Board Briefing: Cyber Governance Insights

A Smarter Starting Point: Using the ACSC Cyber Security Principles to Build Strong Foundations

Cyber Security Strategy

Published by James Burnard, Director – Governance, Risk & Compliance on 30 September 2025


For many small to medium organisations in Australia, cyber security can feel like a maze. The frameworks are dense, the audits are expensive, and the starting point isn’t always clear. Whether you are a senior leader trying to understand your organisation’s posture, or an IT manager looking for a practical way forward, it’s easy to feel you are being asked to run before you can walk.

At CyberCX, we encourage many organisations to consider the Australian Cyber Security Centre’s (ACSC) Cyber Security Principles as a starting point – not because they are the only option, but because they offer a balanced, strategic foundation that’s built for the cyber landscape that Australian organisations are confronting.


What are the ACSC Cyber Security Principles?

Developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Cyber Security Principles provide strategic guidance on how an organisation can protect its information technology and operational technology systems from cyber threats. The principles are grouped into six functional areas:

These principles reflect what good security looks like in practice, not just in terms of controls, but also in terms of behaviours, culture and decision making.

The Cyber Security Principles help organisations focus on what matters – not just what’s easily measurable.


Built for Australian Organisations

Unlike global frameworks that can feel disconnected from local realities, the Cyber Security Principles are designed for Australian organisations. They are technology agnostic and scalable, but also aligned to ASD’s Information Security Manual and the Essential Eight for those organisations looking for more technical guidance. This means they can be applied to a range of organisations – whether you’re cloud-native, hybrid, or still managing legacy infrastructure. They also avoid the trap of compliance for its own sake. Instead of diving into dozens or hundreds of controls, or rigid maturity models, they help you understand your organisation’s posture in a way that is meaningful and actionable.

We have seen organisations avoid costly missteps by starting with the Cyber Security Principles. They help prioritise effort and funding based on actual risks – not just what a framework says you ‘should’ do.


Bridging the Gap Between Technical and Non-Technical

One of the most effective and useful aspects of the Cyber Security Principles is how well they engage both technical and non-technical stakeholders. They’re written in clear language, and they reflect behaviours that resonate across an organisation. This makes them ideal for engaging senior leadership, boards, and cross-functional teams. Everyone can understand the intent of the principles, and that leads to better conversations, stronger buy-in, and more effective outcomes.

In effect, you do not have to be steeped in technical cyber knowledge to understand the Principles.

Each principle represents a mature practice or culture. That’s why they’re so effective – they help organisations see the bigger picture, not just the technical details of specific controls.


How CyberCX Applies the Principles

We’ve helped many organisations use the Cyber Security Principles both as an initial starting point and as a long-term foundation of good practice.

Our assessment and uplift approach is people-focused and low overhead. We facilitate cross-functional workshops, from leadership and risk to IT and cyber. We explore specific critical processes in more depth, guided by threat profiles, stakeholder priorities, and our own expert intuition. We don’t rely on rigid tools or worksheets; we bring experienced professionals from across our disciplines to work directly with your business.

This isn’t a tick-box exercise. It’s providing you with experts with deep understanding of their subject matter, working to understand your business, your risks, and your goals.

We build tailored programs of work to help address gaps, from quick wins to multi-year uplift plans. These programs are scaled to your resources and needs, and they’re designed to be practical and reflective of your available capabilities.

We’re here to build partnerships – not just deliver reports. That’s part of our commitment to securing our communities.

Ready to get started?

Adopt the ACSC Cyber Security Principles with a partner who brings deep expertise, genuine care, and an end-to-end capability.
