Australian Energy Sector Cyber Security Framework (AESCSF)

Australia

v2024

11 domains

32 controls

The Australian Energy Sector Cyber Security Framework is developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre. It provides a maturity model approach to cyber security for Australia's energy sector, incorporating elements from NIST CSF, C2M2, and the ASD Essential Eight. Applies to electricity and gas market participants.

Verified

Get the official standard — this page is an AI-assisted companion tool, not a replacement for the authoritative text.

Visit aemo.com.au

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (11)

Asset, Change and Configuration Management

3 controls

Manage IT and OT assets, configurations and changes (Domain ACM).

Controls in the Asset, Change and Configuration Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-ACM-1	Asset inventory	Maintain an inventory of IT and OT assets important to the delivery of the energy function.
AESCSF-ACM-2	Configuration management	Establish and maintain secure configuration baselines for assets.
AESCSF-ACM-3	Change management	Manage changes to assets through a controlled change-management process.

Australian Privacy Management

2 controls

Manage personal information in line with Australian privacy obligations (Domain APM, AESCSF addition).

Controls in the Australian Privacy Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 2 controls
Code	Title	Description
AESCSF-APM-1	Australian privacy management	Manage personal information in accordance with the Australian Privacy Principles and the Privacy Act 1988.
AESCSF-APM-2	Privacy breach management	Detect, manage and notify privacy/data breaches affecting personal information.

Cyber Security Program Management

3 controls

Establish and govern an enterprise cyber security program (Domain CPM).

Controls in the Cyber Security Program Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-CPM-1	Cyber security program management	Establish, resource and maintain an enterprise cyber security program.
AESCSF-CPM-2	Cyber security governance and strategy	Provide governance and strategic direction for cyber security, with board/executive oversight.
AESCSF-CPM-3	Cyber security architecture	Establish and maintain a cyber security architecture for IT and OT environments.

Event and Incident Response, Continuity of Operations

4 controls

Detect, respond to and recover from incidents and maintain continuity (Domain IR).

Controls in the Event and Incident Response, Continuity of Operations domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 4 controls
Code	Title	Description
AESCSF-IR-1	Incident response plan	Establish and maintain a cyber incident response plan covering IT and OT.
AESCSF-IR-2	Incident detection and handling	Detect, analyse, contain and eradicate cyber incidents.
AESCSF-IR-3	Continuity of operations and recovery	Maintain continuity and recover operations after a cyber incident, including for OT-dependent energy functions.
AESCSF-IR-4	Incident reporting	Report cyber incidents to AEMO, the ACSC and (where applicable) under the SOCI Act.

Identity and Access Management

3 controls

Manage identities and control access to IT and OT (Domain IAM).

Controls in the Identity and Access Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-IAM-1	Identity management	Establish and maintain identities for personnel and devices accessing IT and OT.
AESCSF-IAM-2	Access control	Control and limit access to IT and OT, including privileged access, on a least-privilege basis.
AESCSF-IAM-3	Multi-factor authentication	Require multi-factor authentication for remote and privileged access to IT and OT.

Information Sharing and Communications

2 controls

Share cyber security information and communicate with stakeholders (Domain ISC).

Controls in the Information Sharing and Communications domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 2 controls
Code	Title	Description
AESCSF-ISC-1	Cyber security information sharing	Share and receive cyber security information with AEMO, the ACSC and sector peers.
AESCSF-ISC-2	Stakeholder communications	Communicate with internal and external stakeholders, including during cyber incidents.

Risk Management

3 controls

Establish and manage a cyber security risk management program for IT and OT (Domain RM).

Controls in the Risk Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-RM-1	Establish cyber security risk management strategy	Establish and maintain a cyber security risk management strategy and program covering both IT and operational technology...
AESCSF-RM-2	Identify and assess cyber risks	Identify, analyse and prioritise cyber security risks to the organisation's IT and OT assets and critical functions.
AESCSF-RM-3	Manage and treat cyber risks	Treat identified risks to within risk tolerance and monitor residual risk over time.

Situational Awareness

3 controls

Establish situational awareness through logging, monitoring and a common operating picture (Domain SA).

Controls in the Situational Awareness domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-SA-1	Logging and monitoring	Log and monitor security-relevant events across IT and OT.
AESCSF-SA-2	Anomaly and event detection	Detect anomalies and cyber events that may indicate compromise.
AESCSF-SA-3	Common operating picture	Establish a common operating picture of the cyber security state to support decisions.

Supply Chain and External Dependencies Management

3 controls

Manage cyber risks from suppliers and external dependencies (Domain EDM).

Controls in the Supply Chain and External Dependencies Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-EDM-1	Supply chain risk management	Manage cyber security risks arising from suppliers and the supply chain.
AESCSF-EDM-2	External dependency assessment	Identify and assess external dependencies (including third-party and shared services) important to energy delivery.
AESCSF-EDM-3	Dependency resilience	Manage and monitor external dependencies to maintain resilience of critical functions.

Threat and Vulnerability Management

3 controls

Identify and manage threats and vulnerabilities (Domain TVM).

Controls in the Threat and Vulnerability Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-TVM-1	Vulnerability management	Identify, assess and remediate vulnerabilities in IT and OT in a timely, risk-based manner.
AESCSF-TVM-2	Threat management	Collect and use cyber threat intelligence relevant to the energy sector.
AESCSF-TVM-3	Patch and remediation management	Apply security patches and remediations to IT and OT, balancing operational constraints.

Workforce Management

3 controls

Manage the cyber security workforce, training and personnel security (Domain WM).

Controls in the Workforce Management domain of Australian Energy Sector Cyber Security Framework (AESCSF) — 3 controls
Code	Title	Description
AESCSF-WM-1	Cyber security workforce management	Define cyber security roles and ensure the workforce has the capacity to perform them.
AESCSF-WM-2	Training and awareness	Provide cyber security training and awareness to the workforce, including OT personnel.
AESCSF-WM-3	Personnel security	Apply personnel security controls (screening, onboarding and offboarding) for access to IT and OT.

Your Compliance Coverage

If you comply with Australian Energy Sector Cyber Security Framework (AESCSF), you already cover:

NIST Cybersecurity Framework 2.0

59%

19 controls mapped

Compare →

NIST SP 800-53 Rev 5

28%

9 controls mapped

Compare →

ISO 27018:2019

3 controls mapped

Compare →

+ 10 more: ISO 27002:2022 (9%), Australian Privacy Principles (APPs) (6%)

See all 13 mapped frameworks ↓

Maps to 13 other frameworks

32 total controls

NIST Cybersecurity Framework 2.0

19 source controls mapped|19 target controls covered

59%

NIST SP 800-53 Rev 5

9 source controls mapped|10 target controls covered

28%

ISO 27018:2019

3 source controls mapped|3 target controls covered

ISO 27002:2022

3 source controls mapped|3 target controls covered

Australian Privacy Principles (APPs)

2 source controls mapped|2 target controls covered

ISO 27701:2019

2 source controls mapped|2 target controls covered

ACSC Essential Eight

2 source controls mapped|3 target controls covered

ISO 27001:2022

2 source controls mapped|2 target controls covered

ISO 37001:2016

1 source controls mapped|1 target controls covered

ISO 27017:2015

1 source controls mapped|1 target controls covered

ISO 45001:2018

1 source controls mapped|2 target controls covered

ISO 55001:2014

1 source controls mapped|1 target controls covered

ISO 10007:2017

1 source controls mapped|1 target controls covered

Compare Australian Energy Sector Cyber Security Framework (AESCSF) with NIST Cybersecurity Framework 2.0

Frequently Asked Questions

What is Australian Energy Sector Cyber Security Framework (AESCSF)?

Australian Energy Sector Cyber Security Framework (AESCSF) is a compliance framework from Australia with 11 domains and 32 controls. The Australian Energy Sector Cyber Security Framework is developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre. It provides a maturity model approach to cyber security for Australia's energy sector, incorporating elements from NIST CSF, C2M2, and the ASD Essential Eight. Applies to electricity and gas market participants. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Australian Energy Sector Cyber Security Framework (AESCSF) have?

Australian Energy Sector Cyber Security Framework (AESCSF) has 32 controls organised across 11 domains. The largest domains are Event and Incident Response, Continuity of Operations (4 controls), Asset, Change and Configuration Management (3 controls), Cyber Security Program Management (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Australian Energy Sector Cyber Security Framework (AESCSF) map to?

Australian Energy Sector Cyber Security Framework (AESCSF) maps to 13 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (59% coverage), NIST SP 800-53 Rev 5 (28% coverage), ISO 27018:2019 (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Australian Energy Sector Cyber Security Framework (AESCSF) compliance?

Start your Australian Energy Sector Cyber Security Framework (AESCSF) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Australian Energy Sector Cyber Security Framework (AESCSF) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.

Get Started Free →

Free forever — no credit card required