Threat-based cyber risk management
Each agency has its own unique operational context that influences the threats and risks they are exposed to. Likewise, the business objectives and constraints of an agency will also inform how risks are managed and which mitigation strategies should be prioritised.
Using the cyber security risk management program established through implementation of the Mandatory Requirements, agencies are best placed to manage key risks aligned to business objectives and make continuous improvements. This includes identification, prioritisation and implementation of additional controls beyond the Mandatory Requirements.
Agencies that provide critical or higher-risk services and hold higher-risk information should implement a wider range of controls and aim for broader coverage and effective implementation of those controls. Agencies implementing projects with higher cyber security risks must seek additional guidance, strategies and controls when implementing their security strategy and plan, including from supplementary sources mentioned in Useful links.
As part of a risk-based approach to cyber security, Cyber Security NSW recommends agencies update their risk management program for cyber security to incorporate consideration of key threats, including:
- establishing threat modelling processes to inform cyber security risk assessments
- implementing appropriate mitigation strategies to address the identified threats and risks, with control prioritisation aligned to the business objectives and organisational context of the agency; this may include consideration of:
  - ACSC Essential Eight controls at Level 2 and Level 3 maturity
  - zero-trust principles and related implementation strategies, e.g. NIST SP 800-207, CISA Zero Trust Maturity Model, etc.
  - environment-specific mitigation strategies (including cloud, enterprise mobility, OT and IoT assets)
  - commonly used good practice control frameworks, e.g. ISO 27002:2022, Australian Signals Directorate (ASD) ISM, etc.
- criticality of services provided by the agency and sensitivity of information held or processed by the agency.
Cyber Security NSW provides optional threat reporting templates to assist agencies in sharing information on key threats and risks. For copies of these templates please contact info@cyber.nsw.gov.au.
Establishing effective threat modelling and risk management practices is an ongoing journey of continuous improvement, and it depends on the effective implementation of multiple Mandatory Requirements. Agencies that do not yet have the capability to begin establishing threat modelling processes should therefore identify and assess the longer-term uplift required as part of their cyber security strategy development, so that they can support threat-based risk management and align their risk management processes with business objectives.
Cyber Security NSW has threat modelling resources available to support agencies with establishing threat modelling in their entity. These resources are optional for agencies to use and not a requirement for implementing the threat-based requirements.