SAM Frameworks

We have a selection of pre-defined cyber and information security frameworks available and can also custom-build a framework to your specific requirements.


New - ISO/IEC 27002:2022, CIS Controls V8, Reserve Bank of NZ Guidelines on Cyber Resilience and PCI DSS 4.0

SAM-Security
Our general purpose cybersecurity framework.

With approximately 280 requirements, this framework suits most medium-sized organisations or those beginning their cybersecurity maturity journey.

Well-constructed, using an amended version of the NIST CSF functions and categories, with pragmatic, meaningful controls derived from CIS Controls, this framework is tailored for organisations that rely on a mixture of internal IT systems, internet, cloud, online services and email for the administration and delivery of business operations.

More information on SAM-Security

SAM-Local Government

The ALGIM local government framework has been derived from SAM-Security content, but specifically customised for Local Government.

This framework forms the foundation of the Local Government Cybersecurity Program which focuses on improving the overall cybersecurity posture of Local Government.

It features benchmarking of participants so that they can compare their performance against their peers, and annual awards recognising achievement in cybersecurity practice in accordance with pre-defined levels and improvement.

More information on the ALGIM Local Government Cybersecurity Programme

Prudential Standard - CPS 234 (AUS)

This framework is designed for the Australian prudential and insurance industry and enables organisations to demonstrate compliance with the CPS 234 Standard as required by APRA.

This is a substantial standard that utilises CPS 234 to define the nine function areas and CPG 234 to define the Categories and Work Plan Objectives.

As this is an overarching standard, we have derived the controls from a variety of sources, including NIST SP 800-53, CIS Controls and ISO 27002.

More information on APRA and CPS234

PCI DSS
This standard was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

PCI DSS provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers.

PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.

More information on PCI DSS

CIS Controls

The CIS Controls are global industry best practice, endorsed by leading IT security vendors and governing bodies, and are designed to stop today's most pervasive and dangerous cyber attacks.

Frameworks for CIS Controls version 7.1 and version 8 are available within the SAM for Compliance system.

The controls within our CIS Controls version 8 system are derived from the CIS Controls 8 Safeguards as well as the recommendations contained within the Safeguard descriptions. These form a comprehensive guidance set for the establishment of CIS Controls v8.

More information on CIS Controls

NIST Cybersecurity Framework (CSF)

The NIST CSF is a substantial standard designed to facilitate the protection of critical infrastructure in the US.

It is a set of cybersecurity activities, outcomes and informative references that are common across critical infrastructure sectors and that facilitate the alignment of cybersecurity activities with business requirements, risk tolerances and resources.

Our SAM framework is constructed to faithfully replicate the NIST CSF structure, with the controls derived from NIST SP 800-53.

More information on NIST-CSF

NIS Directive - Cyber Assessment Framework (UK)

This directive was created to improve the security of network and information systems across the UK with a focus on essential services.

The CAF consists of a collection of indicators of good practice structured around four main areas, which form the framework's function areas.

The four CAF areas are broken down into objectives, which we have taken as our Categories, and the Work Plan content is derived from the NCSC NIS Guidance for each objective.

NIST SP 800-66 (HIPAA Security Rule)

HIPAA (Health Insurance Portability and Accountability Act of 1996) determines the data privacy and security provisions for safeguarding medical information.

Our framework is structured around six function areas containing the 22 sections documented within the HIPAA Security Rule.

The controls have been strictly derived from NIST SP 800-66.

This framework is applicable to medical practices, hospitals and other primary care providers in the US.

NZISM - NZ Information Security Manual

The New Zealand Information Security Manual (NZISM) is the New Zealand Government's manual on information assurance and information systems security.

Assessing and tracking the implementation of the NZISM, with over 1690 requirements, has until now been an onerous task, so we created the SAM-NZISM framework to remove some of the pain and manage compliance.

This standard is applicable to Government Departments, their suppliers and service providers.

More information on NZISM

SAM-Protect (NIST SP 800-171)
The National Institute of Standards and Technology (NIST) standard NIST SP 800-171 defines controls for the protection of controlled unclassified information in non-federal information systems and organisations.

This is a very comprehensive standard requiring organisations to implement controls, systems, procedures and processes with an emphasis on the protection of information.

As NIST SP 800-171 is an overarching standard, our framework utilises a variety of resources to define the controls, including NIST SP 800-53, ISO 27002 and CIS Controls.

Any supplier of services to the US Government and any organisation serious about information protection should use this framework.

More information on SAM-Protect

VCSS CSO - Voluntary Cyber Security Standards for Control Systems Operators (NZ)

This voluntary standard was developed using an industry-driven process and provides a foundational set of requirements designed to improve an organisation's cyber resilience and secure the assets critical to the operation of New Zealand’s control systems environments.

The requirements are principally derived from international best practice standards created by the North American Electric Reliability Corporation (NERC) and the National Institute of Standards and Technology (NIST).

The application of this standard will help prepare New Zealand’s critical infrastructure to address cyber security threats considering the nature, origin, scale, complexity, intensity and duration of these risks.

SAM-Security Lite

With over 25 years' experience in managing small businesses, and the same amount of time working in the cybersecurity sector, we truly understand the challenges that face small businesses when it comes to protecting information, your business and your reputation.

In today's world everyone is a target, and small businesses are not immune from attack by cyber criminals; in fact they are more vulnerable, due to a lack of knowledge of cybersecurity issues and a general lack of available resources.

This framework provides a basic set of approximately 140 simple-to-implement actions and checks that, if followed by staff and IT support, will reduce the level of cybersecurity risk in your business.


Minimum Cyber Security Standard (UK)

This Standard is the first technical standard that will be incorporated into the Government Functional Standard for Security in the UK. It defines the minimum security measures that Departments shall implement with regard to protecting their information, technology and digital services to meet the SPF and National Cyber Security Strategy obligations.

The content of the Standard is 'open' so that Departments can apply their own values. In our SAM framework we have adopted 'best practice' values so that Departments are able to measure their compliance against a set of definitive requirements.

AGISM - Australian Government Information Security Manual

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats.

This standard is applicable to Government Departments, their suppliers and service providers.

More information on AGISM

ISO 22313

ISO 22313:2012 is the International Standard for business continuity management systems and provides guidance, based on good international practice, for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that allows organisations to prepare for, respond to and recover from disruptive incidents when they arise.

This Standard is reproduced under licence with permission from Standards New Zealand, on behalf of ISO/IEC, under copyright licence LN001327.

ISO 27002

ISO/IEC 27002:2022 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS), including corporates and not-for-profits.

Information security is defined within the standard in the context of the confidentiality, integrity and availability (CIA) triad.

The standard's focus is on the protection of information through appropriate management procedures and processes that support technological solutions.

This Standard is reproduced under licence with permission from Standards New Zealand, on behalf of ISO/IEC, under copyright licence LN001327.

ACSC Essential Eight (Australia)

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight.

The framework has been created on the basis that, to achieve full compliance at level 2, you must complete levels 1 and 2, and to achieve full compliance at level 3, you must also complete levels 1 and 2.

More information on ACSC Essential Eight

US Department of Energy - C2M2 v1.1

The Department of Energy (DOE) developed the Cybersecurity Capability Maturity Model (C2M2) from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Version 1.0 by removing sector-specific references and terminology. The ES-C2M2 was developed in support of a White House initiative led by the DOE, in partnership with the Department of Homeland Security (DHS), and in collaboration with private- and public-sector experts.

The C2M2 focuses on the implementation and management of cybersecurity practices associated with the information technology (IT) and operations technology (OT) assets and the environments in which they operate.

The framework implementation within SAM for Compliance has 10 Categories, 37 Work Plans and 312 controls. It includes all three maturity levels.

AESCSF - 2019(1)

The Australian Energy Sector Cyber Security Framework (AESCSF) has primarily been established to provide a tailored cyber security framework and supporting tools that set the foundation for the future of energy cyber security in Australia.

The framework implementation within SAM for Compliance has 11 Categories, 37 Work Plans and 282 controls. It includes all three maturity levels.

SAM-Non Profit Lite

Designed for smaller non-profit organisations with fewer than 20 computers, this framework focuses on pragmatic requirements to achieve a basic level of cybersecurity.

It includes technology considerations for achieving appropriate cybersecurity measures, but also includes common-sense procedures and processes that will further enhance your cybersecurity awareness and improve overall organisational security.

More information on SAM-Non Profit Lite

SAM-Non Profit

A SAM framework derived from SAM-Security specifically for non-profit organisations.

We've based the requirements on industry best practice, including our experience in helping develop and manage international cybersecurity standards.

SAM-Non-Profit allows you to assess, track, monitor and report in real-time, and enhances your ability to protect information assets from cyber-attack.

More information on SAM-Non Profit

VPDSS - Victorian Protective Data Security Standards

The purpose of the Victorian Protective Data Security Standards (VPDSS) is to provide a set of criteria for the consistent application of risk-based practices to manage the security of Victorian government information. The Standards are issued under Parts 4 and 5 of the Privacy and Data Protection Act 2014.

This standard is applicable to Victorian public sector organisations.

CMMC - Cybersecurity Maturity Model Certification
CMMC is a standard derived from NIST SP 800-171 to protect Controlled Unclassified Information. It focuses on the CMMC model, which measures cybersecurity maturity across five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats.

The framework consists of 999 controls derived predominantly from NIST SP 800-53. CMMC Guidance and CIS Controls are also used.

NSW Cyber Security Policy

The NSW Cyber Security policy outlines the mandatory requirements to which all NSW government departments and Public Service agencies must adhere, to ensure cyber security risks to their information and systems are appropriately managed.

This is a small framework structured around the five mandated sections and includes 99 controls.

ISO/IEC 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.

The 250 requirements set out in this International Standard include the Annexes and are intended to be applicable to all organisations, regardless of type, size or nature.

DIA Privacy Maturity Assessment Framework (NZ)

The Government Chief Privacy Officer has issued core expectations of government agencies that represent good practice for privacy management and governance. The framework comprises 420 requirements and is based on a five-tier maturity model.

Agencies are expected to implement the good practice outlined in the expectations in a way that reflects their information holdings and systems.

Information Management Maturity Assessment Framework (Archives NZ)

The primary purpose of this Information Management Maturity Assessment (IM Maturity Assessment) is to help public offices and local authorities to assess the strengths and weaknesses of their information management (IM) programmes to determine where improvements are most needed.

This is a pragmatic, small framework comprising 70 requirements contained within 22 categories.

ACSC Cyber Security Principles

The purpose of the cyber security principles is to provide strategic guidance on how organisations can protect their systems and information from cyber threats.

This is a small, strategic level framework structured around four sections and includes 23 controls.

HISO 10029:2015

HISO 10029:2015 is a health and disability sector-wide Health Information Security Framework that advises how health information is created, displayed, processed, transported, stored and disposed of in a way that maintains the information's confidentiality, integrity and availability.

It is concerned with the security of health information wherever it may exist, and is a large framework with 681 controls applicable to the NZ health sector.

RBNZ Guide for Cyber Resilience

This framework is designed for New Zealand financial institutions and enables organisations to self-assess their cybersecurity posture in accordance with standards set by the Reserve Bank of New Zealand.