Policy Statement


Having strong cyber security capability and a culture of responsibility is an important component of the NSW Beyond Digital Strategy. It enables the effective use of emerging technologies and ensures confidence in the services provided by NSW Government. Cyber security covers all measures used to protect systems and information processed, stored or communicated on these systems from compromise of confidentiality, integrity and availability.

Cyber security is becoming more important as cyber risks continue to evolve. Rapid technological change in the past decade has resulted in increased cyber connectivity and more dependency on cyber infrastructure.

The NSW Cyber Security Policy (the Policy) replaced the NSW Digital Information Security Policy on 1 February 2019. The Policy is reviewed annually and updated based on agency feedback and emerging cyber security threats and trends.


This Policy outlines the mandatory requirements to which all NSW Government departments and Public Service agencies must adhere to ensure cyber security risks to their information and systems are appropriately managed. This Policy is designed to be read by Agency Heads and all Executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams.


This Policy applies to all NSW Government departments and Public Service agencies, including statutory authorities and all NSW Government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister or direct to the Premier. In this Policy, references to “lead cluster departments” or “clusters” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW Government departments, Public Service agencies and statutory authorities. Email [email protected] for a copy of the guidance documents.

This Policy applies to:

  • Information, data and digital assets created and managed by the NSW public sector, including outsourced information, data and digital assets;
  • information and communications technology (ICT) systems managed, owned or shared by the NSW public sector, and
  • Operational Technology (OT) and Internet of Things (IoT) devices that handle government data, government held citizen data or provide government services.

This policy is not mandatory for state owned corporations, local councils and universities however, it is recommended for adoption by these organisations as a foundation of strong cyber security practice. Cyber Security NSW can work with these types of organisations to help implement the Policy.

For the purposes of this policy, references to employees and contractors applies to people who have access to NSW Government systems and/or ICT.

Risk Based Implementation of the Policy

This policy is risk based and agencies must identify target maturity levels appropriate to their risks, including the type of information they hold and services they provide.

Agencies that provide critical or higher risk services and hold higher risk information must implement a wider range of controls and aim for broader coverage and higher maturity levels. Agencies implementing projects with higher cyber security risks must seek additional guidance, strategies and controls when implementing their security plan, including from supplementary sources mentioned in the useful links section.

The Agency Head must sign off on any target maturity levels below a level 3 (and/or E8 level 0 or 1). Residual risks must be tracked and managed in the risk register with the Agency Head responsible for risk acceptance and the risk register being reviewed quarterly.

Assistance implementing the Policy

Cyber Security NSW may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics. NSW Government entities may contact [email protected] for copies of these documents or for advice regarding the Policy.

Agencies must identify their central cluster Chief Information Security Officer (CISO) and maintain contact with them throughout the Policy reporting period, especially if they require assistance meeting the reporting and maturity requirements outlined below.

If you are a contractor or third party undertaking work on behalf of a NSW Government agency, please ask the entity to contact Cyber Security NSW on your behalf.

Exemptions and extensions

Exemptions to this policy and extensions to reporting will only be considered in exceptional circumstances. To seek an exemption or extension, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.

Independent agencies may seek to raise exemption or extension requests directly to Cyber Security NSW, but are expected to still advise their parent cluster of the request.

Requests must be made in writing to Cyber Security NSW at [email protected], prior to 30th September.

Last updated