If you’re a state government agency, contractor or supplier: this is what you need to do.
The NSW State Government has released its updated Cyber Security Policy, and the message is plain: the NSW Government expects its agencies to run a formal information security management system rather than treat cyber security as an informal, ad hoc activity.
In practice, an agency that has not implemented a system along the lines of ISO 27001 will struggle to meet the policy's mandatory requirements, and that expectation reaches the contractors and suppliers who operate agency systems and handle agency information on its behalf. Certification is not the only route the policy accepts, however: an independent annual audit of the management system, or of the agency's reporting against the mandatory requirements, is also recognised.
The policy replaces the outgoing NSW Digital Information Security Policy (2015), and among a raft of changes is the requirement that agencies back their information security processes with a management system (an ISMS, or a Cyber Security Management System) aligned to a recognised standard.
“The word ‘systems’,” according to the NSW Government, “in this policy refers to: software, hardware, communications, networks and includes specialised systems such as industrial and automation control systems, telephone switching and PABX systems, building management systems and internet connected devices.”
The updated policy is designed to ensure five outcomes for the information its agencies and their contractors hold: confidentiality of personal and proprietary information; integrity of the information collected; availability of that information to the services that rely on it; compliance with relevant legislation and regulations; and assurance to “NSW Parliament and the people of NSW that information held by the government is appropriately protected and handled.”
According to the State Government, “cyber security risks have continued to evolve in recent years and rapid technological change has resulted in increased cyber connectivity and more dependency on cyber infrastructure.”
In acknowledgement of this, the updated policy sets out a summary of each agency's reporting obligations. By 31 August each year, an agency must “submit a report to your Agency head and the GCISO, in a template provided by GCISO, covering the following:
Assessment against all mandatory requirements in this policy for the previous financial year, including a maturity assessment against the Australian Cyber Security Centre (ACSC) Essential 8.
Cyber security risks with a residual rating of high or extreme.
A list of the Agency’s ‘crown jewels’.”
Two practical points follow from that list. The Essential 8 maturity assessment is required in addition to whatever ISO 27001 controls the agency has selected, so an ISMS built purely around the ISO control set will not on its own produce the figures the report needs. And the agency must have actually identified its crown jewels before the first report is due, since the policy's ISMS scope and certification requirements are defined in terms of them.
The policy also mandates that agencies manage cyber security risks to safeguard and secure their information and systems. Section 3.1 of the document states: “Agencies must implement an Information Security Management System (ISMS) or Cyber Security Management System (CSMS) that is compliant with recognised standards such as ISO/IEC27001… and implement the relevant controls based on their requirements and risk appetite.”
“Agencies must establish effective cyber security policies and procedures and embed cyber security into risk management practices and assurance processes,” the policy explains. “When cyber security risk management is done well, it underpins organisational resilience because entities know their risks, make informed decisions in managing those risks, identify opportunities and continuously improve. This is reinforced with meaningful training, communications and support across all levels of the Agency.”
At a cluster or agency level, the policy requires one of three forms of assurance: (1) ISO 27001 certification of the ISMS, with a scope that at least covers the systems identified as the Agency’s ‘crown jewels’, and including annual surveillance audits; (2) an annual, independent review or audit of the management system and/or the effectiveness of the controls covered by the management system; or (3) an annual, independent review or audit of reporting against the mandatory requirements in this policy. The scope wording matters: a certificate whose scope excludes the crown jewels does not satisfy option (1), and under all three options the review or audit is annual and independent, not a one-off internal exercise.