An Overview of Cyber Security and Asset Management Standards in the Australian Mining and Minerals Sector

An Overview of Cyber Security and Asset Management Standards in the Australian Mining and Minerals Sector

RMIT University Centre for Cyber Security Research and Innovation (CCSRI) was commissioned by the Joint Accreditation System of Australia and New Zealand (JASANZ) to examine the effectiveness of three ISO and ISO-IEC Standards (AS ISO/IEC 27001; AS ISO/IEC550001 and AS ISO 22301) in the mining and minerals sector, benefits of implementing these Standards, and barriers to their implementation.

The impetus for this research: between 2019 and 2020, there was a four-fold increase in reported cyber breaches among mining companies (Verizon, 2019). Mining and mineral resources are significant sources of wealth and income in Australia. The sector employs 1.2 million people and generates $50 billion average earnings per year and $160 billion of resource exports (AusIMM, 2023). Highly sophisticated cyber-attacks are proliferating across the economy. Ensuring the mining and minerals sector is resilient to these threats is pivotal for safeguarding Australia’s economic prosperity.

RMIT CCSRI conducted in-depth research through an extensive gap analysis literature review, surveying industry practitioners, and conducting focus groups and one-on-one interviews with industry experts and experienced practitioners.

The report found ten key issues, with respect to cyber security, business continuity and asset management risks in the mining and minerals sector:

  • Lack of a regulatory framework around cyber security and asset management in the mining industry.
  • Boards and company officers had limited visibility of cyber vulnerabilities and asset management risks within their business.
  • Awareness of ISO and ISO-IEC Standards is low amongst small-to medium companies.
  • The three ISO and ISO-IEC Standards are not complementary to one another.
  • The ISO and ISO-IEC Standards are difficult to understand: they are perceived to be difficult to understand and too technical in nature.
  • ISO and ISO-IEC Standards are ill-suited to the sector’s unique environment. As a result, many mining and minerals companies use in-house standards.
  • ISO and ISO-IEC Standards are not suitable for evolving threat environment.
  • ISO and ISO-IEC Standards are not used widely in procurement.
  • Cyber security is slowing being viewed as a series challenge by mining and minerals companies.
  • Mining and minerals companies use legacy systems, which are highly prone to attacks due to the age of the systems and lack of security features.

The report makes 17 recommendations for Government (including JASANZ), Industry and Mining and Minerals companies, to mitigate these risks. These are primarily for:

Government to:

  • Implement a legislative framework to ensure preparedness and response capabilities against cyber incidents, including potential obligations under a revised SOCI Act.
  • Promote relevant security standards, including ISO and ISO-IEC Standards, through national outreach programs.
  • Provide financial support to small and medium-sized companies to access ISO and ISO-IEC Standards.


  • Simplify the standards, ensure they are complimentary to each other, and tailored to the mining sector’s needs, and are updated more frequently.
  • Develop case studies and adoption strategies tailored for small and medium-sized enterprises to demonstrate the benefits of ISO and ISO-IEC Standards.
  • Establish an industry network of ISO Champions to promote ISO and ISO-IEC Standards within the mining and minerals sector.

Industry Bodies to:

  • Conduct low-cost or free cybersecurity and asset management awareness, training, and skills development programs to enhance preparedness in the sector.
  • Mining and Minerals Companies to:
  • Mandate ISO certification for third-party suppliers, whenever possible.
  • Consider adopting ISO and ISO-IEC Standards to foster an ongoing security culture and build trust with the wider community.
  • Invest in modernising systems, including newer Operational Technology systems. For legacy systems, implement compensating controls to mitigate risks.

Read the Key Findings Report and White Paper

27 November 2023


27 November 2023


Related News

aboriginal flag
torres strait flag

Acknowledgement of Country

RMIT University acknowledges the people of the Woi wurrung and Boon wurrung language groups of the eastern Kulin Nation on whose unceded lands we conduct the business of the University. RMIT University respectfully acknowledges their Ancestors and Elders, past and present. RMIT also acknowledges the Traditional Custodians and their Ancestors of the lands and waters across Australia where we conduct our business - Artwork 'Luwaytini' by Mark Cleaver, Palawa.