Cyber Security Policy

Summary of Your Agency’s Reporting Obligations

Cluster Chief Information Security Officers (CISOs) and/or central cluster cyber security teams, are to coordinate policy reporting across the entirety of their cluster. In April each year, Cluster CISOs are to provide Cyber Security NSW with an updated list of all agencies in their cluster and how they will be reporting, in a template provided by Cyber Security NSW.

  • By 31 August each year, agencies must submit a report to their cluster CISO, or Cyber Security NSW, in a template provided by Cyber Security NSW, covering the following:
    1. Assessment against all mandatory requirements in this policy for the previous financial year
      Summary of the 'Mandatory 25' Requirements for Cyber Security.
      Summary of the 'Mandatory 25' Requirements for Cyber Security. Click for larger version.


    2. A maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8
    3. Cyber security risks with a residual rating of high or extreme
    4. A list of the agencies' “crown jewels”
  • Agencies are to include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year. If your agency does not complete an annual report, an attestation must still be completed and signed off by your Agency Head and submitted to your cluster CISO.

CSP Maturity Reporting Template can be requested from [email protected]


Strong cyber security is an important component of the NSW Beyond Digital Strategy, enabling the effective use of emerging technologies and ensuring confidence in the services provided by NSW Government. Cyber security covers all measures used to protect systems – and information processed, stored or communicated on these systems – from compromise of confidentiality, integrity and availability.

Cyber security is becoming more important as cyber risks continue to evolve. We have also had rapid technological change resulting in increased cyber connectivity and more dependency on cyber infrastructure.

The NSW Cyber Security Policy (the policy) replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the policy include strengthening cyber security governance, identifying an agency’s most valuable or operationally vital systems or information (“crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff, working across government to share security and threat intelligence and a whole of government approach to cyber incident response.  The policy is reviewed annually and updated based on agency feedback and emerging cyber security threats.

Agencies must establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes. When cyber security risk management is done well, it reinforces organisational resilience, making entities aware of their risks and helps them make informed decisions in managing those risks. This should be complemented with meaningful training, communications and support across all levels of the agency.


The policy outlines the mandatory requirements to which all NSW government departments and Public Service agencies must adhere, to ensure cyber security risks to their information and systems are appropriately managed. This policy is designed to be read by Agency Heads and all Executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams.


This policy applies to all NSW government departments and Public Service agencies, including statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister, or direct to the Premier. In this policy, references to “lead cluster departments” or “clusters” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW government departments, Public Service agencies and statutory authorities. Please see guidance for more information.

This policy applies to:

  • Information, data and digital assets created and managed by the NSW public sector, including outsourced information, data and digital assets;
  • information and communications technology (ICT) systems, and
  • Operational Technology (OT) and Internet of Things (IoT) devices that handle government or citizen data or provide critical government services

This policy specifies 25 mandatory requirements that all agencies MUST implement.

Agencies must continually improve their cyber security program. Uplift of cyber security policy maturity should be approached through risk-based decision making to prioritise higher risks.

Agencies that provide critical or higher risk services and hold higher risk information should implement a wider range of controls and be aiming for broader coverage and higher maturity levels. Agencies implementing high risk projects must seek additional guidance, strategies and controls when implementing their security plan, including from supplementary sources mentioned in the useful links section.

This policy is not mandatory for state owned corporations, however it is recommended for adoption in state owned corporations, as well as local councils and universities as a foundation of strong practice.

For the purposes of this policy, references to employees and contractors only applies to people who have access to organisation systems and/or ICT.

Assistance implementing the Policy

Cyber Security NSW can assist agencies implementing the policy, with an FAQ document and guidelines on several cyber security topics. For copies of these documents or for advice regarding the policy please contact [email protected]

Agencies must identify their central cluster Chief Information Security Officer (CISO) and maintain contact with them throughout the policy reporting period, especially if they require assistance meeting the reporting and maturity requirements outlined.


Exemptions to this policy will only be considered in exceptional circumstances. To seek an exemption, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.


[email protected]
Cyber Security NSW
Digital.nsw and Customer Service ICT
Department of Customer Service