
Policy 4: Security maturity monitoring

This policy describes how an entity monitors and assesses the maturity of their security risk culture and their ability to actively respond to emerging threats and changes in their security environment, while protecting their people, information and assets.


Monitoring security maturity is a continuous cycle. It involves using a set of indicators to assess an entity's risk culture and security capability. Information collected through security maturity monitoring informs updates to the entity security plan and the entity's annual PSPF assessment report.

Security capability maturity

Entities must assess the maturity of their security capability, including considering their implementation of PSPF requirements and highlighting areas for improvement.

Security risk culture

Having a mature risk culture is a fundamental enabler of good government business. It involves the entity's system of values and its personnel's behaviours, attitudes and understanding of security risk, which together shape the risk decisions of the entity's leadership and personnel.
