We hold ISO 27001 and deliver both.

Cliffside holds ISO 27001 certification for our own ISMS. We have been Lead Auditors since 2008. We also deliver Essential Eight assessments to Maturity Level 3. This is not theory for us. We maintain our own ISMS, we conduct our own internal audits, and we manage the surveillance cycle every year. We know where the hard parts are because we live them.

When a client asks us "which framework should we do first?", we do not give a generic answer. We start with a Lighthouse Assessment that maps your current controls against both frameworks, identifies your regulatory and commercial exposure, and recommends a sequenced plan based on what your organisation actually needs, not what is fashionable.

Frequently asked questions.

Is Essential Eight mandatory in Australia?
Essential Eight Maturity Level 2 is mandatory for non-corporate Commonwealth entities under the PSPF (Protective Security Policy Framework). It is not legislatively mandated for the private sector, but it is increasingly expected by government procurement, cyber insurers, and enterprise supply chain requirements. Critical infrastructure entities with obligations under the SOCI Act can meet the cyber hazard requirements of their risk management program by adopting Essential Eight, which is one of several frameworks the CIRMP rules recognise for that purpose.
Is ISO 27001 mandatory in Australia?
ISO 27001 is not mandated by any Australian legislation. However, it is increasingly required by enterprise procurement processes, government tender evaluations, and as a condition of doing business with regulated industries. APRA-regulated entities often use ISO 27001 as the management framework for meeting CPS 234 requirements, and the Defence Industry Security Program (DISP) favours ISO 27001 certification for suppliers handling sensitive information.
Can ISO 27001 and Essential Eight be implemented together?
Yes. Essential Eight controls map to several ISO 27001 Annex A requirements, particularly in the Technological theme (A.8), so an organisation implementing both can satisfy Essential Eight patching, MFA, and backup requirements while building the evidence base for the corresponding Annex A controls. Running the two as parallel workstreams is efficient if you have the internal resources or external support to manage both; otherwise sequence them, starting with the framework that whoever is asking for compliance wants to see. Either way, the governance, risk assessment, and continuous improvement structures required by ISO 27001 provide the management framework that makes Essential Eight maturity sustainable rather than a point-in-time achievement.
How long does it take to achieve Essential Eight ML2?
For a mid-market organisation with reasonable existing security maturity, achieving ML2 across all eight strategies typically takes 6 to 12 months. The November 2023 maturity model update raised the bar for ML2, requiring phishing-resistant MFA and 48-hour patching for critical vulnerabilities. Only 22% of Commonwealth entities had achieved overall ML2 as of the 2025 Commonwealth Cyber Security Posture report.

Not sure which framework to start with?

Book a Lighthouse Assessment. We'll map your current controls against both ISO 27001 and Essential Eight, assess your regulatory and commercial exposure, and recommend which to pursue first.