The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at pspf@homeaffairs.gov.au or the PSPF hotline on 02 5127 9999.

Policy 3: Security planning and risk management

Purpose

This policy describes how to establish effective security planning, embed security into risk management practices, and use security planning and risk management to inform decision-making.

Overview

To successfully manage security risks and protect people, information and assets, an entity must understand:

  • what needs protecting
  • what the threat is
  • how people, information and assets will be protected.

Security risks

A security risk is something that could cause harm to people or that exposes information or assets to compromise, loss, unavailability or damage.

Shared security risks are risks that extend across:

  • entities
  • premises
  • the community
  • industry
  • international partners
  • other jurisdictions.

Stakeholders must cooperate to effectively understand and manage shared risks.

Entities must identify a risk steward (or manager) who is responsible for each security risk or category of security risk. This includes shared risks.

Under their Chief Security Officer's direction, entities must apply a risk-based approach to implementing the PSPF that considers their size, operations and risk environment.

A risk-based approach means that if an entity cannot implement a particular PSPF requirement, it can use an alternative mitigation strategy that achieves the same level of protection or better.

Security planning

Security planning considers how security risk management practices are designed, implemented, monitored, reviewed and continually improved.

Entities must develop a security plan that sets out how they will manage their security risks and how security aligns with their priorities and objectives.

The plan must include scalable control measures to respond to increases or decreases in risk when a threat to the entity changes.