2026-06-10

PSPF, ISM, Essential Eight. I finally got these three straight.

Three Australian government cyber frameworks that are easy to run together. What each one is, how they differ and how they stack, without the jargon.


The PSPF, the ISM and the Essential Eight are three different things. I used to treat them as one. They sit in the same sentences, the same documents and the same meetings, so it is easy to run them together.

The PSPF is the policy. The ISM is the full rulebook. The Essential Eight is the short list you start with. They do not fight each other. They are the same goal at three different zoom levels. I am learning these as I go.


. . .

Why they blur together

I reckon the reason they blur together is simple. They all come from government. They all touch security. They all get name-dropped in the same breath. When you are learning them, it is easy to run them together and lose track of which one sits where.

They also work at different levels. That is the part that trips you up. One sets direction. One spells out the technical detail. One tells you where to start. When you hear all three in the same meeting, it sounds like three competing standards. They are not. The levels are what sort them out.

So let me take them one at a time.

The PSPF

PSPF stands for the Protective Security Policy Framework. Think of it as the Australian Government's protective security rulebook for itself, run by the Department of Home Affairs.

It sets out what government entities have to do to protect their people, their information and their assets. It covers far more than cyber. The PSPF spans security governance, risk, information, technology, personnel and physical security, so cyber is just one piece of a much wider picture. In the current release cyber sits inside the technology side. Locked doors and staff vetting live in there too. So I try to call it protective security, not just cyber.

Policy and outcomes are what the PSPF deals in. It tells you what must be achieved and why, not which technical setting to flick. For that detail, it points you somewhere else. Which brings me to the next one.

A small note on currency, because I got this wrong at first. The current version is PSPF Release 2025, issued on 24 July 2025. It now comes out on an annual release cycle, so there is a fresh one each year. It is run by the Department of Home Affairs. If you read an older source that names a different department, treat the framework detail in it as out of date.

The ISM

ISM stands for the Information Security Manual. Think of it as the detailed cyber control catalogue. It is published by the Australian Signals Directorate, the ASD, the federal agency that runs Australia's signals intelligence and national cyber security. Its cyber arm is the Australian Cyber Security Centre, the ACSC.

The ISM is a large library of specific controls covering identity, encryption, system hardening, networks, logging and a lot more. This is the technical how. When a government system gets built and assessed, this is the book it is built against.

To keep it useful, the ASD republishes it on a regular cycle, so there is always an up-to-date version. You do not memorise the ISM. You look things up in it, the way a tradie reaches for the standards manual on a job.

One honest aside, because the distinction matters. Saying a system is "designed against the ISM" is a claim you make about your own work. Having it independently checked is a different thing. The ASD runs a scheme called IRAP, the Information Security Registered Assessors Program, where a registered assessor evaluates a system against the ISM. "We follow the ISM" and "we have been IRAP assessed" are not the same sentence. Worth keeping straight.

The Essential Eight

This is the one I had actually heard of before I started. The Essential Eight is the ASD's list of eight priority actions that stop the most common cyber attacks. Eight things, chosen because they block the attacks that cause the most damage.

Here are the eight: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.

It is easy to treat the Essential Eight as a checklist you tick off. It is not. The ASD also publishes the Essential Eight Maturity Model. It rates how well you have actually put the eight in place, from Maturity Level Zero (not done) up to Maturity Level Three (done well, for high-threat settings). So it is not a tick-and-forget list. There is a difference between doing a thing and doing it well and the maturity levels capture that.

Start here: that is the job the Essential Eight does. It is not the whole story and the ASD says so plainly. It is the slice you do first because it buys you the most protection for the least effort.

How they differ: it is about altitude

Once I had each one defined, the difference between them stopped being about content and started being about altitude. They are not three rival standards. They are three heights over the same ground.

PSPF flies highest. Policy umbrella. The why and the high-level rules. Whole of government and broader than cyber.

ISM sits in the detail. Hundreds of controls. Technical how for cyber and information security. This is the depth.

Essential Eight sits at ground level. Eight actions to do first. Your on-ramp.

They differ by altitude and purpose, not by disagreement. None of them contradicts the others. Each is a different zoom on the same goal: keep the systems and the information safe.

How they stack

They do not just sit at different heights. They point to each other.

The PSPF says government entities must run secure technology. For the detail of how, it points to the ISM. So the PSPF sits on top and the ISM does the cyber heavy lifting underneath it.

The Essential Eight is drawn from the ISM. The eight are pulled out of the broader set of strategies in the ISM and packaged as the priority starting point. So the Essential Eight is a subset, not a separate or competing thing.

The clean one-liner: the PSPF points to the ISM for cyber. The Essential Eight is the priority slice of the ISM you do first.

A stack diagram of the three frameworks. At the top, PSPF, labelled whole-of-government protective security policy. An arrow points down to the ISM, labelled the full cyber control catalogue, with a note that the PSPF points to the ISM for cyber. Inside the ISM sits a smaller box labelled Essential Eight, the prioritised subset of ISM mitigation strategies you do first.

How the three stack. The PSPF sits on top and points to the ISM for the cyber detail. The Essential Eight is a prioritised slice carved out of the ISM. Generated by Author using Claude.

The building-code picture

Think of building a house.

Start with the building code. That is your PSPF. Every building must be safe, weatherproof and secure. Fire, structure, access and more all sit under it. The code sets the standard and the reason for it. What it does not do is tell the electrician which cable to use.

The ISM is the thick electrical and engineering standards manual. The technical book the trades actually build to. Every wire gauge, every clearance, every spec is in there.

The Essential Eight is the home safety starter checklist. Smoke alarms, deadlocks, a fire extinguisher. The few things that stop the most common and most damaging incidents. They are not the whole engineering manual. Skipping them is where most of the real harm comes from.

The picture is not perfect. Here is where it breaks. A building code is mandatory for everyone who builds. These frameworks are not. They bind government and reach others by contract or choice, which I will come to in a second. And a safety checklist in a house is tick-and-done, while the Essential Eight is graded by how well you do each item. So hold the picture loosely. It gets you most of the way there.

Who this actually applies to

This is the part I want to be careful about, because it is easy to get wrong. These are not rules every Australian business must follow.

Most federal government departments and agencies must follow the PSPF. Contractors and suppliers get reached through contract terms, not because the framework binds them directly. State governments and private businesses are not bound by default.

The ISM and the Essential Eight are the baseline that Commonwealth government adopts. For everyone else, they get taken up voluntarily or because a contract or a sector rule requires it. Some critical infrastructure operators get a version of the Essential Eight pulled in through specific rules, but that is its own regime, not a blanket law over every business.

So the honest framing is this. These are the government's frameworks and they have become a common reference point well beyond government. Plenty of organisations follow them by choice or because a customer asked. Not because every business must.

. . .

The stack in one breath

Policy on top is the PSPF. The full rulebook underneath is the ISM. Carved out of that rulebook sits the Essential Eight, the short list you start with.

If you only take one thing from this, take the altitude idea. They are not competing. They are the same goal seen from three heights. See that and the meetings get a lot less confusing.

I am still learning this and I will keep writing it down as I go. If you work in this space and I have a level wrong, I would love to hear it. That is half the reason I write these in the first place.
