Most Australian business owners have heard of the Essential Eight. But there’s another ACSC framework that’s equally important and far less understood: the ACSC Security Principles. Published as part of the Information Security Manual (ISM), these principles provide the strategic foundation for protecting your business from cyber threats.

This guide explains what the ACSC Security Principles are, how they’re structured, and why they matter for your small business.

What Are the ACSC Security Principles?

The ACSC Security Principles are a set of strategic cybersecurity guidelines developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). They’re published as part of the Information Security Manual (ISM), the Australian Government’s authoritative guide to protecting information and systems, where the ISM itself refers to them as the cyber security principles.

Unlike the Essential Eight, which focuses on eight specific technical controls, the Security Principles take a broader, strategic view. They address how your organisation should think about cybersecurity — from governance and leadership to incident response and recovery.

The principles are technology-agnostic, meaning they apply regardless of whether you run Windows, macOS, Linux, or cloud-based systems. They’re designed to scale, so they are as relevant to a 5-person trades business as to a 500-person enterprise.

The principles are grouped into six domains:

Govern: Develop a strong cybersecurity culture with leadership oversight, risk management, and documented policies.

Identify: Know your assets, understand their value, and document the security risks to your systems and data.

Protect: Implement and maintain controls to manage security risks, from access control to secure configuration.

Detect: Monitor your systems to detect cybersecurity events and identify incidents before they cause serious damage.

Respond: Have plans and procedures ready to respond effectively when a cybersecurity incident occurs.

Recover: Resume normal business operations following incidents with tested backup and recovery processes.

Why Do the Security Principles Matter for Small Businesses?

They Cover What the Essential Eight Doesn’t

The Essential Eight is excellent at hardening your technical defences: patching, application control, restricting admin privileges, backups, MFA. But beyond the event-logging requirements at its higher maturity levels, it does not address governance, incident response planning, asset identification, or detection and response capabilities. The Security Principles fill those gaps, giving you a complete picture of your cybersecurity posture.

Insurers and Regulators Are Looking Beyond Technical Controls

Cyber insurers increasingly want to see that you have an incident response plan, that you know what data you hold, and that someone in your organisation is accountable for security decisions. All of these sit squarely within the Security Principles (Govern, Identify and Respond) and none of them are Essential Eight controls.

They’re the Foundation for Everything Else

Whether you eventually pursue ISO 27001, need to meet SOCI Act requirements, or simply want to protect your business comprehensively, the Security Principles provide the strategic foundation that technical controls build upon.

How Are They Assessed?

The ACSC Security Principles use a five-level maturity model: Incomplete, Initial, Developing, Managing, and Optimising. The Essential Eight Maturity Model has four levels (Maturity Level Zero through Three) that measure how completely each mitigation strategy has been implemented; the Security Principles maturity model instead measures how well embedded the principles are in your organisation’s culture and operations.

For most small businesses, reaching “Developing” or “Managing” maturity represents a solid, practical achievement. The assessment covers 34 principles across the six domains: Govern, Identify, Protect, Detect, Respond, and Recover.

Assess Your Security Principles with CyberSmart360

CyberSmart360 supports both the Essential Eight and the ACSC Security Principles. You can assess against either framework, or both, from the same dashboard, with the same guided, plain-language approach.

Complete your Security Principles assessment in under 2 hours, then get an AI-powered analysis of your gaps and a clear remediation plan, from $49/month.


CyberSmart360 supports both the Essential Eight and the ACSC Security Principles, because comprehensive cybersecurity needs both technical controls and strategic governance.
