Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General’s Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 24 May 2024. Before 24 May 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Policy 15: Physical security for entity resources

  • Physical security
Publication date
Last updated


This policy describes the physical protections required to safeguard people, information and assets (including ICT equipment) to minimise or remove security risk.


Entities must implement physical security measures that minimise or remove the risk of harm to people, information, and physical assets.

In doing so, entities must consider the expected business impact if those resources were compromised, lost or damaged.

When determining the appropriate business impact level for a physical asset, it can be useful for entities to consider its value, classification, importance or attractiveness.

After entities have considered the security risks to their resources, they must choose appropriate containers, cabinets, secure rooms and strong rooms to protect them. In certain instances, it is mandatory to use security equipment that the Security Construction and Equipment Committee has approved.

Entities must implement physical security measures to prevent sensitive and classified discussions from being overheard (either deliberately or accidentally). Entities can minimise the risk of being overheard by implementing audio security measures and controlling the environment in which the discussion takes place.

Entities must identify the appropriate physical security measures to protect ICT assets and the information held or communicated on ICT equipment. The required level of protection is based on either the highest business impact level identified if the ICT assets were compromised, or the aggregate of information held or communicated on the ICT equipment.

At the end of the useable life of physical assets, entities must ensure they are disposed of securely, in line with the PSPF.

When working away from the office, entities must consider the security risks of the environments in which their personnel operate.

Return to the Physical security page