Cyber Security Policy

Summary of Your Agency’s Reporting Obligations

  • By 31 August each year, submit a report to your Agency head and Cyber Security NSW, in a template provided by Cyber Security NSW, covering the following:
    1. Assessment against all mandatory requirements in this policy for the previous financial year, including a maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8
    2. Cyber security risks with a residual rating of high or extreme
    3. A list of the Agency’s “crown jewels”
  • Include an attestation on cyber security in your annual report and provide a copy to Cyber Security NSW


Strong cyber security is an important component of the NSW Digital Government Strategy. Cyber security covers all measures used to protect systems - and information processed, stored or communicated on these systems - from compromise of confidentiality, integrity and availability.

Cyber security risks have continued to evolve in recent years and rapid technological change has resulted in increased cyber connectivity and more dependency on cyber infrastructure.

The word “systems” in this policy refers to: software, hardware, communications, networks and includes specialised systems such as industrial and automation control systems, telephone switching and PABX systems, building management systems and internet connected devices.

The NSW Cyber Security Policy (the policy) replaces the NSW Digital Information Security Policy 2015 and is part of the action plan outlined in the 2018 NSW Cyber Security Strategy. Key improvements include strengthening cyber security governance, identifying an Agency’s most valuable or operationally vital systems or information (also called the “crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff, working across government to share security and threat intelligence and a whole of government approach to cyber incident response.

Agencies must establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes. When cyber security risk management is done well, it underpins organisational resilience because entities know their risks, make informed decisions in managing those risks, identify opportunities and continuously improve. This is reinforced with meaningful training, communications and support across all levels of the Agency.


The policy outlines the mandatory requirements to which all NSW Government Departments and Public Service Agencies must adhere, to ensure cyber security risks to their information and systems are managed. This policy is designed to be read by Agency Heads, Chief Information Officers, Chief Information Security Officers (or equivalent), Audit and Risk teams and all Executives.


This policy applies to all NSW Government Departments and Public Service Agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies). In this policy, references to “lead cluster Departments” or “clusters” mean the Departments listed in Part 1, Schedule 1. The term “Agency” is used to refer to any or all NSW Government Departments and Public Service Agencies.

This policy applies to:

  • information and communications technology (ICT) systems, and
  • industrial automation and control systems (IACS) that handle government or citizen data or provide critical government services

This policy mandates a number of requirements that are a minimum that all agencies must implement. There is flexibility in some of the requirements to make an informed, risk-based decision on the type and number of controls that are implemented by an Agency.

Agencies that provide higher risk services and hold higher risk information should implement a wider range of controls and be aiming for broader coverage and higher maturity levels. It is recommended that Agencies seek additional guidance, strategies and controls from supplementary sources mentioned in the useful links section.

In accordance with Premier’s Memorandum M1999-19 Applicability of Memoranda and Circulars to State Owned Corporations, this policy does not apply to State Owned Corporations. This policy is however recommended for adoption in State Owned Corporations, as well as local councils and universities.


Exemptions to any part of this policy may be sought by Agency heads from the Government Chief Information and Digital Officer (GCIDO) who will be advised by the NSW Chief Cyber Security Officer (NSW CCSO). Please contact

Cyber Security NSW
Digital.nsw and Customer Service ICT
Department of Customer Service