Streamline ISO Consultants

By

The Quick Guide to Australian Cyber Security Policies

Many State governments have recently undergone a change in policies surrounding cybersecurity as a result of increasing cybercrimes.

Published in January 2020, the Australian Government Information Security Manual outlines a risk-based framework that organisations can apply to protect their systems and information from cyber risks. Its principles have been grouped into four key activities:

  • Govern: Identify and manage security risks
  • Protect: implement controls to reduce security risks
  • Detect: detect and understand incidents and events
  • Respond: Respond and recover from incidents

The manual is not a mandatory requirement and does not override legislative or legal obligations.

To help government departments and public service agencies understand their state requirements, a summary has been provided.

New South Wales

Effective from February 2019, the NSW Cyber Security Policy replaces the NSW Digital Information Security Policy 2015.

The policy aims to protect systems from a compromise of confidentiality, integrity, and availability of data, by strengthening cyber security governance and controls, identifying operationally vital systems, developing a cyber security culture and implementing an all-of-government approach to cyber incident response.

Mandatory for all NSW Government Departments and Public Service Agencies, the policy covers information and communication technology (ICT) systems and industrial automation and control systems (IACS) that handle government or citizen data or provide government services.

The policy contains five key requirements:

  1. Planning and Governance
    Centered around leadership’s commitment, government departments and public service agencies must provide adequate support throughout the management framework and cybersecurity plan.
  2. Cyber Security Culture
    Adequate staff awareness of cybersecurity risks, regular training, proper screening is needed to foster a cybersecurity culture.
  3. Manage Cyber Security Risks
    Agencies must implement an information security management system (ISMS) or cybersecurity management system (CSMS) compliant to recognized standards such as ISO/IEC 27001 or ISA/IEC62443 (for IACS). Implement and report against the ACSC Essential 8
  4. Resilience
    As cyber risks evolve, organisational resilience must evolve too. An up-to-date cyber incident response plan must be maintained and tested at least annually. Any cyber incidents must be reported according to the NSW Cyber Security Response Plan.
  5. Report Against the Requirements
    All requirements must be reported annually by August 31 to Cyber Security NSW and their Agency Head of compliance.

Queensland

Effective from October 2018, the Queensland Government Information Security Policy (IS18:2018) seeks to ensure all departments apply a risk-based approach to information security, maintaining confidentiality, integrity, and availability.

Applicable for all Queensland Government departments, the policy aims to enable an appropriate response to the changing environment by aligning to international best practice approaches. Public Services must also reference the policy in the context of internal controls, financial information management systems and risk management.

The policy contains five key requirements:

  1. Departments must implement an ISMS based on ISO 27001
    Aligning to international best practices, departments must implement, operate and maintain an ISMS based on the current version of ISO 27001.
  2. Departments must apply a systematic and repeatable approach to risk management
    A risk management framework must be integrated into the core corporate risk management processes.
  3. Departments must meet minimum security requirements
    ​Compliance must be met with the: 
  4. Departments accountable officers must obtain security assurance for systems
    Accountable officers must apply security assurance to systems based on the criticality and significance of the system.
  5. Accountable officers must attest to the appropriateness of departmental information security
    Departmental accountable officers must provide evidence of the performance of the management system. This must be publicly accessible, through the website or annual report.

Victoria

On October 28, 2019, The Victorian Protective Data Security Standards were revoked in accordance with sections 86 and 87 of the Privacy and Data Protection Act 2014. This has led to the development of the Victorian Protective Data Security Standards V2.0.

V2.0 will be updated in early 2020.

For more information, visit the Victorian Protective Data Security Standards V2.0 website.

South Australia

Effective from December 2019, the South Australian Cyber Security Framework (SACSF) replaces the Information Security Management Framework (ISMF).

Mandatory for all South Australian Government public sector agencies, suppliers and service providers to government agencies, Agencies will have until December 2020 to be compliant to the framework.

The framework adopts a risk-based approach to cybersecurity management to ensure cybersecurity risks are managed in an acceptable manner.

The framework contains 21 policy statements that grouped into four principles: 

  1. Principle One: Governance
    Senior leadership must be held accountable for the implementation and success of the management system, ensuring clear roles and responsibilities are put in place to effectively manage cyber security risks.
  2. Principle Two: Information
    Maintain the confidentiality, integrity, and availability of information and systems through current incident response plans, supporting business resilience plans and controlled access to information.
  3. Principle Three: Personnel
    Ensure employees and contractors are the right people for the job. This can be achieved through screening, continual education, and awareness of cyber risks.
  4. Principle Four: Physical
    Provide a safe and secure location for people, information and assets.

Tasmania

Effective from April 2011, the Tasmanian Government Information Security Framework applies a risk management approach for all agencies to implement.

The Information Security Policy Manual serves as the primary document that outlines the high-level requirements. The policy is based upon the availability, integrity, confidentiality, and proportionality of information.

The policy contains 7 key requirements:

  1. Information Security Governance and Management
    The Agency should implement an information security management system (ISMS) using the ISO 27001 framework. A committee of senior management and leaders must be formed to implement and maintain the management system.
  2. Risk Management
    Regular information security risk assessments should be conducted to ensure an appropriate risk management strategy is implemented.
  3. Resource Management
    Appropriate resource management must be implemented to protect business activity records, control physical access to information and control the use of ICT.
  4. Identify and Access Management
    Agencies must protect information by ensuring only those authorised can access information assets. Authorised personnel must be screened, prior to access, using the Tasmanian Government Identity and Access Management Toolkit.
  5. Personnel and Awareness
    Clear roles and responsibilities must be assigned and understood by all staff to minimise the risk of information misuse. Staff need to be appropriately equipped to carry out their responsibilities.
  6. Incident Management
    Information security incidents and events must be managed through an up-to-date structured approach.
  7. Business Continuity Management
    Agencies must implement a structured approach to business continuity management based on an information security risk assessment.

Western Australia

The Western Australian Digital Security Policy provides direction for public sector agencies to manage digital security risks. It ensures confidentiality, integrity and availability of digital information.

Updated in June 2017, the policy is applicable for whole-of-government and public sector agencies.

The policy contains 4 key requirements:

  1. Implement an Information Security Management System
    Agencies must implement an information security management system that is aligned to its broader risk management plan.
  2. Governance and Accountability
    Clear roles and responsibilities need to be defined and implemented in line with the agencies risk and ICT governance frameworks to ensure consistency and support from executive leaders.
  3. Assess and Treat Security Risks
    A process must be defined that identifies and assesses digital security risks within the agency’s risk appetite.
  4. Continuous Improvement
    Agencies need to support a continuous improvement of digital risk processes. Processes should be routinely monitored, reviewed and tested, ensuring that employee skills and capabilities are simultaneously improved.

This article published by SAI Global

Contact Us Today

Please use the form to the right and one of our Information Security Consultants will contact you within one business day. Alternatively, you are welcome to contact us directly by emailing [email protected] or by calling:

We look forward to hearing from you and answering any questions you may have.

More ISO Certification Information

Brisbane ISO Consultants

Level 14, 167 Eagle St
Brisbane Queensland 4000
Phone: 07 3667 8280
Email: [email protected]

Sydney ISO Consultants

Level 5, 20 Bond Street,
Sydney NSW 2000
Phone: 02 8315 7780
Email: [email protected]

Melbourne ISO Consultants

Level 8, 350 Collins Street
Melbourne, Victoria 3000
Phone: 03 9034 3990
Email: [email protected]

SAI Global Consultant Affiliate Program
Smartsheet Platinum Partner

KEY ISO ARTICLES

Articles, Deep Dives & More
Frequently Asked Questions
Quality Quotes
Funding Grants for ISO Certification
ISO Consultants
Strategic Planning - Mystical Art?
ISO Certification Auditors
How to get ISO 9001 Certification
ISO Certification Cost
How to tell if your ISO Cert is fake
4-year-olds and Root Cause Analysis
Fast ISO 9001 Certification
The Ultimate Guide to ISO 9001 Audit
Certification - How Much and How Long?
Who's Interested in a Party?
How to use Smartsheet for ISO
Smarter Quality Objectives
Local Government QMS
Quality Assurance, Quality Control or QMS
ISO Certification in Sydney
ISO Certification in Melbourne
ISO Certification in Brisbane
blank

QUICKLINKS TO ISO INFO

ISO 9001 Quality Management
ISO 45001 Health & Safety
ISO 14001 Environment
ISO 50001 Energy Management
ISO 55001 Asset Management
ISO 17025 Testing & Calibration
ISO 27001 Information Security
ISO 22000 HACCP Food Safety

Tags

#9001QMS #howmuchdoesitcosttogetiso9001certified #howtoimplementiso9001 #howtotransistionfromiso9001 #iso9001 #ISO9001:2015 #iso9001context #iso9001policies #iso9001procedures #iso9001scope #ISO9001sections #iso9001successfactors #iso9001version2008 #ISO90012015 #ISOConsultant #QualityAssurance #QualityManagementSystems #qualityquote #risksofiso9001 #startingiso9001 #theimportanceofiso9001 #whatarethesuccessfactorsofiso9001 #whatisiso9001 #whatisiso9001version2008 #whyiso9001isimportant

GET SOCIAL!

Facebooktwitterlinkedintumblr