ASIC Cyber Resilience Good Practices
The Australian Securities and Investments Commission sets expectations for cyber resilience of regulated entities in the financial services sector. Based on ASIC Report 429 (2015) and Report 716 (2022), it outlines good practices for boards and management in managing cyber security risks. Applies to Australian financial services licensees, credit licensees, and market operators.
Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.
Visit asic.gov.au
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (8)
Asset Management
Centralised asset and configuration management.
| Code | Title |
|---|---|
| ASIC-CR-AM-1 | Centralised asset management system |
| ASIC-CR-AM-2 | Configuration management |
Collaboration and Information Sharing
Information sharing with peers, agencies and threat-intel providers.
| Code | Title |
|---|---|
| ASIC-CR-CO-1 | Confidential information sharing |
| ASIC-CR-CO-2 | Specialist threat-intelligence providers |
Cyber Awareness and Training
Staff awareness, training and testing.
| Code | Title |
|---|---|
| ASIC-CR-AT-1 | Staff awareness and training |
| ASIC-CR-AT-2 | Continuous development |
| ASIC-CR-AT-3 | Random staff testing |
Cyber Risk Management and Threat Assessment
Intelligence-led cyber risk management and third-party risk.
| Code | Title |
|---|---|
| ASIC-CR-RM-1 | Intelligence-led cyber risk management |
| ASIC-CR-RM-2 | Fusion centres for real-time monitoring |
| ASIC-CR-RM-3 | Third-party and supply chain risk management |
Cyber Security Strategy and Governance
Board ownership, responsive governance and alignment of cyber strategy.
| Code | Title |
|---|---|
| ASIC-CR-GOV-1 | Board engagement and periodic review of cyber strategy |
| ASIC-CR-GOV-2 | Treat cyber resilience as a management and investment tool |
| ASIC-CR-GOV-3 | Board cyber fluency |
| ASIC-CR-GOV-4 | End-to-end assurance processes |
| ASIC-CR-GOV-5 | Responsive, event-driven governance |
| ASIC-CR-GOV-6 | Align cyber governance with enterprise governance |
Detection Systems and Processes
Continuous monitoring, analytics and red teaming.
| Code | Title |
|---|---|
| ASIC-CR-DE-1 | Continuous monitoring with SIEM |
| ASIC-CR-DE-2 | Data analytics for threat integration |
| ASIC-CR-DE-3 | Red teaming |
Protective Measures and Controls
Essential Eight and additional protective controls.
| Code | Title |
|---|---|
| ASIC-CR-PR-1 | Implement the ASD Essential Eight |
| ASIC-CR-PR-2 | Security Development Lifecycle |
| ASIC-CR-PR-3 | Encryption of data at rest and in transit |
| ASIC-CR-PR-4 | Outbound email filtering and monitoring |
| ASIC-CR-PR-5 | Restricted removable media / USB access |
Response and Recovery Planning
Scenario-based response, recovery and stakeholder communication.
| Code | Title |
|---|---|
| ASIC-CR-RR-1 | Scenario planning and response exercising |
| ASIC-CR-RR-2 | War gaming |
| ASIC-CR-RR-3 | Proactive board reporting during incidents |
| ASIC-CR-RR-4 | Customer and breach notification |
| ASIC-CR-RR-5 | Stakeholder communication plan |
Your Compliance Coverage
If you comply with ASIC Cyber Resilience Good Practices, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| NIST Cybersecurity Framework 2.0 | 93% | 27 |
| APRA CPS 234 | 38% | 11 |
| NIST SP 800-53 Rev 5 | 28% | 8 |
Plus 2 more: ASD Strategies to Mitigate Cyber Security Incidents (24%), ACSC Essential Eight (3%).
Maps to 5 other frameworks.
Frequently Asked Questions
What is ASIC Cyber Resilience Good Practices?
ASIC Cyber Resilience Good Practices is a compliance framework from Australia with 8 domains and 29 controls. The Australian Securities and Investments Commission sets expectations for cyber resilience of regulated entities in the financial services sector. Based on ASIC Report 429 (2015) and Report 716 (2022), it outlines good practices for boards and management in managing cyber security risks. Applies to Australian financial services licensees, credit licensees, and market operators. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does ASIC Cyber Resilience Good Practices have?
ASIC Cyber Resilience Good Practices has 29 controls organised across 8 domains. The largest domains are Cyber Security Strategy and Governance (6 controls), Protective Measures and Controls (5 controls) and Response and Recovery Planning (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does ASIC Cyber Resilience Good Practices map to?
ASIC Cyber Resilience Good Practices maps to 5 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (93% coverage), APRA CPS 234 (38% coverage) and NIST SP 800-53 Rev 5 (28% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with ASIC Cyber Resilience Good Practices compliance?
Start your ASIC Cyber Resilience Good Practices compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ASIC Cyber Resilience Good Practices requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 29 controls and track your progress.