
Policy Pack Structure

This document defines GetCimple's 2-tier policy structure, designed to provide complete Essential Eight governance coverage at the entry level, with advanced capabilities for organizations with complex operations.

Overview

Policies are organized into two packs:

  • Standard Pack: Complete E8-ready governance (12 policies + E8 Mapping Guide)
  • Complete Pack: Advanced governance for mature security programs (20 policies + E8 Mapping Guide)

Standard Pack (12 Policies + E8 Mapping Guide)

Positioning: Essential governance for Essential Eight compliance

Suited to organizations that need to establish an E8-aligned security posture and meet ACSC baseline requirements.

Policy | Purpose | E8 Relevance
1. cyber-and-information-security-policy.md | Overarching security framework | Sets security direction for all E8 controls
2. access-control-policy.md | User access management | E8 #5 (Restrict admin privileges), E8 #7 (MFA)
3. incident-response-plan.md | Security incident handling | Detection, response, recovery procedures
4. data-backup-and-recovery-policy.md | Data protection and recovery | E8 #8 (Regular backups)
5. privacy-policy.md | Personal information handling | Privacy Act compliance, data subject rights
6. password-authentication-policy.md | Authentication standards | E8 #7 (MFA requirements)
7. third-party-supplier-security-policy.md | Vendor risk management | Supplier assessment, ongoing monitoring
8. business-continuity-and-disaster-recovery-policy.md | Business resilience | Continuity planning, disaster recovery
9. data-classification-policy.md | Information categorization | Enables targeted security controls
10. physical-asset-environment-security-policy.md | Physical security controls | Asset protection, environmental security
11. remote-work-and-byod-policy.md | Modern workplace security | E8 controls for a distributed workforce
12. employee-handbook---cyber-security.md | Staff security guide | Operationalizes policies for all staff

Plus: Essential Eight Mapping Guide - Shows exactly how these 12 policies provide complete governance coverage for all ACSC Essential Eight controls.

Why These Twelve?

  • Complete E8 Coverage: Provides governance for all 8 Essential Eight mitigation strategies
  • Regulatory Foundation: Addresses core Privacy Act and ACSC compliance needs
  • Risk Coverage: Covers critical cyber risks (access, incidents, data loss, vendors, backups)
  • Board Confidence: Provides comprehensive governance oversight
  • Implementation Reality: Achievable for teams to implement systematically

Standard Pack Value Proposition

"Get E8-ready governance from day one. This pack includes 12 foundational policies covering all Essential Eight controls, plus our E8 Mapping Guide that shows you exactly which policies support which controls. Perfect for Australian businesses needing to establish baseline security governance and meet ACSC requirements."

Complete Pack (20 Policies + E8 Mapping Guide)

Positioning: Advanced governance for mature security programs

For organizations managing complex operations, offshoring arrangements, custom software development, or requiring proactive security programs beyond baseline compliance.

Everything in Standard Pack, Plus:

Policy | Purpose | Why in Complete?
13. ai-security-policy.md | AI governance and security | Emerging technology governance
14. social-media-policy.md | Social platform usage | Reputational risk management
15. infrastructure-network-and-cloud-security-policy.md | Technical infrastructure | Detailed technical controls for complex environments
16. third-party-software-acquisition-policy.md | Software procurement security | Supply chain security depth
17. vulnerability-management-policy.md | Proactive security management | Mature security operations, E8 enhancement
18. offshore-outsourcing-and-service-provider-policy.md | Offshore provider governance | ASIC-aligned offshoring controls
19. security-audit-and-compliance-policy.md | Audit and assurance program | Enforcement mechanism for all policies
20. secure-software-development-lifecycle-policy.md | Custom software development security | ACSC ISM alignment for organizations developing web, mobile, or AI applications

Complete Pack Benefits

  • ASIC Alignment: Dedicated offshoring and audit policies addressing 2025 regulatory findings
  • Proactive Security: Vulnerability management and continuous assurance
  • Emerging Risks: Covers AI and social media governance
  • Technical Depth: Detailed infrastructure and supply chain controls
  • Mature Operations: Audit framework for complex, multi-vendor environments
  • Software Development: Comprehensive ACSC ISM-aligned governance for custom application development

Complete Pack Value Proposition

"Everything in Standard, plus advanced governance for complex operations. Includes ASIC-aligned offshoring and audit policies, vulnerability management, AI security, deep infrastructure controls, and comprehensive secure software development lifecycle (SDLC) governance. For businesses with sophisticated security needs, offshoring arrangements, custom software development, or those building proactive security programs beyond baseline E8 compliance."

Implementation Approach

For New Customers

  1. Assessment First: Complete an E8 assessment to understand current state
  2. Pack Selection:
     • Most organizations: Start with Standard Pack (complete E8 coverage)
     • Complex operations/offshoring: Consider Complete Pack
     • Regulated industries: May require Complete Pack elements
  3. Phased Rollout: Even within a pack, prioritize implementation by immediate risk and E8 gaps

Pack Progression

Standard Pack → 12-24 months → Complete Pack
     ↓                              ↓
E8 baseline coverage         Advanced maturity

Industry Considerations

Some industries may need Complete Pack earlier:

  • Financial Services: Offshoring is common, ASIC scrutiny is high
  • Organizations Using OSPs: Offshore service providers require dedicated governance
  • Mature Security Programs: Those ready for proactive vulnerability management
  • Complex Infrastructure: Multi-cloud, hybrid, or sophisticated environments
  • Software Development Companies: Organizations developing custom web, mobile, or AI applications

Understanding the E8 Mapping Guide

The Essential Eight Mapping Guide is a key deliverable in both packs that demonstrates how GetCimple policies provide governance coverage for ACSC's Essential Eight mitigation strategies.

What the Guide Does

  • Clarifies the Distinction: The Essential Eight are controls (technical implementations); policies are governance that mandates and oversees them
  • Shows the System: Maps which policies (often multiple) cover each E8 control
  • Provides Roadmap: Guides implementation by showing policy-to-control relationships
  • Manages Expectations: Clarifies that policies provide governance; customers implement controls

What the Guide Is NOT

  • Not a policy itself (it's a mapping and implementation guide)
  • Not a replacement for technical implementation (shows governance framework only)
  • Not a guarantee of compliance (implementation and evidence collection required)

How to Use the Guide

  1. Start Here: Use as your onboarding tool to understand the pack
  2. Map Your Controls: See which policies govern which E8 controls
  3. Plan Implementation: Identify which policies to prioritize based on E8 gaps
  4. Demonstrate Coverage: Show auditors and boards your governance framework

Policy Dependencies

Must Implement First

  1. Cyber and Information Security Policy (sets foundation for all others)
  2. Access Control Policy (foundational for E8 #5, #7)
  3. Data Classification (before implementing data protection controls)

Can Implement in Parallel

  • Privacy Policy
  • Business Continuity Policy
  • Third Party Policies
  • Employee Handbook

Should Implement Last (Complete Pack)

  • AI Security Policy (unless actively using AI systems)
  • Vulnerability Management (requires mature processes)
  • Audit Policy (implement after the other policies are operational, so there is something to audit)
  • Secure SDLC Policy (only if developing custom software; not applicable otherwise)

Customization Within Packs

Each pack can be customized:

  • Remove: Policies truly not applicable (rare, requires justification)
  • Defer: Policies to implement later within pack
  • Prioritize: Based on immediate risks, E8 gaps, or compliance needs

Success Metrics

Standard Pack Success

  • All 12 policies approved by board/management
  • Policy owners assigned and trained
  • E8 Maturity Level 1 achieved (requires the technical controls to be implemented and evidenced; policy approval alone does not raise maturity)
  • Quarterly policy reviews established

Complete Pack Success

  • Proactive vulnerability management operational
  • Offshore providers systematically governed and audited
  • All third-party risks managed through audit program
  • E8 Maturity Level 2+ achieved
  • Continuous improvement cycle established

Future Considerations

Additional policies may be added based on:

  • Regulatory changes (e.g., new ASIC requirements)
  • Emerging threats and technologies
  • Customer feedback and industry needs
  • International compliance frameworks (ISO 27001, SOC 2, etc.)

The pack structure will be reviewed annually to ensure it remains relevant, valuable, and aligned with the Australian regulatory landscape.