
8 IT Governance Frameworks Every Australian Business Should Know

Most businesses today are data-driven in some form – whether it is managing vast amounts of information to keep operations running or making strategic decisions based on analytics. However, many IT infrastructures are complex and require extensive resources and knowledge to effectively manage, which leaves them vulnerable to cyber threats, system issues and downtime.

IT governance is a structured approach that ensures technology investments align with business goals, optimise resources, and manage risks effectively. It provides a clear framework for decision-making, accountability, and compliance, helping businesses maintain security and efficiency and achieve long-term success.

In this post, we examine eight powerful frameworks that strengthen and protect your IT infrastructure and offer some top tips on how to implement them.

Understanding IT Governance

Every successful organisation operates based on a structured blueprint known as a corporate governance framework. It influences all aspects of operations, from decision-making at the board level to the relationships between shareholders and even how teams work together.

IT Governance plays an important role in this framework. It is specifically focused on aligning a business’s IT strategy with its broader business goals. However, it goes beyond traditional IT management, providing structured policies, processes, and controls that help organisations make better decisions, handle risks effectively, and maximise the value of their technology investments.

Put simply, IT Governance:

  • Makes sure IT projects and decisions support the bigger business goals.
  • Helps manage budgets, teams, and technology efficiently.
  • Puts strategies in place that protect against cyber threats, system failures, and compliance issues.
  • Tracks performance to ensure IT systems are delivering real results.
  • Ensures technology investments continue to benefit the business.

IT Governance Frameworks Overview

An IT governance framework is a set of proven guidelines and best practices that helps an organisation build a strong, structured approach to managing its technology. These frameworks help organisations of all sizes align their IT strategy with business goals while ensuring compliance with legal, regulatory, and ethical obligations.

Rather than reinventing the wheel, businesses can use these frameworks to design, implement, and report on their IT governance strategies in a structured, efficient, and effective way. They provide clear steps for decision-making, risk management, and performance tracking, making it easier to optimise IT resources and drive business success.

Each framework has its own focus and strengths, and the right one (or combination) depends on your business’s specific needs. Some of the most widely used IT governance frameworks include:

  • COBIT (Control Objectives for Information and Related Technologies) focuses on aligning IT with business objectives, providing a structured approach to governance and risk management.
  • ITIL (Information Technology Infrastructure Library) is designed to improve IT service management by standardising processes for efficiency and quality.
  • ISO/IEC 38500 is a globally recognised standard that offers high-level principles for IT governance to ensure accountability and performance.
  • CMMI (Capability Maturity Model Integration) helps organisations improve processes and develop IT capabilities to drive continuous improvement.
  • FAIR (Factor Analysis of Information Risk) is a framework specifically designed to assess and quantify cybersecurity and IT risks.

A Closer Look At 8 IT Governance Frameworks

1.     COBIT Framework

COBIT (Control Objectives for Information and Related Technologies) is a well-established IT governance framework developed by ISACA – an organisation that provides guidance on information governance, security, and audit practices.

Originally introduced in 1996 to help financial auditors manage IT systems, COBIT has since evolved into a universal IT governance framework that can be implemented across industries to ensure the quality, control, and reliability of IT systems.

The latest version of COBIT includes 40 governance and management objectives across five key domains:

  • Evaluate, Direct, and Monitor: This defines IT governance objectives and ensures alignment with your business strategy.
  • Align, Plan, and Organise: This focuses on IT strategy, planning, and resource allocation.
  • Build, Acquire, and Implement: This covers the development and deployment of IT solutions.
  • Deliver, Service, and Support: This ensures efficient IT service management and operations.
  • Monitor, Evaluate, and Assess: This tracks IT performance and compliance with governance policies.

Why Businesses Use COBIT

Many organisations struggle to communicate IT controls and strategies effectively—leading to inefficiencies and compliance challenges. The primary goal of COBIT is to create a common language for IT professionals, business leaders, and compliance auditors, reducing confusion and ensuring that IT governance discussions are clear and aligned with business goals. Key benefits include:

  • Measurable benefits
  • Improved risk management
  • Better alignment between IT and business goals
  • Better compliance with regulatory requirements
 

2.     ISO/IEC 38500 For International Best Practices

ISO/IEC 38500 is a global standard for IT governance that offers a high-level framework suitable for businesses of all sizes. It’s designed to help organisations align their IT with overall business objectives and ensure they’re meeting regulatory, legal, and ethical requirements.

Unlike frameworks that govern day-to-day IT management, ISO/IEC 38500 offers a high-level overview, helping leaders and decision-makers make smarter IT decisions that benefit the entire business.

The Principles of ISO/IEC 38500

There are 6 fundamental principles that govern ISO/IEC 38500:

  1. Responsibility: Define clear IT roles and accountability across the business, ensuring every team understands its responsibilities.
  2. Strategy: Align IT strategy with business goals, ensuring IT supports both current needs and long-term vision.
  3. Acquisition: Base IT investments on solid business cases, ensuring every decision is backed by data and thorough analysis.
  4. Performance: Monitor IT systems to guarantee they’re delivering the expected value and driving business outcomes.
  5. Conformance: Ensure strict adherence to internal policies and regulatory requirements, minimising legal and compliance risks.
  6. Human Behaviour: Recognise that IT decisions affect everyone (employees, customers, and stakeholders) and should always be made with their needs in mind.
 

3.     The Essential Eight

Created in 2017 by the Australian Cyber Security Centre (ACSC), the Essential Eight is Australia’s home-grown cybersecurity framework. It helps organisations across the nation build stronger cyber defences, protects internet-connected systems from evolving cyber threats, and forms the foundation of IT governance for many local businesses.

The Essential Eight has eight fundamental mitigation strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-factor Authentication
  8. Regular Backups

These strategies help prevent attacks, limit their impact, and enable recovery. The framework defines four maturity levels, each describing the level of adversary tradecraft an organisation is equipped to withstand:

  • Maturity Level Zero: Weaknesses remain in the organisation’s security posture that, if exploited, could expose critical systems and data. Put simply, sensitive systems and information are at risk.
  • Maturity Level One: Here, attackers use simple, readily available tools to exploit obvious vulnerabilities. They target anyone they can, typically by exploiting weaknesses in software or passwords.
  • Maturity Level Two: These attackers are willing to invest more time and effort in their tools and targets. They typically employ social engineering techniques (think phishing and similar methods) to trick employees into handing over sensitive information.
  • Maturity Level Three: At this level, attackers are more advanced and highly adaptive. They take the time to learn about an organisation’s security protocols and invest time and effort in bypassing those defences.

Implementation Guidelines for Different Business Sizes

When it comes to implementing the Essential Eight framework, organisations should approach it based on their size and industry.

  • Small and Medium-Sized Businesses (SMBs): Start with Maturity Level One as your foundation. This level is designed to help you establish a solid IT governance base, and as your business expands and your infrastructure matures, you can gradually move toward Maturity Level Two.
  • Large Enterprises: For big organisations with complex operations and large data volumes, it’s essential to operate at Maturity Level Two at a minimum. As your organisation evolves, you’ll need to push toward Maturity Level Three to keep up with growing IT demands and ensure governance across a larger scale.
  • High-Risk Sectors (Healthcare, Finance, Critical Infrastructure): For industries where safety and compliance are paramount, Maturity Level Three is not optional. These sectors have a higher risk profile, and the potential consequences of inadequate IT governance can impact public safety. Maturity Level Three is necessary to mitigate these risks and ensure the highest standards of IT governance.
 

4.     ITIL Framework

The Information Technology Infrastructure Library (ITIL) is a widely used framework that provides a structured approach to IT service management. Originally designed to standardise IT support and service management processes, ITIL is particularly popular with Australian universities and businesses as a way to create a clear, well-organised strategy for managing IT services and digital technology. Its main benefits are:

  • Better Service Quality: Standardised service delivery makes systems more reliable
  • Risk Management: Smart planning helps reduce potential issues
  • Resource Optimisation: Efficient processes lead to smarter resource use
  • Business Alignment: IT services support business goals directly

The latest version, ITIL 4, released in 2019, offers solutions to address the complexities and demands of modern IT service management. It is based on 4 key dimensions to ensure that IT services meet business goals and align with organisational needs:

  • Organisations and People: This focuses on the internal structure of your organisation and the teams involved in service delivery. It’s about understanding how teams are connected, the skill level of staff, and fostering a culture that supports service management.
  • Information and Technology: Here, the focus is on the tools and technologies required to deliver and manage services. It considers the capacity and capabilities of your IT infrastructure, and how effectively it supports both product delivery and IT governance.
  • Partners and Suppliers: This dimension highlights the role of external partners and suppliers who help deliver services. It’s about managing relationships with vendors and ensuring they align with your business needs.
  • Value Streams and Processes: This covers how services and products are delivered from start to finish. It ensures your processes are streamlined, efficient, and continuously improving.
 

5.     NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology, is a highly flexible and widely recognised set of guidelines for managing cybersecurity risks. While it originated in the United States, it’s increasingly being adopted globally, including in Australia.

At its core, the NIST CSF is a risk-based approach that helps organisations identify, manage, and mitigate cybersecurity threats. It provides a structured yet adaptable framework that can be tailored to different business needs, ensuring that any organisation, regardless of its industry or size, can implement effective cybersecurity measures.

The NIST CSF has six core functions that serve as the foundation of good cybersecurity governance:

  1. Govern: Sets the overall cybersecurity strategy for the organisation. It ensures that there is clear leadership and oversight in place, including the management of supply chain risks.
  2. Identify: Involves understanding the critical assets that need protection, the vulnerabilities within the system, and the potential threats that could impact business operations. This stage forms the basis of all future decisions related to cybersecurity.
  3. Protect: Once risks have been identified, effective safeguards are implemented. This includes setting up controls, access management protocols, and procedures to defend against cyber threats.
  4. Detect: Even with protective measures in place, organisations must be prepared to identify cybersecurity incidents as they occur. This function focuses on developing and maintaining the capability to quickly detect and assess potential attacks or security breaches.
  5. Respond: Once an incident is detected, NIST emphasises the need for a well-coordinated incident response: taking immediate and effective action to contain the breach, mitigate damage, and prevent further compromise. The goal is to limit the impact of the attack and reduce the recovery time.
  6. Recover: After an attack or breach, the focus shifts to recovery. This involves restoring affected systems, data, and operations as quickly as possible to resume business continuity.

 

6.     FAIR: A Quantitative Risk Assessment for Modern Businesses

FAIR (Factor Analysis of Information Risk) is the only internationally recognised quantitative model designed to assess both information security and operational risks in clear, financial terms. While it is easy to understand the qualitative impacts of a cyber attack or downtime, it is also important to understand the risks as tangible financial numbers. After all, at the end of the day it is business.

This risk analysis methodology helps organisations break down complex risks into measurable components, allowing them to understand, analyse, and prioritise risks based on their financial impact. By applying a structured, data-driven approach, businesses can make more informed decisions when allocating resources to mitigate potential risks.

FAIR has 5 Main Components

  • Risk Analysis Methodology: A standardised system to classify information and operational risks, ensuring consistent understanding across organisations.
  • Data Collection Criteria Framework: Establishes guidelines for collecting relevant risk data.
  • Measurement Scales for Risk Factors: Provides the scales needed to measure the potential impact and likelihood of risks.
  • Complex Risk Scenario Analysis: Offers the ability to model detailed risk scenarios, improving the accuracy of risk predictions.
  • Computational Engines for Risk Calculation: Integrates advanced computational tools to calculate and assess risk exposure more precisely.

Quantifying Cyber-Risks

In FAIR, risks are assessed through two main components: Loss Event Frequency (LEF) and Loss Magnitude (LM).

  • Loss Event Frequency (LEF) combines the likelihood of a threat event occurring with the vulnerability of your systems, giving how often a threat is expected to actually result in a loss.
  • Loss Magnitude (LM) measures the direct and indirect financial impact of those events. Primary losses include direct costs such as productivity loss and recovery expenses, while secondary losses reflect indirect costs like reputational damage, fines, and missed business opportunities.

This structured approach allows businesses to more effectively quantify the impact of cyber risks.

Implementing FAIR

  • The first step is Risk Scenario Identification, where businesses identify the key assets at risk and link them to potential threats.
  • Next is Loss Event Frequency Assessment, where businesses assess how often threats could occur, the capabilities of those threats, and the strength of existing defences.
  • The third stage is Loss Magnitude Assessment, where businesses measure both primary and secondary losses and consider their immediate and long-term effects.
  • Finally, in Risk Derivation and Communication, risk factors are grouped together and assessed, and computational modelling is used to calculate expected losses, which are then communicated to stakeholders in financial terms.
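To make the LEF × LM derivation and the four implementation steps above concrete, here is an added Python illustration (not code from the original article or from the FAIR standard) that derives annualised loss for one constructed ransomware scenario, first from most-likely values only and then by Monte Carlo over calibrated ranges. The scenario figures, the AUD amounts, and the use of a triangular distribution in place of FAIR tooling’s PERT distributions are all assumptions.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw stands in for the PERT distributions FAIR tooling uses.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: an asset, a threat and the losses it could cause."""
    name: str
    threat_event_frequency: Estimate      # threat events per year
    vulnerability: Estimate               # P(threat event becomes a loss event)
    primary_loss: Estimate                # AUD per loss event (productivity, recovery)
    secondary_loss_probability: Estimate  # P(fines/reputational fallout follows)
    secondary_loss: Estimate              # AUD per event with that fallout


# Constructed values for a hypothetical ransomware scenario (not real assessment data).
RANSOMWARE = Scenario(
    "Ransomware on file server",
    threat_event_frequency=Estimate(2, 5, 12),
    vulnerability=Estimate(0.1, 0.3, 0.6),
    primary_loss=Estimate(20_000, 50_000, 150_000),
    secondary_loss_probability=Estimate(0.05, 0.2, 0.5),
    secondary_loss=Estimate(50_000, 200_000, 1_000_000),
)


def point_estimate(s: Scenario) -> dict:
    """Most-likely-value derivation: LEF = TEF x Vuln, LM = primary + P(sec) x secondary."""
    lef = s.threat_event_frequency.likely * s.vulnerability.likely
    lm = s.primary_loss.likely + s.secondary_loss_probability.likely * s.secondary_loss.likely
    return {"lef": lef, "lm": lm, "annual_loss": lef * lm}


def simulate(s: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the ranges: mean, median and 90th-percentile annual loss."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        tef = s.threat_event_frequency.sample(rng)
        vuln = s.vulnerability.sample(rng)
        # Fractional part of TEF becomes one extra event with matching probability.
        events = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
        total = 0.0
        for _ in range(events):
            if rng.random() >= vuln:
                continue  # threat event did not turn into a loss event
            total += s.primary_loss.sample(rng)
            if rng.random() < s.secondary_loss_probability.sample(rng):
                total += s.secondary_loss.sample(rng)
        annual.append(total)
    annual.sort()
    return {"mean": mean(annual), "p50": annual[len(annual) // 2], "p90": annual[int(len(annual) * 0.9)]}
```

The point estimate comes out at about A$135,000 a year, while the range-based simulation gives a mean roughly three times higher with a long tail; that gap is why FAIR practitioners communicate ranges and percentiles to stakeholders rather than a single number.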
 

7.     CMMI

The Capability Maturity Model Integration (CMMI) is a globally recognised framework designed to help organisations improve their processes for developing and maintaining products and services. It was developed by the Software Engineering Institute at Carnegie Mellon University to provide a structured approach to process improvement, reducing risks in software, product, and service development.

Put simply, the CMMI framework is a set of best practices that can be applied at different levels of an organisation to drive continuous improvement. It describes five maturity levels that assess an organisation’s journey toward peak operational efficiency:

  • Level 1 – Initial: Here, processes are unpredictable and reactive, often leading to project delays, budget overruns, and inconsistent results.
  • Level 2 – Managed: Teams implement structured planning, ensuring that project execution is controlled and measurable.
  • Level 3 – Defined: Organisations move from a reactive to a proactive approach, applying standard practices across projects and portfolios.
  • Level 4 – Quantitatively Managed: Decision-making becomes data-driven, and performance aligns with stakeholder expectations.
  • Level 5 – Optimising: Organisations achieve stability while maintaining flexibility and are able to quickly respond to changes and new opportunities.

The latest version of this framework, CMMI Version 2.0, places an even greater emphasis on performance. It helps businesses understand their performance needs, set measurable goals, and track progress at every stage of maturity.

It also aligns more seamlessly with Agile and Scrum methodologies (Agile is a flexible, iterative approach to project management, while Scrum is a structured Agile framework that organises work into short, time-boxed sprints). With an added focus on safety and security, it helps businesses refine their existing workflows without disrupting what already works.

 

8.     Australian Government PSPF Framework

The Australian Government introduced the Protective Security Policy Framework (PSPF) in 2024 to help government entities safeguard their people, information, and assets. Built on a tiered structure, the PSPF includes core principles, security domains, policies, and technical guidelines to ensure a strong and consistent approach to security across agencies. Its security domains cover:

  • Security Governance: Establishing clear planning, roles, and reporting structures.
  • Risk Management: Managing enterprise-wide and third-party security risks.
  • Information Security: Implementing classification systems and data protection measures.
  • Technology Security: Strengthening cyber defences and securing digital assets.
  • Personnel Security: Managing vetting procedures and access controls.
  • Physical Security: Ensuring the security of government facilities and infrastructure.

Private Sector Applications

While the PSPF primarily applies to government entities, private organisations that handle sensitive government information must also comply with specific PSPF requirements under special agreements. For example, ASIC-licensed information brokers must:

  • Implement security measures that align with material classification levels.
  • Regularly review and assess security arrangements.
  • Monitor subcontractor compliance with PSPF guidelines.
  • Protect sensitive information from unauthorised access.

How Can Businesses Start Implementing IT Governance?

Implementing a successful IT governance framework requires a structured approach with clear objectives and processes. Here’s a closer look at the factors to consider:

  • Define Clear Goals: Start by outlining what you want the framework to achieve. Are you focusing on risk management, regulatory compliance, resource optimisation, or overall IT efficiency? Setting clear objectives ensures your efforts are aligned with business priorities.
  • Assess Your Current Framework: Take a close look at your existing IT governance practices. Do you already have policies in place? Are roles and responsibilities clearly defined? Understanding your starting point helps identify what needs improvement.
  • Identify Strengths, Weaknesses & Opportunities: Identify where your IT governance is working well and where there are gaps. This could include security risks, inefficiencies, or compliance concerns. Pinpointing these areas helps you develop a more effective strategy with a clear hierarchy and plan of action.
  • Engage Key Stakeholders: IT governance involves a number of stakeholders, including leadership, employees, and sometimes external partners. Engaging the right people early ensures buy-in and makes implementation smoother.
  • Monitor Performance: Determine key performance indicators (KPIs) to track how well your governance framework is working. Regular assessments help identify issues before they become major problems and allow for continuous improvement.
  • Commit to Ongoing Management: IT governance is not a one-time project—it’s an ongoing process that requires regular management and updating. Staying informed about regulatory changes and adapting to new technologies will keep your governance strategy relevant and effective.

Taking An Integrated Approach: It is important to consider that a successful IT governance framework doesn’t have to operate in isolation. Instead, it should be embedded within broader business strategies, aligning with operational goals, cybersecurity measures, and compliance requirements. By integrating IT governance across departments and functions, businesses can ensure consistency, improve collaboration, and enhance decision-making.

Unlock Reliable IT Governance & Security

Ultimately, strong IT governance is the backbone of a secure, efficient, and compliant business. Whether you’re navigating cybersecurity risks, streamlining IT processes, or ensuring regulatory compliance, having a structured framework in place is essential. By implementing the right IT governance strategy, businesses can enhance decision-making, reduce risks, and align technology with long-term goals.

At CRT Network Solutions, we specialise in helping businesses like yours build and maintain robust IT systems and infrastructure. From security management and compliance to risk assessment and security monitoring, our expert IT support services ensure your systems stay protected and optimised. Get in touch today to strengthen your IT infrastructure and safeguard your business.
