Cyber security policies
Cyber Security NSW leads and coordinates cyber security across the NSW Government, setting mandatory policy requirements and supporting agencies to manage cyber risk. It translates policy into practical guidance, delivers services and capability uplift, and leads whole‑of‑government responses to significant cyber incidents.
NSW Cyber Security Policy
The NSW Cyber Security Policy sets the mandatory requirements that all NSW Government agencies must meet to manage and reduce risks to their information, systems and services.
By 31 October each year, agencies must report to Cyber Security NSW, either through their portfolio Chief Information Security Officer (CISO) or directly.
Agencies must report:
- their assurance assessment against all mandatory requirements in the NSW Cyber Security Policy for the previous financial year
- any cyber security risks with a residual rating of high or extreme
- an attestation on their cyber security posture
- an assessment against all-of-government cyber security risks
- a crown jewel asset inventory.
Tools and resources
Cyber Security NSW can provide guidance documents and toolkits to assist agencies with implementation of the NSW Cyber Security Policy. For copies of these documents, or for advice regarding the policy, please contact info@cyber.nsw.gov.au.
Cyber Security NSW Circulars
Cyber Security NSW assists with the development of Circulars to advise of and/or mandate certain cyber security practices for NSW Government entities and staff, as required.
- DCS-2021-02 NSW Cyber Security Policy – requires all NSW Government departments and agencies to implement the NSW Cyber Security Policy, to ensure an integrated approach to preventing and responding to cyber security threats
- DCS-2022-03 Accessing NSW Government digital systems while overseas – requires staff to seek approval from their department/agency cyber security team if they intend to access their NSW Government ICT accounts while overseas
- 22-39 Release of Cyber Security Guidelines for NSW Local Government – outlines cyber security standards and controls recommended by Cyber Security NSW for NSW local government entities
- DCS-2025-01 Cyber Security NSW Directive - Restricted Applications List – restricts access to products, applications and web services from NSW Government-issued devices, or personal devices that are used for government business, that are identified as posing unmanageable foreign ownership, control or influence risks.
- DCS-2025-04 - Cyber Security NSW directive – Targeted Initiatives for NSW Government – mandates expectations for agencies to prioritise uplift to achieve compliance against key Mandatory Requirements set out in the NSW Cyber Security Policy and details additional requirements for agencies to provide information to Cyber Security NSW.
- DCS-2025-06 Managing Cyber Security Incident Information: Limited Use Obligations for NSW Government – sets mandatory requirements for NSW Government agencies on handling ‘limited use’ cyber security incident information under the Intelligence Services Act 2001 (Cth) and Cyber Security Act 2024 (Cth).