
AESCSF: The Cyber Security Framework for Australia's Energy Sector

The Australian Energy Sector Cyber Security Framework is the annual self-assessment program that energy sector operators use to measure, benchmark and improve their cyber security maturity. Completing it feeds directly into your SOCI Critical Infrastructure Risk Management Program obligations.

Overcyte automates the assessment workflow and tracks maturity continuously, so when the annual submission window opens, you're not starting from scratch.

What the AESCSF is and who it applies to

The AESCSF was developed collaboratively by the Australian Energy Market Operator (AEMO), the Australian Cyber Security Centre (ACSC), and the Cyber and Infrastructure Security Centre (CISC). It's not a vendor framework; it's a government and industry initiative designed specifically for the Australian energy sector.

The framework applies to electricity, gas and liquid fuels sub-sectors. Version 2, released in October 2023, expanded the framework from 282 to 354 practices and anti-patterns, placed greater emphasis on operational technology and supply chain security, and is now explicitly recognised by CISC as compatible with SOCI CIRMP obligations, making it relevant to all 11 regulated sectors under the Act, not just energy.

The AESCSF is built on internationally recognised foundations, the US Department of Energy's ES-C2M2 and NIST CSF, with Australian-specific additions including the Essential Eight, Australian Privacy Principles, and the Notifiable Data Breaches scheme.

The 2026 AESCSF program is currently open. The assessment portal opened on 16 March 2026.

How the AESCSF assessment works

The AESCSF assessment has two components that work in sequence. The first determines your criticality. The second measures your cyber security maturity against that criticality baseline.

Criticality Assessment

The Criticality Assessment Tool (CAT) determines your organisation's criticality relative to your peers in the sector. There are separate versions for the electricity, gas and liquid fuels sub-sectors. The outcome of your criticality assessment determines which Security Profile applies to your organisation; this is the starting point for everything that follows.

Cyber Security Capability and Maturity Self-Assessment

The self-assessment measures your cyber security capability and maturity across 11 domains. The Full assessment covers all 354 practices and anti-patterns and is designed for medium and high-criticality entities. The Lite assessment, 29 questions, is suited to low-criticality entities, smaller DER/CER operators, or organisations new to the framework. Both versions are available through the AEMO assessment portal during the annual program window.

How Maturity is Measured: MILs and Security Profiles

The AESCSF uses two distinct measurement dimensions. Understanding both is essential for setting a target state and tracking progress year on year.

Maturity Indicator Levels (MILs)

MILs run from MIL-0 to MIL-3 and are applied independently to each domain. This means an organisation can score differently across domains, for example MIL-2 in Risk Management and MIL-1 in Supply Chain. The overall MIL is determined by the lowest score across all domains, so one weak domain pulls the whole score down. MILs are cumulative within each domain; all practices at a given level must be met before progressing to the next.
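As an added illustration (not code from Overcyte or the AESCSF toolkit), a small Python model of the MIL rules above: cumulative levels per domain, the overall score as the minimum across domains, and the unmet practices that would lift a domain to its next level. The practice identifiers and results are constructed placeholders, not real AESCSF practice references.

```python
from typing import Dict, List, Tuple

# (practice identifier, MIL the practice belongs to, whether it is met)
Practice = Tuple[str, int, bool]

def domain_mil(practices: List[Practice]) -> int:
    """Highest MIL at which every practice at that level and all lower
    levels is met. Levels are cumulative, so one unmet MIL-1 practice
    caps the domain at MIL-0 even if all MIL-2 and MIL-3 practices are met.
    A level with no practices defined is treated as not achievable."""
    achieved = 0
    for level in (1, 2, 3):
        at_level = [met for _, lvl, met in practices if lvl == level]
        if not at_level or not all(at_level):
            break
        achieved = level
    return achieved

def next_level_gaps(practices: List[Practice]) -> List[str]:
    """Unmet practices at the level immediately above the achieved MIL:
    the shortest list of work that would raise this domain's score."""
    target = domain_mil(practices) + 1
    return [pid for pid, lvl, met in practices if lvl == target and not met]

def overall_mil(domains: Dict[str, List[Practice]]) -> Tuple[int, List[str]]:
    """Overall MIL is the lowest domain MIL. Also return the domains sitting
    at that floor, since those are what pull the whole score down."""
    scores = {name: domain_mil(p) for name, p in domains.items()}
    floor = min(scores.values())
    return floor, sorted(name for name, s in scores.items() if s == floor)

# Constructed sample covering three of the eleven domains; the practice
# identifiers are placeholders, not real AESCSF practice references.
SAMPLE: Dict[str, List[Practice]] = {
    "Risk Management": [
        ("RM-1a", 1, True), ("RM-1b", 1, True),
        ("RM-2a", 2, True), ("RM-2b", 2, True),
        ("RM-3a", 3, False),
    ],
    "Supply Chain and Dependencies Management": [
        ("SC-1a", 1, True), ("SC-1b", 1, True),
        ("SC-2a", 2, True), ("SC-2b", 2, False),
        ("SC-3a", 3, True),
    ],
    "Situational Awareness": [
        ("SA-1a", 1, False), ("SA-1b", 1, True),
        ("SA-2a", 2, True), ("SA-3a", 3, True),
    ],
}
```

Running `domain_mil` over each entry of `SAMPLE` gives MIL-2, MIL-1 and MIL-0 respectively, and `overall_mil(SAMPLE)` reports MIL-0 with Situational Awareness as the domain setting the floor.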

Security Profiles (SPs)

Security Profiles are unique to the AESCSF; they don't exist in the C2M2 model, the framework on which the AESCSF is built. There are three SPs, aligned to the three criticality levels determined by the CAT. SPs are cumulative; SP-2 requires SP-1 to be achieved first. Where MILs measure domain-level maturity, SPs represent the target state maturity for your organisation based on its criticality to the sector. Achieving your designated SP is the primary compliance objective of the annual self-assessment.

How AESCSF feeds into your SOCI obligations

How the AESCSF relates to SOCI obligations is one of the most common questions from energy sector compliance teams, and one of the most important to get right.

SOCI is the legal obligation. The AESCSF is the recognised framework for meeting the cyber security requirements within your CIRMP. AESCSF V2 is explicitly recognised by CISC as compatible with SOCI CIRMP obligations, which means completing your annual AESCSF self-assessment directly satisfies the framework alignment requirement under SOCI.

For energy sector operators, these are not two separate workstreams. The AESCSF self-assessment generates the evidence and maturity scoring that your CIRMP cyber security obligations require. Treating them as separate exercises doubles the effort for no additional compliance benefit.

If your organisation is subject to both SOCI and AESCSF obligations, the most efficient path is a single integrated program: assess once, report to both.

The Eleven AESCSF Domains

The AESCSF self-assessment covers 354 practices and anti-patterns organised across eleven domains. Each domain has an independent MIL score; your program needs to address all eleven to achieve your target Security Profile.
Asset, Change and Configuration Management: Manage OT and IT assets commensurate with risk to critical infrastructure.
Identity and Access Management: Control access to systems and data based on least-privilege principles.
Threat and Vulnerability Management: Identify, prioritise and remediate vulnerabilities across IT and OT environments.
Situational Awareness: Establish monitoring and logging to maintain visibility of the operational environment.
Information Sharing and Communications: Share cyber security information with relevant stakeholders and government bodies.
Risk Management: Establish and maintain an enterprise cyber security risk management program.
Event and Incident Response: Detect, escalate and respond to cyber security events and incidents.
Supply Chain and Dependencies Management: Manage cyber security risks introduced through suppliers and third parties.
Workforce Management: Develop and maintain a workforce with the cyber security skills the organisation requires.
Cybersecurity Program Management: Provide governance, strategic planning and sponsorship for cyber security activities.
Australian Privacy Management: Manage personal information in accordance with the Australian Privacy Principles.

How Overcyte Supports Your Annual AESCSF Program

The AESCSF's offline toolkit, spreadsheets, PDFs, and manual evidence collection work for a once-a-year exercise. It doesn't work for an organisation that needs to know where it stands between annual submissions, track improvement over time, or demonstrate progress to a board asking increasingly specific questions about cyber maturity.

Overcyte replaces the offline toolkit with a structured, guided self-assessment mapped to all 11 AESCSF domains and all practices and anti-patterns. Evidence is collected in the platform as you go, not assembled retrospectively the week before the portal closes. Exportable reports map to AESCSF Security Profiles and MILs, giving your board and your CIRMP the documentation they need.

Trending insights across previous assessments show you where you've improved, where you've drifted, and what to prioritise next. For operators managing both SOCI and AESCSF obligations, Overcyte supports both in a single platform, alongside Essential Eight, ISO 27001, NIST CSF, ISA/IEC 62443 and more.

Identify. Secure. Assure.

Ready to simplify cybersecurity compliance for critical infrastructure?