Cyber Security Policy
The policy outlines the requirements that NSW government departments and agencies must adhere to in order to ensure cyber security risks are appropriately managed.
Summary of Your Agency's Reporting Obligations
Cluster Chief Information Security Officers (CISOs) and/or central cluster cyber security teams are to coordinate policy reporting across the entirety of their cluster. In April each year, Cluster CISOs are to provide Cyber Security NSW with an updated list of all agencies in their cluster and how they will be reporting, in a template provided by Cyber Security NSW.
By 31 October each year, agencies must submit a report to their cluster CISO, or Cyber Security NSW, in a template provided by Cyber Security NSW, covering the following:
- Maturity reporting against all mandatory requirements in this policy and the Australian Cyber Security Centre (ACSC) Essential Eight for the previous financial year. The reporting template is to be provided by Cyber Security NSW.
- Cyber security risks with a residual rating of high or extreme and a list of the agencies' "crown jewels".
- An attestation on cyber security to also be included in each agency's individual annual report. If your agency does not complete an annual report, an attestation must still be completed and signed off by your Agency Head.
NSW Government agencies can request the Policy Maturity Reporting Template from policy@cyber.nsw.gov.au.
NSW Cyber Security Policy (PDF, 662.51 KB)
Tools and Resources
Some tools and resources have been produced to assist with reporting requirements for the Cyber Security Policy. These documents have been listed below. NSW Government agencies can request these documents from policy@cyber.nsw.gov.au.
If you are a contractor or third party undertaking work on behalf of a NSW Government agency, please ask the entity to contact Cyber Security NSW on your behalf.