The Protective Security Policy Framework

The Protective Security Policy Framework (PSPF) assists Australian Government entities to protect their people, information and assets, both at home and overseas.

It sets out government protective security policy and supports entities to effectively implement the policy across the following outcomes:

  • security governance
  • information security
  • personnel security
  • physical security

In 2018, the Attorney-General reissued the Directive on the Security of Government Business to reflect the updated PSPF. The directive establishes the PSPF as an Australian Government policy, and sets out the requirements for protective security to ensure the secure and continuous delivery of government business. It details the mandatory core and supporting requirements for protective security and provides guidance to support effective implementation.

As a Government policy, non-corporate Commonwealth entities must apply the PSPF as it relates to their risk environment. It represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies. The PSPF is also considered better practice for state and territory agencies.

The PSPF is applied through a security risk management approach with a focus on fostering a positive culture of security within an entity and across the government.

Content of the PSPF

The PSPF consists of:

Five principles that apply to every area of security. These are fundamental values that represent what is desirable for all entities – security principles guide decision making.

  • Security is everyone's responsibility. Developing and fostering a positive security culture is critical to security outcomes.
  • Security enables the business of government. It supports the efficient and effective delivery of services.
  • Security measures applied proportionately protect entities' people, information and assets in line with their assessed risks.
  • Accountable authorities own the security risks of their entity and the entity's impact on shared risks.
  • A cycle of action, evaluation and learning is evident in response to security incidents.

The PSPF structure comprises:

Four outcomes that outline the desired end-state results the Government aims to achieve. The protective security outcomes relate to security governance, information security, personnel security and physical security.

Sixteen core requirements that articulate what entities must do to achieve the government's desired protective security outcomes.

Most core requirements have a number of supporting requirements that are intended to facilitate a standardised approach to implementing security across government.

Guidance that provides advice on how PSPF core and supporting requirements can be effectively implemented.