On 12 March 2025, the Australian Securities and Investments Commission (ASIC) lodged a lawsuit against FIIG Securities Limited for failing to have adequate cybersecurity measures over a prolonged period of time. This marks a significant milestone in Australia’s cybersecurity landscape, as it shifts cyber incidents from being just IT issues to regulatory and legal obligations of directors and executives.
Unlike past cases focused on data breach disclosures or privacy violations, ASIC’s case against FIIG focuses on alleged governance failures in cyber risk management. ASIC is asserting that poor cyber governance and controls can be a breach of legal obligations to act with care and diligence under the Corporations Act 2001.
This brings us to the importance of Cyber Governance, Risk, and Compliance (GRC), which helps organisations manage cybersecurity risks, align security practices with business objectives, ensure compliance with laws and standards, and demonstrate accountability to stakeholders. There are several different cyber frameworks that guide organisations on how to implement cybersecurity best practices in GRC. By following them, companies can prove due diligence and reduce legal, regulatory, and operational risks, including the type ASIC highlights in the FIIG lawsuit.
Identity and Access Management (IAM) is also a crucial part of the cybersecurity strategy of an organisation. In this article, we try to evaluate the role of IAM in GRC by analysing different cyber frameworks, thus highlighting why companies should improve their IAM practices. We will consider five different cyber frameworks that are important in Australia.
1. NIST Cybersecurity Framework (CSF) 2.0
https://www.nist.gov/cyberframework
This is a flexible, risk-based framework designed by the National Institute of Standards and Technology (NIST) (a part of the United States Department of Commerce) to help organisations manage and improve their cybersecurity posture. It is built around six core functions — Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). It provides a structured approach to managing cyber risks aligned with business objectives.
The NIST CSF 2.0 includes IAM under the Protect (PR) function.
Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorised users, services, and hardware and managed commensurate with the assessed risk of unauthorised access.
- PR.AA-01: Identities and credentials for authorised users, services, and hardware are managed by the organisation
- PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
- PR.AA-03: Users, services, and hardware are authenticated
- PR.AA-04: Identity assertions are protected, conveyed, and verified
- PR.AA-05: Access permissions, entitlements, and authorisations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
- PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
2. SOC 2
Service Organisation Control 2 (SOC 2) is a framework that establishes a systematic approach to evaluating the effectiveness of security controls, and allows organisations to identify and mitigate potential risks. Service providers can assure their clients that their data is being managed with the highest standards of security and compliance by completing independent SOC 2 audits.
SOC 2 is based on five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy, and is commonly used by Software as a Service (SaaS) and cloud service providers to demonstrate operational security controls. SOC 2 is quite flexible in terms of which TSCs and controls you can use in the SOC 2 audit and the report. While there are several Common Criteria (CC) within the SOC 2 TSC that are relevant to IAM, CC6 — Logical and Physical Access Controls (which comes under Security) addresses it directly.
The following are the individual criteria that organisations are assessed against during an audit. They describe control objectives — the outcomes the controls need to achieve.
- CC6.1 — The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
- CC6.2 — Prior to issuing system credentials and granting system access, the entity registers and authorises new internal and external users whose access is administered by the entity. User system credentials are removed when access is no longer authorised.
- CC6.3 — The entity authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.
- CC6.4 — The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorised personnel to meet the entity’s objectives.
- CC6.5 — The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
- CC6.6 — The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
- CC6.7 — The entity restricts the transmission, movement, and removal of information to authorised internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
- CC6.8 — The entity implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet the entity’s objectives.
Under each criterion, there are several “Points of Focus (PoF)”. They are guides that explain what to consider when designing and implementing controls to satisfy the particular criterion. They are not mandatory, but they help organisations and auditors understand how to meet the criteria effectively. For example, “Restricts Logical Access” and “Identifies and Authenticates Users” are two such PoFs under CC6.1. Implementing Role-Based Access Control (RBAC) is an example of a control that satisfies the “Restricts Logical Access” PoF.
3. ISO 27001
https://www.iso.org/standard/27001
This is an internationally recognised standard that sets out the criteria for establishing, implementing, and continually improving an Information Security Management System (ISMS). Satisfying the requirements defined by ISO 27001 means that an organisation has a system to manage risks related to the security of data owned or handled by them, and that this system respects globally recognised best practices and principles.
The standard is structured into two key parts: Clauses 4–10 and Annex A. Clauses 4–10 define the mandatory requirements for an ISMS, covering aspects such as organisational context, leadership, planning, support, operation, performance evaluation, and improvement. These clauses establish the governance framework that organisations must follow to achieve ISO 27001 certification.
Note that we are referring to ISO 27001:2022 version which is a moderate update from the previous version of the standard: ISO 27001:2013.
Annex A provides a reference set of 93 security controls, categorised into four top-level domains: Organisational, People, Physical, and Technological controls. These controls serve as a guideline for mitigating information security risks and supporting the ISMS requirements defined in Clauses 4–10. While Annex A controls are not mandatory and organisations apply only those relevant to their specific risk environment, they serve as a comprehensive security framework, which is what we focus on in this article.
The controls that relate directly to IAM are listed below (a security control can be associated with more than one area of cybersecurity).
A.5 Organisational Controls
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
A.7 Physical Controls
- A.7.2 Physical Entry
A.8 Technological Controls
- A.8.2 Privileged Access Rights
- A.8.3 Information Access Restriction
- A.8.4 Access to Source Code
- A.8.5 Secure Authentication
- A.8.18 Use of Privileged Utility Programs
4. ASD Essential Eight
https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight
Developed by the Australian Signals Directorate (ASD), the Essential Eight outlines eight prioritised strategies to mitigate cyber threats. It offers practical guidance for organisations to establish a strong baseline of cyber defence. Organisations can assess their implementation using the Essential Eight Maturity Model, which defines four maturity levels (Zero to Three) based on the effectiveness of security controls. The assessment process involves planning, scoping, evaluating controls for each mitigation strategy, and developing a security assessment report. This model allows organisations to progressively improve their cybersecurity posture, with Level Three representing full alignment with the framework’s objectives.
Two out of the eight strategies are directly relevant to IAM.
- Restrict Administrative Privileges
- Multi-Factor Authentication
5. ASD Information Security Manual (ISM)
https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/ism
ASD ISM complements the Essential Eight and provides a comprehensive set of cybersecurity controls and guidelines specifically tailored for Australian government agencies and critical infrastructure providers. It provides principles-based guidance (Govern, Identify, Protect, Detect, Respond) and a detailed set of controls for managing security risks, ensuring compliance with legal and regulatory requirements. The risk management framework used by the ISM is adopted from National Institute of Standards and Technology (NIST) Special Publication (SP) 800–37 Rev. 2.
Note – NIST CSF, which we discussed earlier, is a high-level, voluntary framework that helps organisations identify, assess, and improve their cybersecurity posture. NIST SP 800–37 Rev 2 provides a detailed, mandatory Risk Management Framework (RMF) for implementing cybersecurity risk management in federal and regulated systems. While an organisation can use NIST CSF if they want a flexible cybersecurity strategy that aligns with industry best practices, organisations that require formal risk management for compliance with government (United States) contracts have to adhere to NIST SP 800–37 RMF.
The ISM provides thousands of security controls; a few that are relevant to IAM (based on the March 2025 version) are listed below. Given the very large number of controls, we will not list them all here.
User Identification
- ISM-0414: Personnel granted access to a system and its resources are uniquely identifiable.
- ISM-0415: The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable.
- ISM-1583: Personnel who are contractors are identified as such.
- ISM-0420: Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality.
Unprivileged Access to Systems
- ISM-0405: Requests for unprivileged access to systems, applications and data repositories are validated when first requested.
- ISM-1852: Unprivileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
- ISM-1566: Use of unprivileged access is centrally logged.
ISM-0409 and ISM-0411 are related to Unprivileged Access to systems by Foreign Nationals.
Privileged Access Management (PAM)
- ISM-1507: Requests for privileged access to systems, applications and data repositories are validated when first requested.
- ISM-1508: Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
- ISM-1175: Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
- ISM-1883: Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
- ISM-1649: Just-in-time administration is used for administering systems and applications.
- ISM-0445: Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.
- ISM-1263: Unique privileged user accounts are used for administering individual server applications.
- ISM-1509: Privileged access events are centrally logged.
- ISM-1650: Privileged user account and security group management events are centrally logged.
ISM-0446 and ISM-0447 are related to Privileged Access to systems by Foreign Nationals.
Other IAM related Controls
- ISM-0430, ISM-1591, ISM-1404, ISM-1648, ISM-1716, ISM-1647 are about Suspension of access to systems.
- ISM-0407 is about Recording authorisation for personnel to access systems.
- ISM-0441 and ISM-0443 are about Temporary access to systems.
- ISM-1610, ISM-1611, ISM-1612, ISM-1614, ISM-1615, ISM-1613 are about Emergency access to systems.
- ISM-0078 and ISM-0854 are about Control of Australian systems.
- ISM-1603 and ISM-1055 are about Insecure authentication methods.
- ISM-1504, ISM-1679, ISM-1680, ISM-1892, ISM-1893, ISM-1681, ISM-1919, ISM-1173, ISM-0974, ISM-1505, ISM-1401, ISM-1872, ISM-1873, ISM-1874, ISM-1682, ISM-1894, ISM-1559, ISM-1560, ISM-1561, ISM-2011, ISM-1920, ISM-1683 are about Multi-factor authentication.
Similarly, there are numerous other controls for “Single-factor authentication”, “Setting credentials for user accounts”, “Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts”, “Changing credentials”, “Protecting credentials”, “User account lockouts”, “Session termination”, “Screen locking”, etc.
One final note about ISM controls is that each one states its relevance to the Essential Eight Maturity Model. For example, among the MFA related controls mentioned above, ISM-1504 is relevant to ML1, ML2, and ML3 (ML for Maturity Level), ISM-1505 is relevant to ML3, ISM-1873 is relevant to ML2, and ISM-1919 is not relevant to any maturity level.
Conclusion
In addition to the above frameworks, there are other guidelines such as APRA CPS 234 (https://www.apra.gov.au/information-security), which is a mandatory prudential standard issued by the Australian Prudential Regulation Authority (APRA). It requires financial institutions such as banks, insurers, and superannuation funds to implement robust information security measures, with an emphasis on board accountability, third-party risk management, and timely detection and response to security incidents. Those institutions as a result use other frameworks discussed earlier in this article to comply with these guidelines.
If you have read up to here, you now have a solid understanding of GRC and the role of IAM in it. Both of these cybersecurity areas are extremely important for an organisation to maintain a good cybersecurity posture: one that helps to prevent cyber attacks, to detect, contain, and recover quickly if one occurs, and to protect the organisation from potential legal action.
