Description
This Circular mandates expectations for agencies to prioritise uplift to achieve compliance against key Mandatory Requirements set out in the NSW Cyber Security Policy, details additional requirements for agencies to provide information to Cyber Security NSW regarding key risks and Crown Jewels, as well as outlining additional roles and responsibilities for key personnel under the NSW Cyber Security Policy.
Detailed Outline
Overview
This Circular mandates that all departments and agencies must:
From 4 August 2025, report all cyber security incidents via the Cyber Security NSW Cyber Portal within 24 hours of detection and classification. This extends the existing obligations under Mandatory Requirement 2.3 of the NSW Cyber Security Policy.
Establish processes to maintain an inventory for all Crown Jewel assets, as required by Mandatory Requirements 1.6 and 1.7 of the NSW Cyber Security Policy, by 30 June 2026. Processes should support the periodical reconciliation of the accuracy and completeness of the inventory.
Develop and document a lifecycle management plan for all ICT (including cloud), software, OT, IoT, and network assets, as required by Mandatory Requirement 1.6 of the NSW Cyber Security Policy.
The plan must outline how the agency will focus its asset management to avoid future additional technology debt, including outlining requirements to ensure no third-party or new assets are onboarded without an approved lifecycle management plan.
Agencies must ensure that, at a minimum, all Crown Jewel assets are covered by the scope of an approved lifecycle management plan by 30 June 2026.
Implement third-party risk management practices, as required by Mandatory Requirement 1.10 of the NSW Cyber Security Policy, including the establishment and maintenance of an inventory of third-party service providers (including ICT service providers). The inventory must:
i. identify the level of risk assessed relating to the vendor’s access to NSW Government systems and information; and
ii. identify or link to information regarding the assurance undertaken to ensure the vendor’s adherence to the cyber security requirements of the contract commensurate with the risks of the vendors’ engagement.
Agencies must ensure that, at a minimum, all third-party service providers that manage Crown Jewel assets, and/or that provide services that materially interact with Crown Jewel assets, are documented in the inventory by 30 June 2026.
By 31 October 2025, provide Cyber Security NSW with their existing inventory of Crown Jewel assets, in accordance with Mandatory Requirement 1.7 of the NSW Cyber Security Policy, in the format provided by Cyber Security NSW.
By 31 October 2025, conduct a risk assessment against a defined list of cyber security risks, in accordance with the agency’s enterprise risk management framework, and submit to Cyber Security NSW in a format provided.
Note: This requirement is in addition to, not a replacement of, the risk reporting obligations outlined under section 2.3 of the NSW Cyber Security Policy.
Provide Cyber Security NSW with access to any evidence or information supporting the NSW Cyber Security Policy assurance assessment, or information in compliance with this Circular, upon request.
Note: This requirement is in addition to the reporting obligations outlined under section 2.1 of the NSW Cyber Security Policy.
The roles and responsibilities for the Secretary of a department, as outlined in section 6.1 of the NSW Cyber Security Policy, are expanded to include:
Ensuring that the Portfolio Chief Information Security Officers (CISOs) or Chief Cyber Security Officers (CCSOs), or senior executive band officer accountable for cyber security at the portfolio level, supports agencies within the Portfolio in meeting compliance reporting obligations under the NSW Cyber Security Policy.
The roles and responsibilities for CISOs or CCSOs, as outlined in section 6.4 of the NSW Cyber Security Policy, are expanded to include:
Engaging with Portfolio CISOs or CCSOs within their portfolio, where applicable, to collaborate on matters related to the responsibilities of Portfolio CISOs and CCSOs as detailed under section 6.4 of the NSW Cyber Security Policy.
Ensuring that evidence or information supporting the NSW Cyber Security Policy assurance assessment is maintained in accordance with Reporting obligations under the NSW Cyber Security Policy.
Ensuring that an agency consuming shared services managed by a NSW Government department or agency has appropriate Memorandums of Understanding (MOUs) or contracts in place to govern their use, and that these agreements stipulate adherence to cyber security standards and compliance with the NSW Cyber Security Policy.
Reporting all cyber security incidents to Cyber Security NSW via the Cyber Security NSW Cyber Portal within 24 hours of detection and classification.
The roles and responsibilities for Portfolio CISOs and CCSOs, as outlined in section 6.4 of the NSW Cyber Security Policy, are expanded to include:
Supporting agencies in their portfolio to implement and maintain an effective cyber security strategy and program (e.g. via effective collaboration and/or governance forums, advice on budgeting, resourcing, providing information to support agencies in meeting compliance reporting obligations under the NSW Cyber Security Policy and so forth).
Ensuring that agencies consuming shared services provided by the Portfolio CISO or CCSO have appropriate Memorandums of Understanding (MOUs) or contracts in place to govern their use, and that these agreements stipulate adherence to cyber security standards and compliance with the NSW Cyber Security Policy.
This Circular complements the NSW Cyber Security Policy. Where the NSW Cyber Security Policy differs from this Circular, this Circular takes precedence.
Cyber Security NSW will provide guidance and documentation to assist agencies in meeting the requirements under this Circular. This information will be made available on the Community of Practice SharePoint.
Overview
Who needs to know and/or comply with this?
- Advisory Entities (including Boards and Committees)
- Departments
- Executive agencies related to Departments
- Separate agencies
- Statutory Authorities/Bodies
Compliance
- Mandatory
AR Details
- Date Issued
- Jul 31, 2025
- Review Date
- Jul 31, 2026
- Replaces
-
- Replaced By
-
Contacts
- Contact
- https://www.digital.nsw.gov.au/policy/cyber-security
- Phone
- 13 77 78
- Publishing Entity
- Department of Customer Service
- Issuing Entity
- Department of Customer Service