The AESCSF Assessment Framework and How to Use It

Enhancements to the AESCSF module have been implemented on the platform to align with the 2022 version of the Framework.


What is the AESCSF? 

In 2017, the Australian government set out an initiative to strengthen the country's cybersecurity posture and created the Australian Energy Sector Cyber Security Framework (AESCSF). There were minor revisions in 2019 and 2021, and the Framework has remained mostly the same in the 2022 version. There are no significant changes in version 2022 compared to version 2021.

The framework applies specifically to Australian energy companies and contains Australian-specific controls, along with questions from existing frameworks, such as the United States’ C2M2 and NIST-CSF. 


Why Use the AESCSF Framework? 

In recent years, the security and reliability of the Australian energy sector has come under increased scrutiny due to cyber attacks against critical infrastructure in several global jurisdictions.

The Security Legislation Amendment (Critical Infrastructure Protection) Act came into effect on April 2, 2022. This legislation requires Australian critical infrastructure companies to report cybersecurity incidents to the government, as well as adopt a risk management program.  

The AESCSF is a well-suited framework for Australian energy companies to adopt: it adapts controls from established and trusted frameworks, was created specifically to meet Australian energy companies' security requirements, and takes a proactive approach to mitigating cyber security incidents.


How to Conduct an AESCSF Assessment with 

The AESCSF is a full self-assessment and covers all 282 Practices and Anti-Patterns (specific indicators of bad practice) within the Framework. To streamline the assessment process, includes insights and report automation, as well as remediation and validation workflows to mitigate risk and validate controls in place.  

An AESCSF Reference Report is also included to provide control mappings to other frameworks, such as NIST CSF, ISO 27001, and NIST SP 800-53 Rev. 5.


Measuring Cyber Security Capability and Maturity 

There are two measures for cyber security capability and maturity in the Framework: 

  • Maturity Indicator Level (MIL)  
  • Security Profile (SP)  

The Framework leverages the MILs established within the C2M2. There are four MILs, MIL-0 through MIL-3, and each defines a step in the maturity progression of the Assessment Framework. Every Practice and Anti-Pattern is assigned a MIL that indicates its maturity relative to other Practices.

The Framework also has three alternate groupings of Practices referred to as Security Profiles (SPs). The Practices and Anti-Patterns within the SPs are at different MILs (e.g., SP-1 includes some MIL-2 and MIL-3 Practices). has added a target Security Profile to the platform, along with guidance for organizations to prioritize risks based on the Security Profile. In addition, has provided maturity levels for AESCSF Domains. 


Ready to Start Your AESCSF Assessment? 

Whether you choose to engage a consultant or tackle it yourself, can help your organization quickly get started with conducting an AESCSF assessment. Our platform does the heavy lifting of distributing and collecting assessment data within one secure location. 

If you are ready to start your next AESCSF assessment, reach out to our team about getting started with the platform. 




Taylor Petry

Taylor is on the communications team at


