Cyber Security Policy

Summary of Your Agency’s Reporting Obligations

Cluster Chief Information Security Officers (CISOs) and/or central cluster cyber security teams are to coordinate policy reporting across their entire cluster. In April each year, Cluster CISOs are to provide Cyber Security NSW with an updated list of all agencies in their cluster and how each will be reporting, in a template provided by Cyber Security NSW.

  • By 31 August each year, agencies must submit a report to their cluster CISO, or to Cyber Security NSW, in a template provided by Cyber Security NSW, covering the following:
    1. Assessment against all mandatory requirements in this policy for the previous financial year
      (Figure: Summary of the 'Mandatory 25' Requirements for Cyber Security.)

    2. A maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8
    3. Cyber security risks with a residual rating of high or extreme
    4. A list of the agency’s “crown jewels”
  • Agencies are to include an attestation on cyber security in their annual report and provide a copy to Cyber Security NSW by 31 August each year. If your agency does not complete an annual report, an attestation must still be completed and signed off by your Agency Head and submitted to your cluster CISO.

CSP Maturity Reporting Template can be requested from


Strong cyber security is an important component of the NSW Beyond Digital Strategy, enabling the effective use of emerging technologies and ensuring confidence in the services provided by NSW Government. Cyber security covers all measures used to protect systems – and information processed, stored or communicated on these systems – from compromise of confidentiality, integrity and availability.

Cyber security is becoming more important as cyber risks continue to evolve. Rapid technological change has also increased connectivity and dependency on digital infrastructure.

The NSW Cyber Security Policy (the policy) replaced the NSW Digital Information Security Policy from 1 February 2019. New requirements of the policy include strengthening cyber security governance, identifying an agency’s most valuable or operationally vital systems or information (“crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff, working across government to share security and threat intelligence, and a whole of government approach to cyber incident response. The policy is reviewed annually and updated based on agency feedback and emerging cyber security threats.

Agencies must establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes. When cyber security risk management is done well, it reinforces organisational resilience, making entities aware of their risks and helping them make informed decisions in managing those risks. This should be complemented with meaningful training, communications and support across all levels of the agency.


The policy outlines the mandatory requirements to which all NSW government departments and Public Service agencies must adhere, to ensure cyber security risks to their information and systems are appropriately managed. This policy is designed to be read by Agency Heads and all Executives, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams.


This policy applies to all NSW government departments and Public Service agencies, including statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister, or direct to the Premier. In this policy, references to “lead cluster departments” or “clusters” mean the departments listed in Part 1, Schedule 1 of the Government Sector Employment Act 2013. The term “agency” is used to refer to any or all NSW government departments, Public Service agencies and statutory authorities.

This policy applies to:

  • information, data and digital assets created and managed by the NSW public sector;
  • information and communications technology (ICT) systems; and
  • operational technology (OT) that handles government or citizen data or provides critical government services.

This policy mandates a number of requirements all agencies MUST implement. There is flexibility to make an informed, risk-based decision on the type and number of controls that are implemented by an agency as part of its Information Security Management System or Cyber Security Framework.

Agencies that provide critical or higher risk services and hold higher risk information should implement a wider range of controls and be aiming for broader coverage and higher maturity levels. It is recommended that agencies seek additional guidance, strategies and controls from supplementary sources mentioned in the useful links section.

This policy is not mandatory for state owned corporations; however, its adoption is recommended for state owned corporations, as well as for local councils and universities.

Assistance implementing the Policy

Cyber Security NSW can assist agencies implementing the policy, with an FAQ document and guidelines on several cyber security topics. For copies of these documents or for advice regarding the policy please contact

Agencies must identify their central cluster Chief Information Security Officer (CISO) and maintain contact with them throughout the policy reporting period, especially if they require assistance meeting the reporting and maturity requirements outlined.


Exemptions to this policy will only be considered in exceptional circumstances. To seek an exemption, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.

Cyber Security NSW
Digital.nsw and Customer Service ICT
Department of Customer Service