SAM Frameworks

We have a selection of pre-defined cyber and information security frameworks available and can also custom-build a framework to your specific requirements. 


New - ACSC Essential Eight (Aus), AGISM (Aus), VCSS CSO (NZ)


Our general purpose cybersecurity framework.

With approximately 280 requirements, this framework suits most medium sized organisations or those beginning their cybersecurity maturity journey.

Well constructed, using an amended version of the NIST CSF functions and categories, with pragmatic, meaningful controls derived from CIS Controls, this framework is tailored for organisations that rely on a mixture of internal IT systems, internet, cloud, online services and email for administration and delivery of business operations.

More information on SAM-Security                    

SAM-Local Government

The ALGIM local government framework has been derived from SAM-Security content, but specifically customised for Local Government.

This framework forms the foundation of the Local Government Cybersecurity Program which focuses on improving the overall cybersecurity posture of Local Government.

It features benchmarking of participants so that they can compare their performance against their peers, and annual awards recognising achievement in cybersecurity practice in accordance with pre-defined levels and improvement.

More information on the ALGIM Local Government Cybersecurity Programme

Prudential Standard - CPS 234 (AUS)

This framework is designed for the Australian Prudential and Insurance industry and enables organisations to demonstrate compliance to the CPS 234 Standard as required by APRA.

This is a substantial standard that utilises the CPS 234 to define the nine function areas and the CPG 234 to define the Categories and Work Plan Objectives.

As this is an overarching standard we have derived the controls from a variety of sources including NIST SP 800-53, CIS Controls and ISO 27002.

More information on APRA and CPS234


This standard was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

PCI-DSS provides a baseline of technical and operations requirements designed to protect account data and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers.

PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.

More information on PCI DSS

CIS Controls

CIS Controls are global industry best practice endorsed by leading IT security vendors and governing bodies that are designed to stop today's most pervasive and dangerous cyber attacks.

This framework is designed around the five NIST CSF functions and includes all 20 cybersecurity action areas.

It is a relatively small standard, approximately 170 controls, and is a well structured, pragmatic, standard with a technological focus, that enables an organisation to implement best practice regardless of resources.

More information on CIS Controls

NIST Cybersecurity Framework (CSF)

The NIST CSF is a substantial standard designed to facilitate the protection of critical infrastructure in the US.

It is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors that facilitate the alignment of cybersecurity activities with business requirements, risk tolerances and resources.

Our SAM framework is constructed to faithfully replicate the NIST CSF structure with the controls being derived from NIST SP 800-53.

More information on NIST-CSF

NIS Directive - Cyber Assessment Framework (UK)

This directive was created to improve the security of network and information systems across the UK with a focus on essential services.

The CAF consists of a collection of indicators of good practice structured around four main areas which form the framework's function areas.

The four CAFs are broken down into objectives which we have taken as our Categories and workplan content is derived from the NCSC NIS Guidance for each objective.

NIST SP 800-66 (HIPAA Security Rule)

HIPAA (Health Insurance Portability and Accountability Act of 1996) determines the data privacy and security provisions for safeguarding medical information.

Our framework is structured around six function areas containing the 22 sections documented within the HIPAA Security Rule.

The controls have been strictly derived from NIST SP 800-66 HIPAA.

This framework is applicable to medical practices, hospitals and other primary care providers in the US.

NZISM - NZ Information Security Manual

The New Zealand Information Security Manual (NZISM) is the New Zealand Government's manual on information assurance and information systems security.

Assessing and tracking the implementation of NZISM with over 1690 requirements has, until now, been an onerous task so we created a SAM-NZISM framework in order to remove some of the pain and manage compliance.

This standard is applicable to Government Departments, their suppliers and service providers.

More information on NZISM


The National Institute of Standards and Technology (NIST) Standard NIST SP 800-171 determines controls for the protection of controlled unclassified information in non federal information systems and organisations.

This is a very comprehensive standard requiring organisations to implement controls, systems and procedures and processes with an emphasis on the protection of information.

As NIST SP 800-171 is an overarching standard our framework utilises a variety of resources to define the controls including NIST SP 800-53, ISO-27002 and CIS Controls.

Any supplier of services to the US Government and any organisation serious about information protection should use this framework.

More information on SAM-Protect

VCSS CSO - Voluntary Cyber Security Standards for Control Systems Operators (NZ)

This voluntary standard was developed using an industry-driven process and provides a foundational set of requirements designed to improve an organisation's cyber resilience and secure the assets critical to the operation of New Zealand’s control systems environments.

The requirements are principally derived from international best practice standards created by the North American Electric Reliability Corporate (NERC) and the National Institute of Standards and Technology (NIST).

The application of this standard will help prepare New Zealand’s critical infrastructure to address cyber security threats considering the nature, origin, scale, complexity, intensity and duration of these risks.

SAM-Security Lite

With over 25 years experience in managing small businesses, and the same amount of time working in the cybersecurity sector, we truly understand the challenges that face small business when it comes to protecting information, your business, and your reputation.

In today's world everyone is a target and small businesses are not immune from attack from cyber criminals, in fact they are more vulnerable, due to a lack of knowledge of cybersecurity issues and general lack of available resources.

This framework provides a basic set of approximately 140 simple-to-implement actions and checks that, if followed by staff and IT support, will reduce the level of cybersecurity risk in your business.


Minimum Cyber Security Standard (UK)

This Standard is the first technical standard that will be incorporated into the Government Functional Standard for Security in the UK. It defines the minimum security measures that Departments shall implement with regards to protecting their information, technology and digital services to meet the SPF and National Cyber Security Strategy obligations.

The content of the Standard is 'open' so that Departments can apply their own values. In our SAM framework we have adopted a 'best practice' to these values so that Department's are able to measure their compliance against a set of definitive requirements.

ISO 27002

ISO/IEC 27002 : 2013 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS) including corporates and not-for-profits.

Information security is defined within the standard in the context of the C-I-A triad.

The standard's focus is on the protection of information through appropriate management procedures and processes to support technological solutions.

This Standard is reproduced under licence with permission from Standards New Zealand, on behalf of ISO/IEC under copyright licence LN001327

ACSC Essential Eight (Australia)

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight

This is a small framework of only 47 controls contained within the essential eight headings as the categories.

It has been created on the basis that to achieve full compliance to level 2, you complete level 1 and 2, and to complete compliance to level 3, you must also complete levels 1 and 2

More information on ACSC Essential Eight

SAM-Non Profit

A SAM framework derived from SAM-Security specially for Non-Profit Organisations.

We've based the requirements on industry best practice, including our experience in helping develop and manage international cybersecurity standards.

SAM-Non-Profit allows you to assess, track, monitor and report in real-time, and enhances your ability to protect information assets from cyber-attack.

More information on SAM-Non Profit

SAM-Non Profit Lite

Designed for the smaller non-profit organisations with less than 20 computers, this framework focuses on pragmatic requirements to achieve a basic level of cybersecurity.

It includes technology considerations for achieving appropriate cybersecurity measures but also includes common-sense procedures and processes that will further enhance your cybersecurity awareness and improve overall organisational security.

More information on SAM-Non Profit Lite              

AGISM - Australian Government Information Security Manual

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats.

This standard is applicable to Government Departments, their suppliers and service providers.

More information on AGISM