HEXOSYS Insights

The Australian Security Compliance Landscape: An Executive Map

Compliance & Frameworkspillar3 min readPublished 2026-07-08Updated 2026-07-08HEXOSYS Security Architects

An executive map of Australia's security obligations — Essential Eight, ISM, PSPF, CPS 234/230, SOCI, Privacy Act, ISO 27001, PCI DSS — and how to navigate them once.

Australian organisations rarely face one security obligation — they face a stack of them, written by different bodies for different purposes, overlapping without aligning. The result is familiar: duplicated assessments, control frameworks maintained in parallel, and boards unsure which “compliant” actually matters. This guide maps the landscape and how to navigate it once, not five times.

The mandatory layer: obligations

What applies to you is determined by sector and function:

  • Australian Government entities operate under the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM), with the Essential Eight as the prescribed mitigation baseline and maturity model.
  • APRA-regulated entities — banks, insurers, superannuation — carry CPS 234 (information security) and, since July 2025, CPS 230 (operational risk management), which together cover security capability, control testing, incident notification, service-provider risk and operational resilience.
  • Critical infrastructure entities captured by the SOCI Act carry risk-management program obligations (CIRMP), with cyber security as a required hazard domain and board-level sign-off on the annual report.
  • Everyone handling personal information at qualifying scale answers to the Privacy Act and the Australian Privacy Principles, with a multi-year reform program steadily raising the bar.
  • Card payments bring PCI DSS by contract rather than statute — no less binding in practice.

The voluntary layer: frameworks

Alongside the obligations sit frameworks organisations choose: ISO 27001 for a certifiable security management system, NIST CSF 2.0 as a widely understood maturity and communication lens, and the Essential Eight adopted voluntarily well beyond government because it is concrete and measurable. These are instruments, not obligations — their value is in structuring and evidencing your program, and in speaking a language customers and regulators recognise.

Three disciplines separate organisations that manage this landscape efficiently from those that drown in it:

  1. One control set, many lenses. Maintain a single internal control framework and map it outward to each obligation, rather than running a parallel program per regulator. Most requirements overlap heavily; the mapping makes that overlap work for you.
  2. Obligations first, frameworks second. Legal and regulatory requirements set the floor and the deadlines. Voluntary frameworks then organise how you meet and evidence them — not the other way around.
  3. Assess once, answer many. A well-scoped independent assessment against your control framework should produce the evidence base for APRA engagement, SOCI reporting, ISO surveillance and board assurance alike.

Where organisations typically struggle

The recurring failure modes are predictable: treating each obligation as a separate project; testing control existence rather than control effectiveness (a distinction CPS 234 makes explicit); leaving service-provider obligations unmanaged; and reporting compliance status to boards without translating it into risk position. Each is solvable with structure rather than heroics.

Key takeaways

  • Your sector determines the mandatory layer: PSPF/ISM and Essential Eight, CPS 234/230, SOCI, Privacy Act, PCI DSS.
  • Voluntary frameworks (ISO 27001, NIST CSF) are how you organise and evidence — they don’t replace obligations.
  • One control framework, mapped to many obligations, is the only approach that scales.
  • Effectiveness, not existence: regulators increasingly expect controls to be tested, not just documented.

Go deeper with our guides to Essential Eight Maturity Level 3 and APRA CPS 234, or engage an independent security assessment to build the evidence base once.

Apply this in your organisation.

Discuss how this translates to your environment with a HEXOSYS Security Architect.

Speak with a Security Architect