Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, to the Department of Home Affairs from the Attorney-General’s Department. These Machinery of Government (MOG) changes commenced on 4 August 2023.

Policy 11: Robust ICT systems

  • Information security
Publication date
Last updated


This policy describes how to safeguard information and communication technology (ICT) systems to support the secure and continuous delivery of government business.


An ICT system is a related set of hardware and software that processes, stores or communicates information, as well as the governance framework in which it operates.

To safeguard ICT systems from cyber threats, entities must effectively implement the Australian Government Information Security Manual (ISM) cyber security principles:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

Entities must only use ICT systems that the determining authority has authorised.

The ISM provides a 6-step, risk-based approach for cyber security. Entities must consider this before they authorise or re-authorise the use of systems.

Australian Government information that is processed, stored or communicated via an outsourced information technology or cloud service provider is protected in the same way as an internal entity service. The same authorisation to operate a framework to manage security risks during the life of the ICT system/service still applies.

A gateway is an information flow control mechanism that manages information flows between connected networks from different security domains. Entities must implement secure internet gateways that meet the Australian Signals Directorate requirements.

Return to the Information security page