Customer Service RGB

Department of Customer Service

Department of Customer Service Circular

DCS-2021-02 NSW Cyber Security Policy


Ongoing implementation of mandatory cyber security requirements for all NSW government departments and public service agencies to ensure an integrated approach to preventing and responding to cyber security threats.

Function and Subject

Governance (2)
Risk Management

Detailed Outline

On 1 February 2019, the Digital Information Security Policy was replaced by the NSW Cyber Security Policy (the Policy)

All NSW government departments and public service agencies (Government Sector Employment Act 2013 Schedule 1 Public Service agencies) MUST comply with the Policy. This includes statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, or direct to a Minister, or direct to the Premier.

All NSW government departments and Public Service agencies must report to Cyber Security NSW by 31 August each year.

On 30 April each year, Cluster Chief Information Security Officers are to provide Cyber Security NSW with an updated list of all agencies in their cluster and whether they will be providing their reporting to the CISO or directly to Cyber Security NSW, as per Section 1.6 of the Policy.

The Policy is recommended for adoption in State Owned Corporations, as well as local councils and universities as a foundation of strong practice, in accordance with associated regulations and guidelines.

Mandatory requirements include:

  • Identification of an agency’s most valuable or operationally vital systems or information (“crown jewels”) implementing regular cyber security education for all employees, contractors and outsourced ICT service providers

  • Implementation and provision of a maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents

  • Inclusion of requirements for industrial automation and control systems (IACS) / operational technology (OT) and the internet of things (IoT)

  • Reporting cyber security incidents to the Chief Cyber Security Officer

The Policy includes a requirement for agencies to provide a cyber security attestation in their annual reports.

Exemptions to this policy will only be considered in exceptional circumstances. To seek an exemption, contact your cluster CISO in the first instance. If the exemption request is deemed valid by your cluster CISO they will contact Cyber Security NSW on your behalf.

The date of adoption for this Policy and its requirements is 1 February 2019, with reporting due on 31 August every year.

Cyber Security NSW is available for support and guidance regarding implementation of this Policy.


Who needs to know and/or comply with this?

Executive agencies related to Departments
Separate agencies
Statutory Authorities/Bodies

AR Details

Date Issued
Apr 1, 2021
Review Date
Apr 1, 2022
Replaced By


0436 816 171
Publishing Entity
Department of Customer Service
Issuing Entity
Department of Customer Service