Status: Public draft
Control: Informative
Framework version: v1.1 public draft
Identifier: TSF-CMP-1
Owner: TrustSurface Framework
Vocabulary baseline: TSF-GLO-1
Supports: TSF-OVR-1, TSF-MOD-1
This document positions the TrustSurface Framework relative to the governance and security standards most commonly encountered by adopting organisations. It is provided for orientation, not prescription. Readers using TrustSurface alongside an existing standard will find practical guidance on where the two complement each other.
TrustSurface is a lens. It helps organisations identify, measure, and govern the observable trust signals emitted at the digital edge. It does not compete with control frameworks, audit standards, or maturity models. It complements them by translating internal intent into externally meaningful evidence.
TrustSurface is a framework for making trust posture observable, discussable, and governable through signals and evidence. It is:
- not an ISMS
- not a control catalogue
- not an audit standard
- not attack surface management
| Standard / framework | Primary purpose | Primary unit of work | Typical outputs | Where TrustSurface fits |
|---|---|---|---|---|
| ISO/IEC 27001 | Establish and operate an ISMS | Controls, policies, ISMS processes | Statement of Applicability (SoA), policies, audits, continual improvement | Adds a trust-signal view of what stakeholders can observe (e.g. email/domain posture, service transparency) |
| NIST CSF | Organise cyber risk management outcomes | Functions / categories (Identify, Protect, Detect, Respond, Recover) | Profiles, target state, outcomes mapping | Adds a "digital edge" lens that connects outcomes to observable trust signals and evidence refresh |
| COBIT | Govern and manage enterprise IT | Governance and management objectives | Objectives, accountability, metrics | Adds a focused posture lens for externally-facing systems, supporting executive decision rights and reporting |
| ASD Essential Eight | Reduce likelihood and impact of common cyber attacks | Eight mitigation strategies and maturity levels | Maturity assessments, remediation plans | Helps decide where Essential Eight maturity matters most at the edge; makes assurance visible via signals |
| Australian Government ISM | Cyber security framework guidance for protecting systems and data | Controls / guidelines applied via risk management | Control profiles, implementation guidance, assurance artefacts | Provides the control depth; TrustSurface provides an externally observable evidence lens across the trust surface |
| PSPF | Protective security policy for people, information, and resources | Security domains and required outcomes | Policy compliance, maturity reporting, protective security plans | Helps turn policy intent into observable trust posture for digital-facing services and delegated trust |
Use TrustSurface to strengthen ISO/IEC 27001 where stakeholders judge you externally:
- treat Trust Surface domains as ISMS-relevant groupings at the digital edge
- use Trust Signals to define evidence expectations for trust-critical controls (email, domains, public services, third-party integrations)
- use TrustSurface artefacts (inventory, scorecard, signal gap log) as inputs to management review
Use TrustSurface to connect NIST CSF outcomes to externally meaningful evidence:
- map Trust Surface domains to CSF outcomes (especially Identify and Protect)
- use signals to validate outcomes with evidence (e.g. spoof resistance, transport integrity, service reliability)
- use the operating rhythm to establish a lightweight reassessment cadence
Use TrustSurface alongside COBIT to operationalise governance intent into evidence:
- clarify decision rights and ownership for trust-critical systems
- add trust posture measures alongside service and risk measures
- use the Trust Signal Gap to track "assurance intent vs observable reality"
The Essential Eight is a set of mitigation strategies with maturity levels. TrustSurface does not restate those controls.
Use TrustSurface to:
- identify which parts of your environment are trust-critical at the edge (e.g. identity boundary, email integrity, public services)
- set evidence expectations for externally visible outcomes (e.g. resistance to impersonation, predictable service behaviour)
- ensure maturity uplift is governed through ownership, cadence, and exception handling
The ISM provides broad control guidance and implementation depth. TrustSurface provides a surface-oriented lens over externally experienced trust posture.
Use TrustSurface to:
- make "what we must protect" explicit as a Trust Surface inventory
- define what evidence will be used to demonstrate posture for trust-critical areas
- avoid over-measuring: focus on high-value, high-visibility signals that affect reputation and stakeholder confidence
PSPF sets policy outcomes across protective security domains. TrustSurface can help governance teams ensure the digital edge aligns to policy intent.
Use TrustSurface to:
- translate policy-level requirements into observable posture for digital services and delegated trust
- maintain a rhythm of reassessment (not a once-a-year compliance exercise)
- surface exceptions and residual gaps as governance decisions
Traditional frameworks answer:
- Are controls defined and operating?
- Are we managing risk within appetite?
TrustSurface adds:
- What signals are we emitting at the digital edge?
- Would an external stakeholder (or attacker) observe weak posture?
- Do we have evidence, ownership, and cadence to keep signals strong?
External references:
- ASD Essential Eight: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight
- ASD Information Security Manual (ISM): https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism
- Protective Security Policy Framework (PSPF): https://www.protectivesecurity.gov.au/
Related TrustSurface documents:
- TSF-OVR-1 - Framework Overview
- TSF-MOD-1 - Trust Surface Model and Domains
- TSF-DEF-1 - Core Definitions
- TSF-GOV-1 - Governance Integration
- TSF-SIG-1 - Trust Signal Catalogue
- TSF-MAT-1 - Digital Trust Maturity Model
- TSF-GLO-1 - Glossary
- TSF-ADP-1 - Adoption Guidance (practical operating guidance for adopters)
TSF-CMP-1 positions TrustSurface as a complementary lens alongside ISO/IEC 27001, NIST CSF, COBIT, ASD Essential Eight, the Australian Government ISM, and the PSPF. In each case, the existing standard provides control depth or policy structure; TrustSurface provides the externally observable trust-signal evidence layer that connects internal assurance to stakeholder-visible posture.