
Not sure which standard applies to you? Here is how they all connect — and which path makes sense for your business.

ISO 27001, Essential Eight, DISP, SMB1001, Privacy Act — if you have heard several of these mentioned and are not sure where they overlap or where to start, this page is for you.

How the standards relate to each other

These are not competing options. Most of them build on each other — and work done toward one reduces the effort required for the others.

[Diagram: how the standards relate to each other]

- ISO 27001: comprehensive information security management. The outer layer that the other standards map into.
- Privacy frameworks (run parallel to security): AU Privacy Act 1988, NZ Privacy Act 2020, ISO 27701 (on top of ISO 27001). Path: SMB sprint → full programme, i.e. Privacy Act Compliance → Privacy Framework.
- DISP (Defence Industry Security Program): requires E8 plus the governance, personnel and physical security streams. The info / cyber security stream is covered by E8.
- Essential Eight: 8 mitigation strategies at maturity levels ML1, ML2 and ML3. Natural DISP on-ramp.
- M365 Security: lives inside E8. Covers Entra ID, Exchange / SharePoint, Defender / Teams.
- SMB1001: built on E8 ML1. Bronze → Silver → Gold path to certification.
- Getting Started assessments sit at any entry point: they measure where you are before you commit to an implementation path.

The key insight: M365 security sits inside Essential Eight. Essential Eight sits inside DISP. SMB1001 uses E8 ML1 as its technical backbone. ISO 27001 is the comprehensive outer layer that all others map into. Privacy frameworks run in parallel.

Key relationships explained

If you address one standard, here is what that work does for the others.

M365 inside E8

Every control you apply to your Microsoft 365 environment — MFA, conditional access, application control, patching — directly satisfies Essential Eight requirements. A good M365 security posture gets you part of the way to E8 ML1 before you start.

E8 inside DISP

DISP requires compliance across four security streams. The information and cyber security stream maps almost entirely to the Essential Eight. If you have achieved E8 ML1 or ML2, the DISP cyber stream is largely covered — the remaining DISP work is governance, personnel, and physical security.

SMB1001 = E8 ML1 as its backbone

SMB1001 Bronze certification is built on Essential Eight Maturity Level 1 as its technical foundation, plus governance controls on top. If you are working toward SMB1001, you are also building toward E8 compliance. The certifications are complementary, not competing.

E8 + DISP map into ISO 27001

Both E8 and DISP map substantially into ISO 27001 Annex A controls. If you have done either, a significant proportion of your ISO 27001 control implementation is already done. ISO 27001 is the comprehensive outer layer — it absorbs the others without conflict.

Privacy runs parallel

Privacy frameworks — the AU Privacy Act, NZ Privacy Act 2020, and ISO 27701 — are independent programmes that run alongside your security frameworks. Some controls overlap (data breach response, access control), but privacy compliance is a separate obligation that requires its own programme.

Where to start

Start with a Getting Started assessment. A Cyber Risk Snapshot, E8 Assessment, Privacy Health Check, or M365 Security Review tells you where you are before you commit to a path. Every implementation service starts here — and the assessment fee is typically credited against the implementation.

Four paths for AU and NZ SMEs

Most businesses fit one of these journeys. Pick the one that reflects why you are looking at this.

Defence Supply Chain

You are pursuing DISP or working with a defence prime.

1. M365 Security Review: Lock down your Microsoft environment — this is the natural DISP on-ramp for the cyber stream.
2. Essential Eight Assessment: Baseline your E8 maturity — DISP assessors look at this directly.
3. DISP Accreditation: Governance, personnel, physical, and cyber security streams — with E8 covering most of the cyber work.

Start your DISP journey
Achievable Certification

You want a recognised credential without 12 months of ISO 27001 work.

1. Cyber Risk Snapshot: Understand your starting position — what you have and what gaps need closing before certification.
2. SMB1001 Certification: Bronze in weeks. An internationally recognised credential your clients and insurers will know.
3. ISO 27001 (optional next step): If a client or tender requires it, your SMB1001 work is a significant head start.

See your certification options
Enterprise Supply Chain Pressure

A client like Westpac, CBA, or BHP is requiring E8 or ISO 27001.

1. E8 Maturity Assessment: Independent baseline against the client's required maturity level. Evidence pack included.
2. E8 Implementation: Systematic implementation to target maturity — coordinated with your MSP, overseen independently.
3. ISO 27001 Certification: If the tender requires it — your E8 work covers a significant portion of Annex A controls.

Meet your client requirements
Privacy Compliance

The Privacy Act exemption ends 1 July 2026 — or you handle personal data at scale.

1. Privacy Health Check: Data flow mapping and gap analysis against the AU Privacy Act 1988 or NZ Privacy Act 2020.
2. Privacy Act Compliance Sprint: 4–6 week sprint to get compliant before 1 July 2026. For businesses newly covered by the AU Act.
3. Privacy Framework: Ongoing privacy programme — PIAs, Privacy Officer services, and continuous compliance as your organisation grows.

Start before 1 July 2026

Common questions about how standards relate

How does the Essential Eight relate to ISO 27001?

The Essential Eight is an Australian Government framework of eight specific technical mitigation strategies. ISO 27001 is a broader international standard for information security management. The E8 strategies map substantially into ISO 27001 Annex A controls — particularly in access control, patching, and incident response. Organisations that have implemented E8 ML2 or ML3 have covered a significant portion of the ISO 27001 control set. Neither replaces the other: E8 is prescriptive and technical; ISO 27001 requires a management system and documentation that E8 alone does not provide.

What is SMB1001 and how does it compare to ISO 27001?

SMB1001 is a tiered cybersecurity certification standard designed specifically for small and medium businesses. It uses Essential Eight Maturity Level 1 as its technical backbone and adds governance controls on top. Bronze certification is achievable in weeks and provides an audited credential that insurers and clients are starting to recognise. ISO 27001 is the more comprehensive and internationally recognised standard — significantly more work to achieve, but the right answer when enterprise clients or government contracts require it. SMB1001 Bronze is often the right first step, with ISO 27001 as a longer-term goal where needed. See SMB1001 Certification and ISO 27001 Certification.

If I am pursuing DISP, do I need Essential Eight separately?

DISP covers four security streams: governance, personnel, physical, and information/cyber. The information and cyber security stream aligns closely with the Essential Eight. DISP assessors look at your E8 maturity as part of the cyber stream assessment. So no — you do not need a separate E8 engagement if you are doing DISP, but demonstrating E8 maturity (particularly ML1 or ML2) strengthens your DISP application. See DISP accreditation and Essential Eight Implementation.

Does the AU Privacy Act apply to NZ businesses — and vice versa?

Each Act has jurisdiction based on where personal information is collected and where the organisation operates, not just where it is headquartered. An AU business that collects personal information from NZ individuals may have NZ Privacy Act 2020 obligations. An NZ business operating in Australia may have AU Privacy Act 1988 obligations. If you operate across both, you need both. See Privacy Framework for organisations needing ongoing coverage of both Acts.

Where should I start if I am not sure which standard applies?

A Cyber Risk Snapshot is the generalist entry point — it identifies what you have, what gaps exist, and which standards are most relevant to your situation. If you know the trigger (an insurer, a client, a regulator), the scenario cards on the Cyber Services page point you directly to the right path. If you are genuinely unsure, talk to us — we will give you an honest view without a sales agenda.

Still not sure which path fits your situation?

Tell us what is prompting the conversation and we will help you work out where to start. No obligation.

Find your path

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.