
Are you CSP (cyber security) ready?

June 8, 2022

All NSW State Government agencies are required to develop and maintain an ISO 27001 compliant Information Security Management System (ISMS), under the requirements of the State’s Cyber Security Policy (CSP).

Agencies must also definitively and positively attest to the CSP as part of their Annual Reporting process.

What is required?

By 31 October each year, agencies must submit a report to their cluster CISO or to Cyber Security NSW. This same attestation must be provided in the agency's annual report. The report includes an assessment against the mandatory requirements of the CSP and a maturity assessment against the Australian Cyber Security Centre’s (ACSC) Essential 8.

Non-compliance or partial compliance with this requirement may be difficult to explain to senior management and oversight bodies, such as the agency’s Audit & Risk Committee.

Some tips for CSP readiness…

Start early. In our experience, agencies do not start the attestation process early enough to ensure an improvement on last year. As such, there is often insufficient time to complete relatively simple remedial actions that might mitigate serious cyber risks.

Review your ISMS. An agency’s Information Security Management System should be risk-based and fit for purpose. It should be reviewed annually to ensure that it remains current and reflects any changes that may have occurred within and external to the agency (e.g. Machinery of Government, ICT systems, contracts/outsourcing, third party supplier arrangements, risk appetite/profile, policy changes, etc.).

Conduct a Mock Audit. A number of agencies have introduced a “mock audit” phase into their CSP attestation process. Using this approach, the agency has time to rectify easy-to-fix remedial issues before the attestation is due, thereby lifting their overall security posture (and CSP score).

Test your Cyber Security Incident Response Plan. A Response Plan and well-facilitated simulation exercise can tick quite a few boxes and should not be left to the last minute. Agencies are required to attest that they have an up-to-date Plan. Importantly, in demonstrating cyber maturity they are also required to attest that the Plan has actually been tested within the past year.

Deliver Awareness and Training sessions. A significant proportion of cyber incidents are caused by human factors, many of which could be avoided by ongoing cyber training and awareness sessions. Such training should be mandatory, engaging, relevant…and most importantly, regular.

How Centium can help

We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW over the past three years. During that time, Centium has assisted numerous agencies to migrate from the DISP to the CSP and to update their ISMSs to meet the new obligations. We have also mapped across the Essential 8 and have many shortcuts and helpful “lessons learnt” to share with our clients.

We can help you be CSP Ready by:

  • Reviewing/updating your ISMS so that it is risk-based, fit for purpose and aligned with the CSP
  • Undertaking an ISMS independent internal audit per CSP requirements
  • Conducting mock audits to identify any gaps that may prevent you from demonstrating CSP and Essential 8 improvement
  • Undertaking remedial actions to comply with the CSP’s mandatory requirements
  • Testing your Cyber Security Incident Response Plan
  • Testing your Business Continuity and ICT Recovery Plans
  • Reviewing your third party supplier arrangements
  • Facilitating face-to-face and e-Learning cybersecurity sessions for staff and contractors.

And, when the time comes, we can provide an independent assessment of your CSP performance, which entails:

  • Preparing your attestation against the CSP mandatory requirements
  • Undertaking an Essential 8 maturity assessment
  • Ensuring that you meet the 31 October reporting deadline each year.

Contact us

For more information, please contact Scott Thomson, Director, Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.

Explore Centium's robust and proven Cyber, IT & Business Continuity for small and medium Government organisations.
