Mandatory Requirements

1. Planning and Governance

Agencies must implement cyber security planning and governance. Agencies must:

1.1 Allocate roles and responsibilities as detailed in this policy.
1.2 Ensure there is a governance committee at the executive level (dedicated or shared) that is accountable for cyber security, including risks, plans and meeting the requirements of this policy. Agencies need to consider governance of both ICT systems and Industrial Automation and Control Systems (IACS) to ensure there are no gaps in cyber security for items such as video surveillance, alarms, life safety and building management systems that use automated, remotely controlled or remotely monitored assets, including industrial Internet of Things (IoT) devices.
1.3 Have an approved cyber security plan to manage the Agency’s cyber security risks, integrated with business continuity arrangements. This must include consideration of threats, risks and vulnerabilities that impact the protection of the Agency’s information and assets, and services and initiatives to improve.
1.4 Conduct cyber security risk assessments and include identified risks in the Agency’s overall risk management framework.
1.5 Be accountable for the cyber risks of their ICT service providers and ensure the providers comply with the applicable parts of this policy and any other relevant Agency security policies. This must include providers notifying the Agency quickly of any suspected or actual security incidents and following reasonable direction from the Agency arising from incident investigations.

2. Cyber Security Culture

Agencies must build and support a cyber security culture across their Agency and NSW government more broadly. Agencies must:

2.1 Implement regular cyber security education for all employees, contractors and outsourced ICT service providers.
2.2 Increase awareness of cyber security risk across all staff including the need to report cyber security risks and running exercises such as simulations.
2.3 Foster a culture where cyber security risk management is an important and valued aspect of decision-making and where cyber security risk management processes are understood and applied.
2.4 Ensure that people who have access to sensitive or classified information or systems and those with privileged system access have appropriate security screening, and that access is removed when they no longer need to have access or their employment is terminated.
2.5 Share information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Government to enable management of government-wide cyber risk.


3. Manage cyber security risks


Agencies must manage cyber security risks to safeguard and secure their information and systems. Agencies must:

3.1 Implement an Information Security Management System (ISMS) or Cyber Security Management System (CSMS) that is compliant with recognised standards such as ISO/IEC 27001 or ISA/IEC 62443 (for IACS) and implement the relevant controls based on their requirements and risk appetite.
At a Cluster or Agency level, there must be:
  • ISO27001 certification of the ISMS with scope at least covering systems identified as an Agency’s “crown jewels” and including annual surveillance audits, or
  • An annual, independent review or audit of the management system and/or the effectiveness of the controls covered by the management system
  • An annual, independent review or audit of reporting against the mandatory requirements in this policy
3.2 Implement and report against the ACSC Essential 8, including:
  • the Agency’s current maturity level for each control
  • the Agency’s target maturity level and target date for each control, based on the Agency’s risk tolerance.
3.3 Classify information and systems according to their importance (i.e. the impact of loss of confidentiality, integrity or availability) and:
  • assign ownership
  • implement controls according to their classification and relevant laws and regulations
  • identify the Agency’s “crown jewels” and report them to Cyber Security NSW as per mandatory requirement 5.3.
3.4 Ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle (SDLC), including agile projects.
3.5 Ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data including processes for internal fraud detection.

4. Resilience


Agencies must improve their resilience including their ability to rapidly detect cyber incidents, and respond appropriately. Agencies must:

4.1 Have a current cyber incident response plan that integrates with both the Agency’s incident management process and the NSW Government Cyber Incident Response Plan.
4.2 Test their cyber incident response plan at least every year, and involve their senior business and IT executives, functional area coordinators (if applicable), as well as media and communication teams.
4.3 Deploy monitoring processes and tools to allow for adequate incident identification and response.
4.4 Report cyber security incidents to Cyber Security NSW according to the NSW Government Cyber Incident Response Plan.
4.5 Participate in whole of government cyber security exercises as required.

5. Report against the requirements

Agencies must report against the requirements outlined in this Policy and other cyber security measures. Agencies must:

5.1 Report annually by 31 August to Cyber Security NSW and their Agency Head on compliance with this policy in the format provided by Cyber Security NSW.
5.2 Ensure cyber security risks with a residual rating of high or extreme are reported to Cyber Security NSW.
5.3 Ensure the Agency’s “crown jewels” are identified and reported to Cyber Security NSW.
5.4 Provide an attestation on cyber security in annual reports as outlined in section 4 and provide a copy to Cyber Security NSW.