Why cyber maturity baselines matter before frameworks
Cyber security frameworks play an important role in strengthening organisational resilience.
They provide structure, shared language, and recognised benchmarks for uplift. In Australia, frameworks such as the Essential Eight, ISO standards and sector-specific requirements are widely adopted – and rightly so.
However, frameworks are most effective when they are applied at the right point in the journey.
Before an organisation can meaningfully align to any framework, it needs a clear, realistic understanding of its current cyber maturity and risk context. That is where a cyber security maturity baseline becomes critical.
A baseline is not a framework – and it isn’t meant to be
A cyber security baseline does not replace frameworks. Its purpose is different.
A baseline establishes:
- Where the organisation is today
- How cyber maturity operates in practice
- Where risk is genuinely concentrated
- Which areas require attention first
Frameworks, on the other hand, define:
- What “good” looks like
- Which controls are expected
- How uplift can be structured, assured and measured
When frameworks are applied without a baseline, organisations often encounter:
- Overly ambitious uplift plans
- Investment in controls that do not address the highest risks
- Fatigue from trying to do too much, too quickly
- Difficulty sustaining maturity over time
A baseline provides the context frameworks need to be applied proportionately and effectively.
When organisations typically look for a cyber security baseline
Organisations usually seek a cyber security baseline when one or more of the following triggers are present:
- Preparing for upcoming governance, resilience or regulatory expectations, including APRA's CPS 230 (Operational Risk Management)
- A recent cyber incident, near miss or control failure
- Increasing reliance on third parties, cloud platforms or SaaS providers
- Board or executive questions such as “Are we actually resilient?”
- Limited budgets combined with higher accountability for outcomes
In these moments, the challenge is rarely a lack of frameworks. It is a lack of clarity on where risk truly sits.
Why timing matters more than the framework itself
Frameworks are designed to be broadly applicable. Organisations are not. Every environment has its own mix of:
- Technology complexity
- Operational dependencies
- Regulatory pressure
- Third-party exposure
- Delivery velocity
- Risk tolerance
Without understanding these factors, framework adoption can become a compliance exercise rather than a risk-reduction strategy.
A baseline answers a different question:
“Given how we actually operate today, where does risk truly sit?”
Only once that is understood does it make sense to determine:
- Which frameworks are most relevant
- Which controls should be prioritised
- What level of maturity is realistic in the near term
The real problem with most cyber maturity assessments
Many cyber security maturity assessments fall into one of three traps.
1. Checklist-led scoring
They measure maturity against a single framework (often the Essential Eight or ISO) and stop there. This shows whether controls exist, but not whether they are effective in context.
2. One-size-fits-all targets
Organisations are pushed toward the same maturity end state regardless of their size and complexity, their sector and regulatory exposure, or their operating model and delivery velocity.
3. Theoretical uplift
The outcome is often a score and a long list of controls, with little clarity on what reduces risk first, what can wait, and what adds cost without improving resilience. This produces either false confidence or resignation: “We’ve done Essential Eight, so we’re fine,” or “We’ll never be ISO-ready, so what’s the point?” Both increase risk, just in different ways.
A domain-based baseline reflects real-world risk
Modern cyber risk rarely sits in a single control gap.
It emerges across multiple, interconnected areas – technical, operational, governance-related and organisational.
A domain-based baseline assessment helps ensure risk is viewed holistically rather than through a single lens.
While domains vary by organisation, they typically span areas such as:
- Foundational security controls
- Operational and delivery practices
- Governance, policy and accountability
- Data and information risk
- Third-party and supply-chain exposure
- Emerging and evolving threats
Domains are not frameworks. They ensure the baseline reflects how risk actually manifests in real operating environments.
Essential Eight remains the foundation – not the destination
The Essential Eight (the ASD's eight mitigation strategies, assessed at Maturity Levels 0 to 3) continues to provide a strong foundation for cyber hygiene.
Used well, it supports:
- Reduction of common attack vectors
- Consistency across organisations
- A clear path for technical control uplift
However, its value is maximised when organisations understand:
- Their operational realities
- Their exposure beyond purely technical controls
- Their capacity to implement and sustain change
A baseline assessment enables Essential Eight uplift to be:
- Targeted to the areas of highest risk
- Aligned to organisational capability
- Sequenced sensibly over time
This avoids the common trap of attempting to uplift everything at once – and succeeding at very little.
From baseline to framework-led uplift
The outcome of a baseline assessment is not a score for reporting purposes.
It is a starting position.
From that starting point, organisations can:
- Select the frameworks most relevant to their context
- Prioritise controls based on risk and impact
- Build a practical, defensible uplift roadmap
- Track progress in a way that makes sense to technical and non-technical stakeholders
This sequencing – baseline first, frameworks next – supports sustainable improvement rather than reactive change.
Reducing cyber risk without unnecessary complexity
Cyber resilience isn’t about finding every possible gap.
It’s about fixing the ones that actually reduce risk.
A baseline assessment helps organisations understand:
- Where they stand today
- What matters most in their operating context
- Which actions deliver real risk reduction
All without over-engineering controls or adding complexity that looks good on paper but fails operationally.
Establish clarity before controls
Cyber security maturity is not achieved by implementing the most controls.
It is achieved by implementing the right controls, at the right time, for the right reasons.
Establishing a baseline provides the clarity needed to make informed decisions and ensures that frameworks are used as enablers, not obstacles.
Start with the baseline
Understanding where you are today is what allows frameworks to work as intended.
It is not about lowering standards.
It is about applying them intelligently.
Use Avocado’s online tool – Cyber Maturity Self-Assessment – to get your baseline today.
Want to talk to us now? Book a complimentary consult with our team. We can help you:
- Translate technical controls into clear, business-ready language your executives understand
- Align cyber initiatives with governance, risk and compliance expectations
- Prioritise actions that deliver real risk reduction and measurable value
- Move from reactive firefighting to confident, data-driven decision-making
- Right-size recommendations to your industry, threat exposure, organisational scale and risk appetite, with no unnecessary controls
Start with clarity. Then uplift with confidence.
