NSW Cyber Security Policy

Strong cyber security is an important component of the NSW Digital Government Strategy.

The NSW Department of Finance, Services and Innovation (DFSI) has implemented a Cyber Security Policy to replace the NSW Digital Information Security Policy 2015. Key improvements include strengthening cyber security governance; identifying an agency’s most valuable or operationally vital systems or information (also called the “crown jewels”); strengthening cyber security controls; developing a cyber security culture across all staff; working across government to share security and threat intelligence; and a whole-of-government approach to cyber incident response.

What are the requirements?

The mandatory requirements are:

Planning and Governance

  • Ensure that a governance committee is in place to be accountable for cyber security policies, risk and compliance.

Cyber Security Culture / Awareness

  • Increase cyber security awareness and training for all staff. Privileged systems must also be tightly controlled to ensure they are accessed only on a needs basis.

Manage Cyber Security Risks

  • Implement an Information Security Management System (ISMS), and implement and report on maturity against the ACSC Essential 8.

Resilience against cyber attack

  • Maintain a Cyber Incident Response plan that integrates with the agency incident management process.

Report against the requirements

  • An Annual Report must be submitted by August 31 to the GCISO and the agency head.

For more information, visit the NSW Cyber Security Policy.

How can SOS help?

Sense of Security’s Governance, Risk and Compliance Practice employs experienced ISO 27001 Lead Auditors and Implementers who can assist any organisation to develop and implement an effective security strategy that aligns with the latest NSW Cyber Security Policy.

SOS’s roadmap strategy for achieving compliance with the NSW Cyber Security Policy is as follows:

  • Security forum and governance structure
  • Cyber Security Risk Assessment and remediation plan
  • ISMS Framework
  • Roles and Responsibilities
  • Cyber Security Awareness Program
  • Review Access Control to sensitive information
  • Support in communicating security threats to other agencies to manage cyber risk

  • Maturity assessment based on ACSC Essential 8
  • Document policies, standards and processes
  • Risk Treatment: this may include a vulnerability management program, secure SDLC and fraud detection
  • System Classification and identification of ‘Crown Jewels’

Detect, Respond & Recover

  • Develop Cyber Security Incident Plan
  • Annual Cyber Security Incident Plan testing
  • Deploy monitoring process for identification of incidents
  • Assist in preparing the Annual Report due by August 31 to the GCISO and agency head

To discuss how we can assist your organisation with cloud security, please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.

  • Contact Us