In 2023, the NSW Cyber Security Policy underwent a significant refresh. The changes include additional requirements based on the evolving threat landscape, improvements to self-assessment reporting and the incorporation of recommendations from the Audit Office of NSW.

All NSW Government departments and public service agencies (Government Sector Employment Act 2013 Schedule 1 public service agencies) must comply with the NSW Cyber Security Policy. This includes statutory authorities and all NSW Government entities that submit an annual report directly to a Minister, directly to the Premier, or to a Secretary of a lead department or portfolio.

The NSW Cyber Security Policy is recommended for adoption by state-owned corporations, non-government organisations, local government and universities as a foundation of strong cyber security practice, in accordance with associated regulations and guidelines.

By 30 June each year, portfolio Chief Information Security Officers (CISOs) must provide Cyber Security NSW with an updated list of all agencies in their portfolio, with confirmation of whether they will be providing their reporting to the CISO or directly to Cyber Security NSW, as per Section 2.1 of the NSW Cyber Security Policy. 

All NSW Government departments and public service agencies must report the following to Cyber Security NSW by 31 October each year, in a format provided by Cyber Security NSW:

• an assurance assessment against all Mandatory Requirements in the NSW Cyber Security Policy for the previous financial year

• cyber security risks with a residual rating of high or extreme, and

• an attestation on cyber security of the reporting entity including adherence to the requirements of the NSW Cyber Security Policy.

All NSW Government departments and public service agencies must compile and retain, in accessible form, evidence that demonstrates the basis of their Assurance Assessment against the Mandatory Requirements.  

Note: while the NSW Cyber Security Policy applies across the entire agency and sets out minimum requirements for agencies, not all requirements can be uniformly implemented across the defined scope. For the scope of the Mandatory Requirements, agencies should ensure any use of exceptions for a system are documented, approved by an appropriate authority through a formal process and retained in accessible form.

Exemptions to the NSW Cyber Security Policy and extensions to reporting will only be considered in exceptional circumstances. To seek an exemption or extension, contact your portfolio CISO in the first instance. If the exemption or extension request is deemed valid by your portfolio CISO, they will contact Cyber Security NSW on your behalf. 

Independent agencies may seek to raise an exemption or extension request directly with Cyber Security NSW but are expected to advise their portfolio CISO of the request.

The NSW Cyber Security Policy and its requirements must be adopted from the date this Circular is released. Reporting for the period 1 July 2023 to 30 June 2024 is due by 31 October.

Agencies are not expected to have fully met all Mandatory Requirements in the 2023-2024 financial year of NSW Cyber Security Policy reporting. This reporting year is intended to be a transition period and will serve as a baseline only.

Cyber Security NSW is available for support and guidance regarding implementation of the NSW Cyber Security Policy.