All NSW State Government agencies are required to develop and maintain an ISO 27001 compliant Information Security Management System (ISMS), under the requirements of the State’s Cyber Security Policy (CSP).
Agencies must also definitively and positively attest to the CSP as part of their Annual Reporting process.
By 31 October each year, agencies must submit a report to their cluster CISO, or Cyber Security NSW. This same attestation must be provided in the Agency's annual report. The report includes an assessment against the mandatory requirements of the CSP and a maturity assessment against the Australian Cyber Security Centre’s (ACSC) Essential 8.
Non or partial compliance with this requirement may be difficult to explain to senior management and oversight bodies, such as the agency’s Audit & Risk Committee.
Start early. In our experience agencies do not start the attestation process early enough to ensure an improvement on last year. As such, there is often insufficient time to complete relatively simple remedial actions that might mitigate serious cyber risks.
Review your ISMS. An agency’s Information Security Management System should be risk-based and fit for purpose. It should be reviewed annually to ensure that it remains current and reflects any changes that may have occurred within and external to the agency (e.g. Machinery of Government, ICT systems, contracts/outsourcing, third party supplier arrangements, risk appetite/profile, policy changes, etc.)
Conduct a Mock Audit. A number of agencies have introduced a “mock audit” phase into their CSP attestation process. Using this approach, the agency has time to rectify easy-to-fix remedial issues before the attestation is due, thereby lifting their overall security posture (and CSP score).
Test your Cyber Security Incident Response Plan. A Response Plan and well-facilitated simulation exercise can tick quite a few boxes and should not be left to the last minute. Agencies are required to attest that they have an up-to-date Plan. Importantly, in demonstrating cyber maturity they are also required to attest that the Plan has actually been tested within the past year.
Deliver Awareness and Training sessions. A significant proportion of cyber incidents are caused by human factors, many of which could be avoided by ongoing cyber training and awareness sessions. Such training should be mandatory, engaging, relevant…and most importantly, regular.
We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW over the past three years. During that time, Centium has assisted numerous agencies to migrate from the DISP to the CSP and to update their ISMSs to meet the new obligations. We have also mapped across the Essential 8 and have many shortcuts and helpful “lessons learnt” to share with our clients.
We can help you be CSP Ready by:
And, when the time comes, we can provide an independent assessment of your CSP performance, which entails:
For more information, please contact Scott Thomson, Director, Cyber & IT on 0412 562 797 or email@example.com.
Explore Centium's robust and proven Cyber, IT & Business Continuity for small and medium Government organisations.