The UK NCSC 10 Steps and how they compare to the ACSC Essential Eight

The NCSC “10 Steps to Cyber Resilience” is a set of high-level guidelines developed by the UK’s National Cyber Security Centre (NCSC). It provides organizations with a framework to improve their cybersecurity posture. The 10 Steps cover various aspects of cybersecurity, including risk management, user education, network security, incident response, and system configuration. The guidelines focus on understanding and managing risks, implementing appropriate controls, and fostering a culture of security within the organization.
The steps are:

• Risk management: Take a risk-based approach to securing your data and systems. This involves identifying and assessing your organization’s cyber risks, and then implementing controls to mitigate those risks.
• Engagement and training: Collaboratively build security that works for people in your organisation. This involves educating employees about cyber security risks and how to protect themselves and the organization from attack.
• Asset management: Know what data and systems you have and what business need they support. This helps you to prioritize your security efforts and ensure that your most important assets are protected.
• Architecture and configuration: Design, build, maintain and manage systems securely. This includes using secure configurations, implementing appropriate security controls, and keeping your systems up to date with the latest security patches.
• Vulnerability management: Identify and remediate vulnerabilities in your systems and software. This helps to reduce the risk of exploitation by attackers.
• Identity and access management: Control who has access to your systems and data, and what level of access they have. This helps to prevent unauthorized access and unauthorized use of data.
• Data security: Protect your data both in transit and at rest. This includes using strong encryption, implementing access controls, and protecting your data from unauthorized access.
• Logging and monitoring: Continuously monitor your systems and networks for suspicious activity. This helps you to detect and respond to attacks quickly.
• Incident management: Plan your response to cyber incidents in advance. This helps you to respond quickly and effectively to attacks, minimizing the damage caused.
• Supply chain security: Assess and manage the security risks posed by your suppliers. This helps to protect your organization from attack through third parties.

In Australia, the closest comparison is the ACSC Essential Eight. Though they differ in that the 10 Steps are more comprehensive, place a greater emphasis on risk management and engagement and training. The Essential Eight is more prescriptive than the general guidance provided by the 10 Steps.

The 10 Steps cover a wider range of topics and also place a greater emphasis on risk management and engagement and training. The Essential Eight, on the other hand, are more focused on technical controls.

They do overlap in some areas, for example the 10 Steps’ Asset Management and Vulnerability Management align quite closely to to The Essential Eight’s Patch Applications and Patch Operating systems Strategies. Some steps like Logging and Monitoring are also contained within the Essential Eight Maturity Model.

While we recommend organisations implement the Essential Eight strategies that are applicable to their risk profile – and note that many commonwealth and state government agencies are mandated to implement Essential Eight to specific Maturity Levels – the 10 Steps are valuable resources for Australian government agencies that are looking to improve their cyber security posture.

If you are an Australian Government organisation and want to know more about improving your cybersecurity posture aligning with the Essential Eight as well as informed by other frameworks like the 10 Steps, ACSC Gateway Guidance or DTA Cyber Hubs, please get in touch using the below form.