Department of Finance, Services and Innovation Circular

DFSI-2019-02 NSW Cyber Security Policy



Introduction of mandatory cyber security requirements for NSW Public Service Agencies to ensure an integrated approach to preventing and responding to cyber security threats.

Detailed Outline

From 1 February 2019, the Digital Information Security Policy will be replaced by the NSW Cyber Security Policy.

All NSW Public Service Agencies must comply with the Policy and it is recommended for adoption in State Owned Corporations, as well as local councils and universities.

New mandatory requirements include:

  • identification of an Agency’s most valuable or operationally vital systems or information (“crown jewels”)
  • implementing regular cyber security education for all employees, contractors and outsourced ICT service providers
  • implementation and provision of a maturity assessment against the Australian Cyber Security Centre (ACSC) ‘Essential 8’ strategies to mitigate cyber security incidents
  • inclusion of requirements for industrial automation and control systems (IACS) / operational technology (OT) and the internet of things (IoT)
  • reporting cyber security incidents to the Government Chief Information Security Officer

The Policy includes a requirement for Agencies to provide a cyber security attestation in their annual reports.

Exemptions to any part of this Policy may be sought by Agency heads and sent to the Government Chief Information Security Officer for consideration, prior to Government Chief Information and Digital Officer approval.

The date of adoption for this Policy and its requirements is 1 February 2019, with reporting for the 2018/19 financial year due on 31 August 2019.

The NSW Government Chief Information Security Officer is available for support and guidance regarding implementation of this Policy.

Contact: [email protected]

Link: https://www.digital.nsw.gov.au/cybersecuritypolicy


Who needs to know and/or comply with this?

Executive agencies related to Departments
Separate agencies
Statutory Authorities/Bodies



AR Details

Date Issued
Feb 1, 2019
Review Date
Feb 1, 2020
Replaced By


Publishing Entity
Department of Premier and Cabinet
Issuing Entity
Department of Finance, Services and Innovation