Australian Government - Attorney-General's Department

Security Policy

Achieving a Just and Secure Society

Skip breadcrumbHome » Governance » Governance requirements

Governance requirements

Non-corporate Commonwealth entities (agencies) must implement protective security governance arrangements and are required to:

  • use risk management principles and policies appropriate to entity functions and the security threats faced in developing, implementing and maintaining:
    • protective security measures
    • business continuity management plans
    • fraud control plans
  • prepare, monitor and review their security plans to ensure they are complying with the mandatory requirements
  • report annually to their portfolio Minister on the level of agency compliance with the PSPF
  • develop a culture of security through strong programs of security awareness and education to ensure employees fully understand their security responsibilities
  • remain accountable for the efficient and secure performance of outsourced functions
  • investigate security incidents promptly and with sensitivity.

There are 13 overarching mandatory requirements covering governance which are set out below. These requirements are underpinned by high level controls which are detailed on the linked pages.



Agencies must provide all staff, including contractors, with sufficient information and security awareness training to ensure they are aware and meet the requirements of the Protective Security Policy Framework.


To fulfil their security obligations, agencies must appoint:

  • a member of the Senior Executive Service as the security executive, responsible for the agency protective security policy and oversight of protective security practices
  • an agency security adviser (ASA) responsible for the day-to-day performance of protective security functions
  • an information technology security adviser (ITSA) to advise senior management on the security of the agency’s Information Communications Technology (ICT) systems.


Agencies must ensure that the agency security adviser (ASA) and information technology security adviser (ITSA) have detailed knowledge of agency-specific protective security policy, protocols and mandatory protective security requirements in order to fulfil their protective security responsibilities.


Agencies must prepare a security plan to manage their security risks. The security plan must be updated or revised every two years or sooner where changes in risks and the agency’s operating environment dictate.


Agencies must develop their own set of protective security policies and procedures to meet their specific business needs.


Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standards AS/NZS ISO 31000:2009 Risk management—Principles and guidelines and HB 167: 2006 Security risk management.


For internal audit and reporting, agencies must:

  • undertake an annual security assessment against the mandatory requirements detailed within the Protective Security Policy Framework
  • report their compliance with the mandatory requirements to the relevant portfolio Minister.

The report must:

  • contain a declaration of compliance by the agency head
  • state any areas of non‑compliance, including details on measures taken to lessen identified risks.

In addition to their portfolio Minister, agencies must send a copy of their annual report on compliance with the mandatory requirements to:

  • the Secretary, Attorney-General’s Department
  • the Auditor General.

Agencies must also advise any non-compliance with mandatory requirements to:

  • the Director, Australian Signals Directorate for matters relating to the Australian Government Information Security Manual (ISM).
  • the Director-General, Australian Security Intelligence Organisation for matters relating to national security
  • the heads of any agencies whose people, information or assets may be affected by the non-compliance.


Agencies must ensure investigators are appropriately trained and have procedures in place for reporting and investigating security incidents and taking corrective action, in accordance with the provisions of the:

  • Australian Government protective security governance guidelines—Reporting incidents and conducting security investigations, or
  • Australian Government Investigations Standards.


Agencies must give all employees, including contractors, guidance on Sections 70 and 79 of the Crimes Act 1914, section 91.1 of the Criminal Code Act 1995, the Freedom of Information Act 1982 and the Information Privacy Principles contained in the Privacy Act 1988, including how this legislation relates to their role.


Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which Australia is a party.


Agencies must establish a business continuity management (BCM) program to provide for the continued availability of critical services and assets, and other services and assets when warranted by a threat and risk assessment.


Agencies must ensure the contracted service provider complies with the requirements of this policy and any protective security protocols.


Agencies must comply with section 10 of the Public Governance, Performance and Accountability Rule 2014 and the Commonwealth Fraud Control Policy.

Featured Links

Other Links