Agencies must provide a yearly report to Cyber Security NSW on their compliance with this policy in a format provided by Cyber Security NSW by 31 August each year. This will largely be a maturity-based assessment on the items listed as mandatory requirements including the ACSC Essential 8. It is possible to have a response of “not applicable” with an appropriate explanation that is acceptable to your Agency.
The reports will be summarised and provided to the relevant governance bodies including the Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG) and used to identify common themes and areas for improvement across NSW Government.
Cyber security must be addressed in Agency annual reports or in Department annual reports if the Agency does not have a dedicated annual report. The attestation should address the following items:
- the Agency has assessed its cyber security risks
- cyber security is appropriately addressed at Agency governance forums
- the Agency has a cyber incident response plan, it is integrated with the security components of business continuity arrangements, and has been tested over the previous 12 months (involving senior business executives)
- certification of the Agency’s Information Security Management System(ISMS) is in place or an alternative independent review or audit has been undertaken
The template below is a suggestion only and should be updated to reflect the appropriate wording for the Agency’s situation. The attestation must also be provided to Cyber Security NSW.
Annual attestation template
The following attestation can be adapted to accurately reflect the circumstances of the Agency or Cluster.
Cyber Security Annual Attestation Statement for the 20XX-20XX Financial Year for [Department or Statutory Body]
I, [name of Department Head or Governing Board of the Statutory Body], am of the opinion that [name of Department or Statutory Body] have managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy.
Risks to the information and systems of [name of Department or Statutory Body] have been assessed and are managed.
Governance is in place to manage the cyber-security maturity and initiatives of [name of Department or Statutory Body].
There exists a current cyber incident response plan for [name of Department or Statutory Body] which has been tested during the reporting period.
An independent review/audit/certification of the Agency’s ISMS or effectiveness of controls or reporting against the mandatory requirements of the NSW Cyber Security Policy was undertaken by [review or audit provider] and found to be adequate or being properly addressed in a timely manner.