
Australian businesses looking to strengthen their cybersecurity posture in 2026 inevitably encounter two frameworks — the Information Security Manual and the Essential Eight. Both come from the Australian Signals Directorate. Both are referenced in government contracts, insurance questionnaires and compliance audits. And for most business owners, the relationship between them is genuinely confusing.
The confusion matters because it leads to one of two costly mistakes. Businesses either try to implement the full ISM when they only need the Essential Eight, wasting months and significant budget on controls that do not apply to them, or they assume Essential Eight compliance covers everything, only to discover during a government tender or IRAP assessment that it does not.
This guide explains what each framework is, how they relate to each other, who each one applies to, and which one your business should be working toward.
What Is the Information Security Manual?
The Information Security Manual is Australia’s most comprehensive cybersecurity framework. Published and maintained by the Australian Signals Directorate, the ISM provides a complete set of cybersecurity principles and controls that organisations can apply to protect their systems and data.
The scope of the ISM extends far beyond technical IT security. It covers cybersecurity governance and risk management, personnel security including background checks and security clearances, physical security for offices and data centres, system hardening across networks, applications, databases and endpoints, cryptography and key management, gateway and network security, media handling and data transfers, and incident response procedures.
The current ISM contains over 700 individual controls. These controls are organised by the classification level of the data a system handles, from non-classified through to PROTECTED and above. The higher the classification, the more controls apply.
The ISM is the framework that underpins the Information Security Registered Assessors Program, commonly known as IRAP. When an Australian government agency needs assurance that a system meets security requirements, it engages an IRAP assessor to evaluate that system against the relevant ISM controls.
What Is the Essential Eight?
The Essential Eight is a prioritised subset of eight mitigation strategies that the ASD identified as the most effective baseline controls for protecting internet-connected IT networks. It was derived from the ISM’s broader Strategies to Mitigate Cyber Security Incidents, meaning the Essential Eight is technically a focused extract from the ISM, not a separate framework.
The eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups.
Hyetech’s detailed guide on Essential Eight compliance walks through each of these strategies and the maturity levels in full. For the purposes of this comparison, the key point is that the Essential Eight focuses specifically on preventing malware execution, limiting the impact of security incidents and ensuring data recovery: a targeted set of controls rather than a comprehensive governance framework.
How the Two Frameworks Relate to Each Other
The simplest way to understand the relationship is this: the ISM is the entire library and the Essential Eight is the top shelf.
The Essential Eight sits within the ISM. Every Essential Eight control maps directly to specific ISM controls — the ASD publishes an official mapping document that shows exactly how each Essential Eight maturity level requirement corresponds to ISM control numbers.
However, achieving Essential Eight compliance at any maturity level does not mean you are ISM compliant. The Essential Eight addresses between 31 and 99 controls depending on the maturity level. The full ISM contains over 700. The gap includes entire domains (governance, physical security, personnel security, cryptography, media handling) that the Essential Eight does not touch.
Equally, an organisation that is fully ISM compliant has by definition already implemented the Essential Eight, since those controls are a subset of the ISM’s broader requirements.
Think of it as the relationship between a health check and a full medical examination. The Essential Eight is the health check: it covers the most critical indicators and catches the majority of problems. The ISM is the full examination: thorough, exhaustive and necessary when the stakes are highest.
Who Needs the ISM?
The full ISM applies primarily to organisations that handle classified or sensitive government information. In practice, this means Australian Government agencies at all levels (federal, state and territory), organisations that provide ICT services to government (including cloud service providers, managed service providers and software vendors), defence industry participants registered under the Defence Industry Security Program, critical infrastructure operators in sectors like energy, water, transport, telecommunications and healthcare, and any organisation that must undergo an IRAP assessment to win or retain government contracts.
If your business is in the defence supply chain, provides cloud hosting to a government department, or operates critical infrastructure, the ISM is your compliance benchmark and the Essential Eight alone will not be sufficient.
The ISM also applies different control requirements based on classification level. A system handling PROTECTED data faces significantly more controls than one handling OFFICIAL information. This tiered approach means ISM compliance is not one-size-fits-all — the scope of your assessment depends entirely on what data your systems touch.
Who Needs the Essential Eight?
The Essential Eight is recommended by the ASD as the minimum cybersecurity baseline for all Australian organisations — government and private sector alike. In practice, it applies to every Australian business that wants to demonstrate a credible security posture.
Specifically, the Essential Eight is the right framework for private sector SMBs not working with classified government data, businesses seeking to meet cyber insurance requirements (insurers increasingly ask about Essential Eight controls like multi-factor authentication and patching cadence), organisations preparing for government contracts (where Essential Eight Maturity Level 2 is becoming a standard procurement prerequisite), and any business that wants a practical and achievable starting point for cybersecurity improvement.
For Australian SMBs with 10 to 200 employees, the Essential Eight provides the highest security return for the lowest investment. It addresses the attack vectors behind the overwhelming majority of breaches reported to the OAIC — a pattern Hyetech covered in detail in the guide to Australia’s Notifiable Data Breaches scheme.
Key Differences at a Glance
Scope. The ISM covers over 700 controls across governance, physical, personnel and technical security. The Essential Eight covers 8 technical mitigation strategies with 31 to 99 individual controls depending on maturity level.
Purpose. The ISM provides a complete cybersecurity governance framework for protecting classified and sensitive information. The Essential Eight provides a prioritised set of controls to defend internet-connected networks against the most common cyber threats.
Who it applies to. The ISM is mandatory for government agencies and required for organisations handling classified data or undergoing IRAP assessment. The Essential Eight is recommended for all Australian organisations and increasingly expected by insurers, auditors and procurement panels.
Maturity model. The ISM applies controls based on data classification level: non-classified, OFFICIAL, PROTECTED and above. The Essential Eight uses a maturity model with levels 0 through 3 based on adversary sophistication.
Assessment. ISM compliance is formally assessed through IRAP by ASD-endorsed assessors. Essential Eight maturity can be self-assessed or independently assessed, though formal assessment is required when mandated by contract or policy.
Effort and cost. Full ISM compliance requires significant investment in governance, documentation, physical security and specialist expertise, often taking 6 to 12 months for initial alignment. Essential Eight Maturity Level 1 can typically be achieved within 1 to 3 months for a well-supported SMB.
Can You Need Both?
Yes — and many organisations do. The most common scenario is a business that provides services to both government and private sector clients. In this case, the organisation typically needs ISM compliance for its government-facing systems and uses the Essential Eight as its baseline for the rest of the business.
Defence contractors are a clear example. A company registered under the Defence Industry Security Program must comply with the ISM for systems handling defence information, but its internal corporate network and business applications may be governed by Essential Eight requirements alone.
The ASD explicitly states that organisations should consider their Essential Eight and ISM requirements independently. Achieving Maturity Level 2 for the Essential Eight does not mean that ISM controls at the equivalent level are automatically satisfied; the two frameworks use different criteria for defining their levels.
For businesses navigating both frameworks simultaneously, having a managed IT service provider with experience in Australian government compliance is critical. Running parallel compliance programs without coordination wastes resources and creates gaps.
Where to Start in 2026
For most Australian SMBs, the answer is straightforward: start with the Essential Eight.
The Essential Eight gives you the controls that prevent the majority of successful cyber attacks. It satisfies the questions your cyber insurer is asking. It positions you for government contracts that require Maturity Level 2. And it builds the technical foundation that makes ISM compliance achievable later if your business moves into government or defence work.
The practical starting point is a cybersecurity assessment that maps your current controls against Essential Eight requirements and identifies the gaps. Hyetech’s network security auditing service delivers exactly this: a structured assessment that shows where you stand today, what needs to change first and what a realistic timeline to compliance looks like.
From there, the priority controls to implement are multi-factor authentication across all user and admin accounts, automated patching for applications and operating systems, and restricting administrative privileges to only those who need them. These three controls alone address the attack vectors behind the majority of breaches targeting Australian businesses.
For organisations that need to go beyond the Essential Eight into full ISM alignment, Hyetech’s cybersecurity solutions include governance support, managed detection and response for continuous monitoring, and the ongoing compliance management that ISM demands.
If you are unsure which framework applies to your business, contact Hyetech for a consultation. With offices in Narre Warren, Chadstone and Richmond, our team helps Victorian businesses navigate Australian cybersecurity compliance, whether that means reaching Essential Eight Maturity Level 2 or building toward full ISM alignment.