
Which Compliance Frameworks Does Your Business Need?

Most Australian small businesses need to meet the Privacy Act 1988 and, if they take card payments, PCI DSS, with the ACSC Essential Eight as the practical security baseline on top. Everything beyond that (ISO 27001, SOC 2, CPS 234) is driven by who you sell to or what industry you are in, not by a blanket legal requirement. Here is how to work out which frameworks actually apply to your business so you do not chase a certificate you do not need.


Key facts

  • The Privacy Act 1988 and the Notifiable Data Breaches scheme apply to most Australian businesses that hold personal information.
  • The ACSC Essential Eight is the practical security baseline for Australian SMEs and underpins most other frameworks.
  • PCI DSS applies automatically if you store, process, or transmit card data.
  • ISO 27001 and SOC 2 are customer-driven: you pursue them when a tender, client, or investor asks for proof.
  • APRA CPS 234 applies to regulated financial services entities and many of their service providers.
  • The frameworks overlap heavily on core controls, so meeting one makes the others easier rather than starting from scratch each time.

Which compliance obligations apply to every business?

If you hold personal information about customers or staff, the Privacy Act 1988 applies to you, and with it the Notifiable Data Breaches scheme, which can require you to notify the OAIC and affected individuals when a breach is likely to cause serious harm. This is not optional and it is not industry-specific. The second near-universal obligation is PCI DSS, which attaches the moment you take card payments. Between them, these two cover the baseline most small businesses are legally or contractually on the hook for, before any industry-specific or customer-driven framework enters the picture. If you do nothing else, get these two right.

Why is the Essential Eight the baseline to aim for?

The Essential Eight is the ACSC's set of eight mitigation strategies, and it is the most useful target for an Australian SME because it is both achievable and widely recognised. The eight are: application control, patching applications, patching operating systems, restricting Office macros, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups. Those eight controls are the common core that ISO 27001, CPS 234, a cyber insurance application, and most customer security questionnaires all want to see. Reach a solid maturity level on the Essential Eight and you have done the bulk of the work for almost everything else at the same time, which is why we point most SMEs there first.

When do you need ISO 27001, SOC 2, or CPS 234?

These are the frameworks you take on when something external requires them. ISO 27001 is the international information security management standard that larger customers and tenders increasingly demand certification against as proof; you pursue it when winning that work depends on it. SOC 2 is the equivalent for selling to US organisations, an auditor's report rather than a certificate. APRA CPS 234 is mandatory if you are a regulated financial services entity, and it also reaches many of the IT and service providers those entities rely on, so you can be pulled into it as a supplier. The common thread is that none of these are triggered by being a small business in general; they are triggered by a specific customer, tender, or regulator. So the honest first step is to ask who is actually asking, rather than collecting certificates pre-emptively.

How do you avoid doing the same work five times?

Treat the controls as the asset, not the certificate. The frameworks overlap so heavily on the fundamentals (multi-factor authentication, patching, access control, logging, backups, and an incident response plan) that the smart approach is to build those once, properly, and document them well. From that foundation, each specific framework becomes a matter of mapping your existing controls to its requirements and filling the genuine gaps, rather than starting over. This is exactly why we recommend an SME begin with an Essential Eight uplift and good Privacy Act practices, then layer ISO 27001 or SOC 2 on top only when a customer requires it. The groundwork is never wasted.

Frequently asked questions

What compliance does a typical Australian small business legally need?

At minimum, the Privacy Act 1988 and the Notifiable Data Breaches scheme if you hold personal information, plus PCI DSS if you take card payments. Everything else (ISO 27001, SOC 2, CPS 234) is driven by your industry or your customers rather than a blanket law.

Is the Essential Eight mandatory?

It is mandatory for Australian government entities and is widely expected for businesses doing government-adjacent work, but it is not a general legal requirement for every private business. It is, however, the most practical security baseline and the one most customer questionnaires and insurers align to, which is why most SMEs should aim for it regardless.

Do we need ISO 27001 and SOC 2?

Only if your customers ask. ISO 27001 suits Australian, European, and government-adjacent buyers; SOC 2 suits US technology buyers. They overlap heavily, so if you need one, the other becomes much easier later. Do not pursue either without a customer or tender actually requiring it.

Where should we start?

Start with a gap assessment against the Essential Eight, plus making sure your Privacy Act and PCI obligations are met. That covers the near-universal baseline and tells you exactly where you stand before you take on any customer-driven framework.

If you are not sure which compliance frameworks genuinely apply to your business, we can sort that out quickly and start you with a gap assessment against the right one. It saves Sydney businesses a lot of wasted effort chasing certificates they were never going to need. See how 4iT approaches compliance or talk to us to get started.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity and compliance, including the Essential Eight, ISO 27001 readiness, Privacy Act obligations, and Microsoft 365 hardening, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
