NSW Cyber Security Policy (NSW CSP) Question Set

This download includes the NSW CSP Maturity Reporting requirements and questions to perform an assessment. This policy applies to all NSW government departments and Public Service agencies, including statutory authorities and all NSW government entities that submit an annual report to a Secretary of a lead department or cluster, direct to a Minister, or direct to the Premier.

In this policy, references to “lead cluster departments” or “clusters” mean the departments listed. The NSW CSP Maturity Reporting is an annual assessment of cyber security required to be undertaken by NSW government entities.

The requirements are closely aligned with ISO/IEC 27001 and require NSW government entities to have an effective Information Security Management System (ISMS). For the ASD Essential 8 reporting requirements, please refer to our separate ASD Essential 8 assessment.

The NSW CSP Maturity Reporting includes 20 requirements across 4 domains, which are:

• Planning and Governance
• Cyber Security Culture
• Safeguarding Information and Systems
• Cyber Incident Management