Streamline ISO Consultants

12/03/2020 By admin

The Quick Guide to Australian Cyber Security Policies

Many State governments have recently changed their cybersecurity policies in response to increasing cybercrime.

Published in January 2020, the Australian Government Information Security Manual outlines a risk-based framework that organisations can apply to protect their systems and information from cyber risks. Its principles have been grouped into four key activities:

  • Govern: identify and manage security risks
  • Protect: implement controls to reduce security risks
  • Detect: detect and understand incidents and events
  • Respond: respond to and recover from incidents

The manual is not a mandatory requirement and does not override legislative or legal obligations.

To help government departments and public service agencies understand the requirements that apply in their state, a summary of each state's policy is provided below.

New South Wales

Effective from February 2019, the NSW Cyber Security Policy replaces the NSW Digital Information Security Policy 2015.

The policy aims to protect the confidentiality, integrity and availability of systems and data by strengthening cyber security governance and controls, identifying operationally vital systems, developing a cyber security culture and implementing an all-of-government approach to cyber incident response.

Mandatory for all NSW Government Departments and Public Service Agencies, the policy covers information and communication technology (ICT) systems and industrial automation and control systems (IACS) that handle government or citizen data or provide government services.

The policy contains five key requirements:

  1. Planning and Governance
    Centred on leadership's commitment, government departments and public service agencies must provide adequate support for the cyber security management framework and cybersecurity plan.
  2. Cyber Security Culture
    Adequate staff awareness of cybersecurity risks, regular training and proper screening are needed to foster a cybersecurity culture.
  3. Manage Cyber Security Risks
    Agencies must implement an information security management system (ISMS) or cybersecurity management system (CSMS) compliant with recognised standards such as ISO/IEC 27001 or ISA/IEC 62443 (for IACS), and must implement and report against the ACSC Essential 8.
  4. Resilience
    As cyber risks evolve, organisational resilience must evolve too. An up-to-date cyber incident response plan must be maintained and tested at least annually. Any cyber incidents must be reported according to the NSW Cyber Security Response Plan.
  5. Report Against the Requirements
    All requirements must be reported annually, by 31 August, to Cyber Security NSW and to the Agency Head responsible for compliance.

Queensland

Effective from October 2018, the Queensland Government Information Security Policy (IS18:2018) seeks to ensure all departments apply a risk-based approach to information security, maintaining confidentiality, integrity, and availability.

Applicable for all Queensland Government departments, the policy aims to enable an appropriate response to the changing environment by aligning to international best practice approaches. Public Services must also reference the policy in the context of internal controls, financial information management systems and risk management.

The policy contains five key requirements:

  1. Departments must implement an ISMS based on ISO 27001
    Aligning with international best practice, departments must implement, operate and maintain an ISMS based on the current version of ISO 27001.
  2. Departments must apply a systematic and repeatable approach to risk management
    A risk management framework must be integrated into the core corporate risk management processes.
  3. Departments must meet minimum security requirements
    Departments must comply with the:
    • Queensland Government Information Security Classification Framework (QGISCF)
    • Data encryption standard
    • Queensland Government Authentication Framework (QGAF)
    • Australian Signals Directorate (ASD) "Essential Eight" Strategies
  4. Departments' accountable officers must obtain security assurance for systems
    Accountable officers must apply security assurance to systems based on the criticality and significance of the system.
  5. Accountable officers must attest to the appropriateness of departmental information security
    Departmental accountable officers must provide evidence of the performance of the management system. This evidence must be publicly accessible, through the website or annual report.

Victoria

On October 28, 2019, the Victorian Protective Data Security Standards were revoked in accordance with sections 86 and 87 of the Privacy and Data Protection Act 2014. This led to the development of the Victorian Protective Data Security Standards V2.0.

V2.0 will be updated in early 2020.

For more information, visit the Victorian Protective Data Security Standards V2.0 website.

South Australia

Effective from December 2019, the South Australian Cyber Security Framework (SACSF) replaces the Information Security Management Framework (ISMF).

The framework is mandatory for all South Australian Government public sector agencies and for suppliers and service providers to government agencies. Agencies have until December 2020 to become compliant with the framework.

The framework adopts a risk-based approach to cybersecurity management to ensure cybersecurity risks are managed in an acceptable manner.

The framework contains 21 policy statements that are grouped into four principles:

  1. Principle One: Governance
    Senior leadership must be held accountable for the implementation and success of the management system, ensuring clear roles and responsibilities are put in place to effectively manage cyber security risks.
  2. Principle Two: Information
    Maintain the confidentiality, integrity, and availability of information and systems through current incident response plans, supporting business resilience plans and controlled access to information.
  3. Principle Three: Personnel
    Ensure employees and contractors are the right people for the job. This can be achieved through screening, continual education, and awareness of cyber risks.
  4. Principle Four: Physical
    Provide a safe and secure location for people, information and assets.

Tasmania

Effective from April 2011, the Tasmanian Government Information Security Framework applies a risk management approach for all agencies to implement.

The Information Security Policy Manual serves as the primary document that outlines the high-level requirements. The policy is based upon the availability, integrity, confidentiality, and proportionality of information.

The policy contains seven key requirements:

  1. Information Security Governance and Management
    The Agency should implement an information security management system (ISMS) using the ISO 27001 framework. A committee of senior management and leaders must be formed to implement and maintain the management system.
  2. Risk Management
    Regular information security risk assessments should be conducted to ensure an appropriate risk management strategy is implemented.
  3. Resource Management
    Appropriate resource management must be implemented to protect business activity records, control physical access to information and control the use of ICT.
  4. Identity and Access Management
    Agencies must protect information by ensuring that only authorised people can access information assets. Authorised personnel must be screened, prior to being granted access, using the Tasmanian Government Identity and Access Management Toolkit.
  5. Personnel and Awareness
    Clear roles and responsibilities must be assigned and understood by all staff to minimise the risk of information misuse. Staff need to be appropriately equipped to carry out their responsibilities.
  6. Incident Management
    Information security incidents and events must be managed through an up-to-date structured approach.
  7. Business Continuity Management
    Agencies must implement a structured approach to business continuity management based on an information security risk assessment.

Western Australia

The Western Australian Digital Security Policy provides direction for public sector agencies to manage digital security risks. It ensures confidentiality, integrity and availability of digital information.

Updated in June 2017, the policy is applicable for whole-of-government and public sector agencies.

The policy contains four key requirements:

  1. Implement an Information Security Management System
    Agencies must implement an information security management system that is aligned to its broader risk management plan.
  2. Governance and Accountability
    Clear roles and responsibilities need to be defined and implemented in line with the agency's risk and ICT governance frameworks, to ensure consistency and support from executive leaders.
  3. Assess and Treat Security Risks
    A process must be defined that identifies and assesses digital security risks against the agency's risk appetite.
  4. Continuous Improvement
    Agencies need to support continuous improvement of their digital risk processes. Processes should be routinely monitored, reviewed and tested, ensuring that employee skills and capabilities improve alongside them.

This article was published by SAI Global.
