← Back to Resources

AESCSF v2 Explained
Domains, Maturity Levels, Security Profiles and Anti-Patterns

The Australian Energy Sector Cyber Security Framework sits at the centre of cyber compliance for Australia's energy sector — and, increasingly, the yardstick the SOCI Act's enhanced CIRMP Rules measure entities against. But its structure trips people up the first time they meet it: 11 domains, four maturity levels, three Security Profiles, and a set of anti-patterns that can quietly cap your result. This is a plain-English guide to how the framework actually works.

What the AESCSF Is — and Where It Came From

The Australian Energy Sector Cyber Security Framework (AESCSF) is a cyber security maturity model maintained by the Australian Energy Market Operator (AEMO), developed in partnership with industry participants and government since 2018 and refreshed periodically since. It exists to answer a deceptively simple question for an energy business: how good is our cyber security, really — and how good does it need to be given how critical we are?

Rather than inventing controls from scratch, the AESCSF is built on the US Department of Energy's Cybersecurity Capability Maturity Model (C2M2) and mapped to widely used references — the NIST Cyber Security Framework, ISO/IEC 27001, the ASD Information Security Manual (ISM), and the Essential Eight. That lineage matters: it means an AESCSF result isn't an isolated score, it's a maturity picture that translates into the language boards, insurers, regulators and auditors already understand.

Two things make the AESCSF distinctive. First, it is built for operational technology (OT) — the control systems that actually run generation, networks, pipelines and fuel — not just corporate IT. Second, it measures maturity, not just the presence of controls: whether a practice is done at all, done consistently, and done well enough to be governed and improved.

Why this matters now. The SOCI Act's enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules — registered 9 June 2026 — make an AESCSF Security Profile 2 outcome the effective compliance bar for most energy responsible entities by 30 June 2028. If that applies to you, see our companion pieces: The SOCI Enhanced CIRMP Rules Are Now Law and Why SP-2 by June 2028 Is Harder Than It Sounds.

The Four Building Blocks

Everything in the AESCSF is assembled from four pieces. Understand these and the whole framework clicks into place:

  • Domains — 11 subject areas the framework is divided into (Risk Management, Identity & Access Management, and so on).
  • Maturity Indicator Levels (MILs) — a 0-to-3 scale describing how mature the practices in a domain are.
  • Security Profiles (SPs) — SP-1, SP-2 and SP-3 bundle MIL targets across all domains into a single goal based on how critical you are.
  • Anti-patterns — specific serious weaknesses that, if present, undermine your profile regardless of your scores.

In plain terms: domains are what you're assessed on, MILs are how well you're doing it, Security Profiles are the bar you're aiming at, and anti-patterns are the red flags that can stop you clearing that bar.

The 11 Domains

AESCSF v2 organises its practices into 11 domains. They are commonly grouped into four themes — governance, protection, detection/response, and privacy — but each domain is scored independently.

Governance & strategy

  • Cybersecurity Program Management — establishing, funding and governing the overall cyber program.
  • Risk Management — identifying, analysing, treating and monitoring cyber risk.
  • Workforce Management — cyber roles and responsibilities, training, and security awareness.
  • Supply Chain & External Dependencies Management — managing risk from vendors, suppliers, and third-party dependencies.

Protection & defence

  • Cybersecurity Architecture — designing systems and networks to be secure by default, including segregation of critical systems.
  • Identity & Access Management — controlling who can access what, and proving it (including multi-factor authentication).
  • Asset, Change & Configuration Management — knowing what you have and controlling how it changes.
  • Threat & Vulnerability Management — finding, prioritising and remediating threats and vulnerabilities.

Detection & response

  • Situational Awareness — logging, monitoring, and maintaining a common operating picture of the environment.
  • Event & Incident Response, Continuity of Operations — detecting, responding to, and recovering from incidents while keeping operations running.

Privacy

  • Australian Privacy Management — handling personal information in line with Australian privacy obligations.

The weakest-link rule. Because each domain is scored independently and your Security Profile is judged across all of them, your result is governed by your weakest domains, not your strongest. A business that is excellent at Risk Management but weak at Threat & Vulnerability Management does not "average out" — the weak domain holds the whole profile back. Remediation effort should follow the weakest domains, not the most comfortable ones.

Maturity Indicator Levels (MIL-0 to MIL-3)

Within each domain, practices are assessed against a maturity scale. This is the heart of the model: it's not "do you have a policy?" but "is the practice performed, managed, and governed?"

Level Name What it means in practice
MIL-0 Not performed The MIL-1 practices for the domain are not yet in place.
MIL-1 Initial Practices are performed, but may be ad hoc — done, yet not necessarily documented, planned or consistent.
MIL-2 Managed Practices are documented, planned, adequately resourced, and have assigned responsibility and stakeholder involvement. Repeatable.
MIL-3 Measured & governed Practices are governed by policy, measured for effectiveness, reviewed, and continuously improved. Institutionalised.

Two properties of MILs catch people out. First, they are cumulative: to be assessed at MIL-2 in a domain, you must satisfy every MIL-1 and MIL-2 practice — you can't skip a level. Second, each level costs more than the last. The jump from "we do it" (MIL-1) to "we manage it" (MIL-2) is where design effectiveness has to become operating effectiveness — evidence that the control is actually working, not just written down.

Security Profiles (SP-1, SP-2, SP-3)

MILs tell you how mature each domain is. But how mature do you need to be? That depends on how critical your business is — and that's what Security Profiles capture. A Security Profile bundles MIL targets across all 11 domains into a single, criticality-based goal.

Profile Who it's for What it broadly requires
SP-1 — Foundational Smaller or lower-criticality entities A baseline of essential practices across the domains — the entry level of maturity.
SP-2 — Intermediate Higher-criticality energy entities Broadly MIL-2-level maturity across the domains. The target the enhanced SOCI CIRMP Rules set for most energy responsible entities by 30 June 2028.
SP-3 — Advanced The highest-criticality assets The most demanding profile — higher maturity targets across more of the practice set.

Like MILs, Security Profiles are cumulative: SP-2 includes everything in SP-1, and SP-3 includes everything in SP-2. So "moving from SP-1 to SP-2" doesn't mean swapping one set of requirements for another — it means keeping everything you already had and adding a higher bar on top.

Which profile applies to you is driven by your criticality — factors such as AEMO designation, your role in the National Electricity Market, and the consequence of your assets being compromised. A large generation asset and a small retail-facing system can sit on very different profiles.

Anti-Patterns: The Red Flags That Cap Your Result

Here is the piece most newcomers miss. Alongside the maturity practices, the AESCSF assesses a set of anti-patterns — specific practices or conditions that represent a serious cyber security weakness. Examples include:

  • No multi-factor authentication on critical or remotely accessible systems.
  • Flat or unsegmented OT networks, with no separation between critical control systems and general IT.
  • Shared or generic privileged accounts, with no individual accountability.
  • Unsupported or end-of-life systems still in production.
  • No tested, offline or immutable backups of critical systems.

Anti-patterns are scored separately from the maturity practices, and their presence undermines a Security Profile. A profile is only fully attained when its practices are met and no anti-patterns are present. In effect, a single serious anti-pattern can stop you being "AESCSF Met" even when your domain scores look strong. It is the framework's way of saying: maturity on paper counts for little if a fundamental door is left wide open.

Why anti-patterns exist. A maturity model can, in theory, be gamed — an organisation can accumulate documented practices while a glaring, exploitable weakness sits untouched. Anti-patterns are the guardrail against that: they force the obvious, high-consequence gaps to be closed before a profile can be claimed, no matter how good the rest of the assessment looks.

How an AESCSF Assessment Actually Works

Putting the pieces together, an assessment runs roughly like this:

  1. Determine your Security Profile. Establish whether SP-1, SP-2 or SP-3 applies to the asset, and record the basis for that determination.
  2. Answer the practice questions across all 11 domains, indicating whether each practice is not implemented, partially, largely, or fully implemented (some foundational practices are simply yes/no).
  3. Roll the answers up to a MIL per domain. Because MILs are cumulative, a single unmet lower-level practice can hold a domain at a lower level.
  4. Assess the anti-patterns — are any present?
  5. Compare against your target profile. The result shows the percentage of MIL targets met per domain, which domains fall short, and whether any anti-patterns block attainment. A profile is "met" only at 100% of its targets with no anti-patterns present.

The output isn't a single grade — it's a map. It shows exactly which domains are strong, which are holding you back, and what has to be fixed first. That map is what turns a compliance obligation into an actionable remediation plan.

11

Domains

each scored independently; the weakest govern your profile.

4

Maturity levels

MIL-0 to MIL-3 — cumulative, each costing more than the last.

3

Security Profiles

SP-1, SP-2, SP-3 — cumulative targets based on criticality.

0

Anti-patterns allowed

to fully attain a profile — the framework's hard guardrail.

Why the Right Tooling Has Become the Difference

On paper, an AESCSF assessment is "just" a questionnaire. In practice it is a several-hundred-practice, 11-domain, often multi-site maturity program that has to be repeated, evidenced, and defended over years. That gap between the simple description and the real workload is where organisations come unstuck — and it is worth being honest about. The framework rarely defeats an organisation. The way it tries to run the framework does.

Three realities make the AESCSF genuinely hard to sustain by hand:

  • Scale and consistency. Scoring hundreds of practices the same way, every cycle, across every site is beyond what a spreadsheet and an annual consultant visit can reliably hold together. Small inconsistencies in how a practice is interpreted compound into a maturity picture no one fully trusts — and a picture you don't trust is one you can't act on.
  • Visibility between snapshots. You cannot manage what you can only see once a year. If a control regresses the week after your assessment, an annual cycle won't notice for another eleven months — and the regulator's question after an incident is whether maturity was being actively improved, not whether last year's snapshot looked acceptable.
  • Turning answers into action. Raw answers are not a plan. The value is in ranking gaps by risk, surfacing the anti-patterns that quietly cap your profile, tracking remediation through to done, and producing the board-ready reporting that proves the trajectory. Doing all of that by hand, at scale, cycle after cycle, is precisely where good teams fall behind.

This is the quiet shift the move toward SP-2 has forced. At SP-1, an annual document was tolerable. At SP-2, the framework stops being a document and becomes an operating discipline — and operating disciplines need instrumentation. Increasingly, the line between an entity that stays compliant and one that slips is not the strength of its security team; it is whether the team has tooling that keeps maturity visible, repeatable, and defensible without a standing army of consultants.

The right tooling does not replace judgement — it removes the friction that stops capable teams from keeping pace. It scores consistently, ranks gaps by risk, drafts the remediation plan, tracks it to completion, flags anti-patterns before they cap your result, and turns a cycle's work into board-ready Word and Excel reports on demand. That is the difference between the AESCSF being a burden you dread once a year and a management system you actually run — and, more and more, the difference between comfortably meeting your obligations and scrambling to.

What's Different About v2

AESCSF v2 is the current release of the framework. AEMO updates the AESCSF periodically to keep it aligned with the evolving threat landscape, the underlying C2M2 model, and Australian guidance such as the ISM and Essential Eight. Compared with earlier iterations, v2 refines the practice set across the domains, strengthens the mappings to international standards, and treats anti-patterns as an explicit part of how Security Profile attainment is judged — so a v2 assessment is as much about closing high-consequence gaps as it is about accumulating maturity. If you last looked at the AESCSF a few years ago, it's worth re-baselining against v2 rather than assuming your previous result carries over.

Who Needs to Care

Strictly, the AESCSF is a voluntary framework, and AEMO runs an annual voluntary assessment program. In reality it has become the de facto standard for evidencing cyber maturity across the energy sector. And under the SOCI Act, designated energy responsible entities must manage cyber hazards through a CIRMP that demonstrates maturity against an appropriate framework — which, for energy, is the AESCSF. The enhanced CIRMP Rules push that from "SP-1 baseline" to "SP-2 by 30 June 2028" for most energy responsible entities. For those entities, the AESCSF is mandatory in all but name — and the profile you have to hit has just gone up.

Even outside the energy sector, the AESCSF is a useful, OT-aware maturity model for any critical-infrastructure operator that wants a structured, evidence-based view of where it stands.

The Bottom Line

The AESCSF looks complicated from the outside, but it rests on four ideas: domains (what you're assessed on), MILs (how mature each domain is), Security Profiles (the criticality-based bar you're aiming at), and anti-patterns (the serious weaknesses that can cap your result). Read a result through that lens and it becomes a practical instrument: it tells you your target, your weakest domains, and the high-consequence gaps to close first. That's exactly the map an energy business needs to move from where it is to where the SOCI Act now requires it to be.

Frequently Asked Questions

What is the AESCSF?

The Australian Energy Sector Cyber Security Framework is a cyber maturity model maintained by AEMO, built on the US C2M2 and mapped to references such as the NIST CSF, ISO 27001, the ISM and the Essential Eight. It measures how mature an energy entity's cyber practices are across 11 domains and lets it set a target based on criticality. It is the recognised way for energy responsible entities to evidence the cyber element of their SOCI Act obligations.

What are the 11 AESCSF domains?

Cybersecurity Program Management; Risk Management; Workforce Management; Supply Chain & External Dependencies Management; Cybersecurity Architecture; Identity & Access Management; Asset, Change & Configuration Management; Threat & Vulnerability Management; Situational Awareness; Event & Incident Response, Continuity of Operations; and Australian Privacy Management. Each is scored independently, and your Security Profile result is governed by your weakest domains.

What are Maturity Indicator Levels (MILs)?

MILs describe how mature a practice is, from MIL-0 to MIL-3. MIL-0 means the MIL-1 practices are not yet performed; MIL-1 means practices are performed but may be ad hoc; MIL-2 means they are documented, planned, resourced and assigned; MIL-3 means they are governed, measured and continuously improved. MILs are cumulative — to reach MIL-2 you must meet every MIL-1 and MIL-2 practice in the domain.

What is the difference between AESCSF SP-1, SP-2 and SP-3?

Security Profiles bundle MIL targets across the 11 domains into a single, criticality-based target. SP-1 (Foundational) is a baseline for lower-criticality entities; SP-2 (Intermediate) broadly requires MIL-2-level maturity and is the enhanced SOCI CIRMP target for most energy responsible entities by 30 June 2028; SP-3 (Advanced) is the most demanding, for the highest-criticality assets. Profiles are cumulative — SP-2 includes SP-1, and SP-3 includes SP-2.

What are AESCSF anti-patterns?

Anti-patterns are specific serious weaknesses — for example no MFA on critical systems, flat OT networks, shared privileged accounts, unsupported systems, or no tested offline backups. They are assessed separately from the maturity practices, and their presence undermines a Security Profile: a profile is only fully attained when its practices are met and no anti-patterns are present. A single serious anti-pattern can stop you being "AESCSF Met" even with strong domain scores.

Is the AESCSF mandatory?

The framework itself is voluntary, and AEMO runs a voluntary annual assessment program. But the SOCI Act's CIRMP obligations require designated energy responsible entities to demonstrate cyber maturity against an appropriate framework — the AESCSF for energy — and the enhanced CIRMP Rules make an SP-2 outcome the effective bar for most of them by 30 June 2028. For those entities it is mandatory in all but name.

Run an AESCSF v2 Assessment Yourself

The CyberAssure AESCSF v2 Maturity Assessment evaluates your posture across all 11 domains with Security Profile targeting for SP-1, SP-2 and SP-3, assesses anti-patterns, and generates board-ready, AEMO-ready Word and Excel reports, a structured gap register, and a prioritised remediation roadmap — no consultants, run on your own device.

View the AESCSF Assessment