Compliance Reporting and Attestation

Compliance reporting

Agencies must provide a yearly report for the previous financial year to their cluster CISO, or Cyber Security NSW, on their compliance with this policy in a format provided by Cyber Security NSW by 31 August each year. This will largely be a maturity-based assessment on the items listed as mandatory requirements as well as the ACSC Essential 8. It is possible to have a response of “not applicable” with an appropriate explanation that is acceptable to your agency.

The reports will be summarised and provided to the relevant governance bodies including the Cyber Security Steering Group (CSSG), Secretaries Board, Delivery and Performance Committee of Cabinet (DaPCo), Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG) and used to identify common themes and areas for improvement across NSW Government.

Annual attestation

Agencies must provide a signed annual attestation for the previous financial year to Cyber Security NSW by 31 August each year. This same attestation must be provided in agency annual reports or in department annual reports, if applicable. If your agency does not complete an annual report, an attestation must still be completed and signed off by your agency head and submitted to your cluster CISO. If more than one agency is included in the attestation, a list of all the agencies should be detailed within the attestation itself. The attestation should address the following items:

  • the agency has assessed its cyber security risks
  • cyber security is appropriately addressed at agency governance forums
  • the agency has a cyber incident response plan, it is integrated with the security components of business continuity arrangements, and has been tested over the previous 12 months (involving senior business executives)
  • confirmation of the agency’s Information Security Management System/s (ISMS), Cyber Security Management Framework/s and/or Cyber Security Framework (CSF) including certifications or independent assessment where available
  • what the agency is doing to continuously improve the management of cyber security governance and resilience

Example attestation

The following attestation is a suggestion only and can be adapted to accurately reflect the circumstances of the agency or cluster.

Cyber Security Annual Attestation Statement for the 20XX-20XX Financial Year for [Department or Statutory Body]

I, [name of Department Head or Governing Board of the Statutory Body], am of the opinion that [name of Department or Statutory Body] has managed cyber security risks in a manner consistent with the Mandatory Requirements set out in the NSW Government Cyber Security Policy.

Governance is in place to manage the cyber security maturity and initiatives of [name of Department or Statutory Body].

Risks to the information and systems of [name of Department or Statutory Body] have been assessed and are managed.

There exists a current cyber incident response plan for [name of Department or Statutory Body] which has been tested during the reporting period.

[name of Department or Statutory Body] has an Information Security Management System (ISMS), Cyber Security Management System (CSMS) or Cyber Security Framework (CSF) in place.

[name of Department or Statutory Body] is doing the following to continuously improve the management of cyber security governance and resilience:

This attestation covers the following agencies: [list of agencies]

See guidance documents for more information and/or email the Cyber Security NSW Policy team ([email protected])