A practical test for choosing the right cyber framework
- danielbuckton8
- Mar 24
In my last article, I looked at the growing confusion many Australian businesses are facing when it comes to cyber security standards. There is no shortage of guidance. Between ISO 27001, Essential Eight, the ISM, CIRMP, VPDSS, RACGP guidance, legal sector expectations and SMB1001, most businesses are not struggling because there is nothing available. They are struggling because there is too much to take in, and not enough plain-English advice on where to start.
That is where I think the conversation needs to shift. The real question is not whether these standards matter. They do. The better question is how a business can turn all of that noise into a path that makes sense for its size, risk and stage of growth.
Rather than starting with the biggest framework or the most recognised name, I think businesses are better served by working through a few practical questions first.
Are we actually required to meet this framework?
This is the first question every business should ask, because it cuts through a lot of confusion very quickly. Some frameworks apply because of your sector, your legal status or the type of organisation you are. Others do not apply to you directly at all, even though you may still hear about them in customer conversations, tenders or supplier questionnaires.
A lot of businesses assume that if they work with government, healthcare, legal services or critical infrastructure, they must automatically adopt the customer’s full framework. Sometimes that may be true, but often it is not. The starting point is to work out whether the requirement really sits with your business, or whether it sits with someone else and only affects you in a more limited way.
That distinction matters, because it changes the whole conversation. Instead of assuming you need to inherit an entire framework, you can start by understanding what is actually yours to respond to.
Are parts of it being pushed down through contracts or customer expectations?
Even where a framework does not apply directly, parts of it may still matter in practice. This is where many businesses first run into standards they were never planning to think about. A customer may ask about certain controls in a tender. They may include security clauses in a contract. They may ask for breach notification, proof of backups, MFA, patching, access controls, or supplier assurance.
In that situation, the question is not always whether you need to adopt the whole framework. More often, the real question is which parts matter for the work you are doing and whether they are reasonable for the risk your business creates.
This is where a lot of businesses become overwhelmed, because the conversation jumps straight from “our customer mentioned this framework” to “we must comply with all of it.” In many cases, that is simply not true. What matters is understanding which expectations are actually being passed down to you and how they relate to the service you provide.
What kind of access, data or operational risk do we actually create?
This is usually the question that makes things clearer. If your business handles sensitive information, connects into customer systems, has admin or privileged access, or could cause major disruption if something goes wrong, then stronger controls make sense. If your role is narrower and your access is limited, then a lighter approach may be more appropriate.
That does not mean smaller or lower-risk businesses can ignore cyber security. It means the response should match the real-world role the business plays, not a blanket assumption that every supplier needs to operate like a major enterprise.
This is also where common sense needs to come in. A business should not ignore risk just because it is small. At the same time, it should not assume it needs to build an enterprise-grade program on day one simply because a larger customer sits upstream.
What is the best starting point for our business right now?
This is the question that often gets missed. Many SMBs jump straight into frameworks that were written for larger, more mature or more heavily regulated organisations, and then wonder why the whole process feels heavy and unrealistic. The problem is not always the framework itself. The problem is that it may not be the right place for that business to begin.
That is why I believe SMB1001 has an important role to play. It is not perfect, and it is not complete, but it gives small and medium-sized businesses something many other frameworks do not. It gives them a practical place to start and a staged path to build from. For many SMBs, that is exactly what is missing from the broader cyber conversation.
Most smaller businesses do not need to become a government agency or a large enterprise security program overnight. They need to get the basics right, build confidence, improve maturity over time and add further requirements when they genuinely need to. That is a far more realistic path than trying to absorb every framework at once.
What does this look like in practice?
A good example is a GP clinic that is contracted to complete health checks for critical infrastructure teams. That clinic may absolutely need strong privacy, cyber and contractual controls so it does not create risk for its client. It may need to protect sensitive health information, manage access properly, keep systems secure and meet customer reporting expectations. All of that is reasonable.
But that does not automatically mean the clinic needs to adopt the whole of CIRMP and the full ISM end to end just because its customer operates in critical infrastructure. In many cases, a common-sense staged approach would work better for SMBs. That might mean starting with strong practice security, clear contractual controls, sensible handling of sensitive information, and then lifting further where the service, access or customer requirement justifies it.
That is a much more practical way forward than assuming every supplier must inherit every customer framework in full.
The same thinking applies in other sectors as well. A Victorian law practice may need to pay close attention to legal sector cyber expectations. A supplier into the Victorian public sector may need to understand VPDSS-related obligations. A healthcare provider may need to align closely to RACGP guidance and privacy requirements. Even then, the answer is not always to start with the biggest framework on the table. A better starting point is to understand what actually applies to your business, what risk you create, and then build your cyber approach in stages from there.
So what is the better approach?
For most businesses, the better approach is fairly simple. Start with a framework that fits your size and maturity, work out what really applies to your business, and then add the extra requirements that come with your sector, customers or contracts.
For many SMBs, that starting point may be SMB1001. Not because it replaces every other framework, and not because it is the end of the journey, but because it gives businesses a way to begin without getting stuck in complexity from day one.
That said, a staged path still needs judgement. Some protections should be treated as early priorities regardless of where they sit in a maturity model. Multi-factor authentication is the clearest example. The same can be said for software updates, backups and other basic safeguards that are already widely recognised as sensible business practice. So, this is not an argument for following one framework blindly. It is an argument for using the right framework in the right way.
Final thought
Australian businesses do not need less cyber security. They need a simpler way to work out what applies, what matters most, and where to begin. That is the real value of a practical test. It does not lower the bar. It simply makes the path easier to understand.
For most businesses, the answer will not be one framework on its own. It will be a sensible starting point, supported by common sense and strengthened over time by the requirements that genuinely match the business. That is how cyber uplift becomes achievable, and that is how businesses move from uncertainty to progress.