Comparative Positioning and Reference Mappings
How TrustSurface relates to ISO 27001, NIST CSF, Essential Eight, and more.
1. Purpose
This document positions the TrustSurface Framework relative to the governance and security standards most commonly encountered by adopting organisations. It is provided for orientation, not prescription. Readers using TrustSurface alongside an existing standard will find practical guidance on where the two complement each other.
TrustSurface is a lens. It helps organisations identify, measure, and govern the observable trust signals emitted at the digital edge. It does not compete with control frameworks, audit standards, or maturity models. It complements them by translating internal intent into externally meaningful evidence.
2. What TrustSurface is
A framework for making trust posture observable, discussable, and governable through signals and evidence.
3. What TrustSurface is not
- not an ISMS
- not a control catalogue
- not an audit standard
- not attack surface management
4. Side-by-side comparison (high level)
| Standard / framework | Primary purpose | Primary unit of work | Typical outputs | Where TrustSurface fits |
|---|---|---|---|---|
| ISO/IEC 27001 | Establish and operate an ISMS | Controls, policies, ISMS processes | SoA, policies, audits, continual improvement | Adds a trust-signal view of what stakeholders can observe (e.g. email/domain posture, service transparency) |
| NIST CSF | Organise cyber risk management outcomes | Functions / categories (Identify, Protect, Detect, Respond, Recover) | Profiles, target state, outcomes mapping | Adds a “digital edge” lens that connects outcomes to observable trust signals and evidence refresh |
| COBIT | Govern and manage enterprise IT | Governance and management objectives | Objectives, accountability, metrics | Adds a focused posture lens for externally-facing systems, supporting executive decision rights and reporting |
| ASD Essential Eight | Reduce likelihood and impact of common cyber attacks | Eight mitigation strategies and maturity levels | Maturity assessments, remediation plans | Helps decide where Essential Eight maturity matters most at the edge; makes assurance visible via signals |
| Australian Government ISM | Cyber security framework guidance for protecting systems and data | Controls / guidelines applied via risk management | Control profiles, implementation guidance, assurance artefacts | Provides the control depth; TrustSurface provides an externally-observable evidence lens across the trust surface |
| PSPF | Protective security policy for people, information, and resources | Security domains and required outcomes | Policy compliance, maturity reporting, protective security plans | Helps turn policy intent into observable trust posture for digital-facing services and delegated trust |
5. How TrustSurface fits alongside each standard
5.1 ISO/IEC 27001
Use TrustSurface to strengthen ISO 27001 where stakeholders judge you externally.
- treat Trust Surface domains as ISMS-relevant groupings at the digital edge
- use Trust Signals to define evidence expectations for trust-critical controls (email, domains, public services, third-party integrations)
- use TrustSurface artefacts (inventory, scorecard, signal gap log) as inputs to management review
5.2 NIST CSF
Use TrustSurface to connect CSF outcomes to externally meaningful evidence.
- map Trust Surface domains to CSF outcomes (especially Identify and Protect)
- use signals to validate outcomes with evidence (e.g. spoof resistance, transport integrity, service reliability)
- use the operating rhythm to establish a lightweight reassessment cadence
5.3 COBIT
Use TrustSurface to operationalise governance intent into evidence.
- clarify decision rights and ownership for trust-critical systems
- add trust posture measures alongside service and risk measures
- use the Trust Signal Gap to track “assurance intent vs observable reality”
5.4 ASD Essential Eight
The Essential Eight is a set of mitigation strategies with maturity levels. TrustSurface does not restate those controls.
Use TrustSurface to:
- identify which parts of your environment are trust-critical at the edge (e.g. identity boundary, email integrity, public services)
- set evidence expectations for externally visible outcomes (e.g. resistance to impersonation, predictable service behaviour)
- ensure maturity uplift is governed through ownership, cadence, and exception handling
5.5 Australian Government ISM
The ISM provides broad control guidance and implementation depth. TrustSurface provides a surface-oriented lens over externally experienced trust posture.
Use TrustSurface to:
- make “what we must protect” explicit as a Trust Surface inventory
- define what evidence will be used to demonstrate posture for trust-critical areas
- avoid over-measuring: focus on high-value, high-visibility signals that affect reputation and stakeholder confidence
5.6 Protective Security Policy Framework (PSPF)
PSPF sets policy outcomes across protective security domains. TrustSurface can help governance teams ensure the digital edge aligns to policy intent.
Use TrustSurface to:
- translate policy-level requirements into observable posture for digital services and delegated trust
- maintain a rhythm of reassessment (not a once-a-year compliance exercise)
- surface exceptions and residual gaps as governance decisions
6. The practical distinction
Traditional frameworks answer:
- Are controls defined and operating?
- Are we managing risk within appetite?
TrustSurface adds:
- What signals are we emitting at the digital edge?
- Would an external stakeholder (or attacker) observe weak posture?
- Do we have evidence, ownership, and cadence to keep signals strong?
7. External references
- ASD Essential Eight: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight
- ASD Information Security Manual (ISM): https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism
- Protective Security Policy Framework (PSPF): https://www.protectivesecurity.gov.au/
Related TrustSurface artefacts
- TSF-OVR-1 - Framework Overview
- TSF-MOD-1 - Trust Surface Model and Domains
- TSF-DEF-1 - Core Definitions
- TSF-GOV-1 - Governance Integration
- TSF-SIG-1 - Trust Signal Catalogue
- TSF-MAT-1 - Digital Trust Maturity Model
- TSF-GLO-1 - Glossary
- TSF-ADP-1 - Adoption Guidance (practical operating guidance for adopters)
Summary statement
TSF-CMP-1 positions TrustSurface as a complementary lens alongside ISO/IEC 27001, NIST CSF, COBIT, ASD Essential Eight, the Australian Government ISM, and the PSPF. In each case, the existing standard provides control depth or policy structure; TrustSurface provides the externally-observable trust signal evidence layer that connects internal assurance to stakeholder-visible posture.