Mandatory Requirements

1. Planning and Governance



Agencies must implement cyber security planning and governance. Agencies must:


Allocate roles and responsibilities as detailed in this policy.


Ensure there is a governance committee at the executive level (dedicated or shared) to be accountable for cyber security including risks, plans and meeting the requirements of this policy. Agencies need to consider governance of ICT systems and OT to ensure no gaps in cyber security related to items such as video surveillance, alarms, life safety and building management systems that use automated or remotely controlled or monitored assets including industrial Internet of Things (IoT) devices.


Develop, implement and maintain an approved cyber security plan that is integrated with your agency’s business continuity arrangements. This must include consideration of cyber security threats, risks and vulnerabilities that impact the protection of the agency’s information, ICT assets and services.


Include cyber security in their risk management framework and consider cyber security threats when performing risk assessments.


Be accountable for the cyber risks of their ICT service providers and ensure the providers understand and comply with the cyber security requirements of the contract including the applicable parts of this policy (Section 2.10) and any other relevant agency security policies. This must include providers notifying the agency quickly of any suspected or actual security incidents and following reasonable direction from the agency arising from incident investigations. 

2. Cyber Security Culture



Agencies must build and support a cyber security culture across their agency and NSW Government more broadly. Agencies must:


Implement regular cyber security awareness training for all employees, contractors and outsourced ICT service providers. 


Increase awareness of cyber security risk across all staff including the need to report cyber security risks.


Foster a culture where cyber security risk management is an important and valued aspect of decision-making and where cyber security risk management processes are understood and applied.


Ensure that people who have access to sensitive or classified information or systems and those with privileged system access have appropriate security screening, and that access is removed when they no longer need to have access, or their employment is terminated.


Share information on security threats and intelligence with Cyber Security NSW and cooperate across NSW Government to enable management of government-wide cyber risk.


3. Manage cyber security risks

Prevent Chevron


Agencies must manage cyber security risks to safeguard and secure their information and systems. Agencies must:


Implement an Information Security Management System (ISMS), Cyber Security Management System (CSMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as an agency’s “crown jewels”. The ISMS, CSMS or CSF should be compliant with, or modelled on, one or more recognised ICT, OT or IoT standard (see guideline for more information).


Implement the ACSC Essential 8[1].


Classify information[2]  and systems according to their business value (i.e. the impact of loss of confidentiality, integrity or availability), adhere to the requirements of the NSW Government Information Classification Labelling and Handling Guidelines and

  • assign overall responsibility for information asset protection and ownership 
  • implement controls according to their classification and relevant laws and regulations
  • identify the agency’s “crown jewels” and report them to Cyber Security NSW as per mandatory requirement 5.4.


Ensure cyber security requirements are built into procurements and into the early stages of projects and the system development life cycle (SDLC), including agile projects. Any upgrades to existing systems must incorporate appropriate controls to ensure the solution remains within the organisation’s cyber risk tolerance.


Ensure new ICT systems or enhancements include processes for audit trails and activity logging to assess the accuracy and integrity of data including processes for internal fraud detection.

4. Resilience

Respond Chevron
Recover chevron

Agencies must improve their resilience including their ability to rapidly detect cyber incidents and respond appropriately. Agencies must:


Have a current cyber incident response plan that integrates with the agency incident management process and the NSW Government Cyber Incident Response Plan.


Test their cyber incident response plan at least every year and involve their senior executives responsible for the management of media and external communications. 


Deploy monitoring processes and tools to allow for adequate incident identification and response. Ensure monitoring and scanning actions from advisories and alerts issued by Cyber Security NSW and/or clusters are undertaken in the advised time period.


Report cyber security incidents to their Cluster CISO and/or Cyber Security NSW according to the NSW Cyber Security Response Plan. 


Participate in whole of government cyber security exercises as required.

5. Report against the requirements



Agencies must report against the requirements outlined in this policy and other cyber security measures for the previous financial year. Agencies must:


Report annually to their cluster CISO, or Cyber Security NSW, their compliance with the mandatory requirements in this policy, in the format provided by Cyber Security NSW. Cluster CISOs must provide all reports to Cyber Security NSW by 31 August.


Report annually to their cluster CISO, or Cyber Security NSW, their maturity against the ACSC Essential 8, in the format provided by Cyber Security NSW. Cluster CISOs must provide all reports to Cyber Security NSW by 31 August.


Report annually to their cluster CISO, or Cyber Security NSW, the agency’s cyber security risks with a residual rating of high or extreme[1], in the format provided by Cyber Security NSW by 31 August.


Report annually to their cluster CISO, or Cyber Security NSW, the agency’s “crown jewels”. Cluster CISOs must provide all reports to Cyber Security NSW by 31 August.


Provide a signed attestation to Cyber Security NSW by 31 August each year and include a copy of your attestation in your annual report, as outlined in section 4. If your agency does not complete an annual report, an attestation must still be completed and signed off by your agency head and submitted to your cluster CISO.


[1] As sourced from the agency’s risk register or equivalent and as required in TPP20-08 Internal Audit and Risk Management Policy for the NSW Public Sector: