
NSW CSP compliance tips for government departments

Andrew Robinson | February 4, 2020

We’ve added the NSW Cyber Security Policy (CSP) to the 6clicks Marketplace.

6clicks is coming to the rescue in NSW!

Thanks to the release of the NSW Cyber Security Policy (NSW CSP) Assessment in the 6clicks Marketplace, NSW government departments and agencies have a much easier way to complete the assessments necessary as a part of their reporting obligations, which are due by 31 August each year.

[Image: NSW Cyber Security Policy]

Cyber security has fast become an issue for governments (and companies) at every level. With cyber now seen as the #1 risk according to global insurance giant Allianz, it is more important than ever to make the switch to a better compliance solution, reduce the hassle and demonstrate improvement.

Break it down now…

State governments in particular play a vital role in ensuring the security of health, transport, education, justice and many other critical public services in each state. Increasing digitisation of these services needs to be underpinned by strong cyber security, and hence, in NSW, strong cyber security is an important part of the NSW Digital Government Strategy.

The reporting obligations span four categories, which are:

1. Assessment against NSW CSP requirements

2. Assessments against the ‘ASD Essential 8’

3. A list of your agency’s ‘crown jewels’ (read: significant information assets)

4. A summary of cyber security risks with a residual rating of high or extreme

The assessment against the NSW CSP requirements is further broken down into four categories:

1. Planning and Governance

2. Cyber Security Culture

3. Safeguarding Information and Systems

4. Cyber Incident Management

Keen to get started already? Click here for your free trial! …or keep reading 🤓

The requirements found in these four categories of the NSW CSP assessment relate to security management activities that are also found (albeit worded differently) in the industry standard for information security management systems (ISMS), ISO/IEC 27001.

In case you didn’t already know, clause 3.1 specifically calls out the requirement for NSW government departments and agencies to have an ISMS based on ISO/IEC 27001. Certification isn’t always required, though; sometimes an annual, independent review or audit will suffice.

For us, there’s a lot of overlap between the NSW CSP requirements and those found inside ISO/IEC 27001. Perhaps there is some value in calling out 20 or so requirements for reporting purposes.

The augmentation of reporting with an assessment against the ‘ASD Essential 8’ is quite useful though, as it cuts straight to technical maturity, which can sometimes be vague in ISO/IEC 27001!

Here’s the bit about how we help you…

With 6clicks, you can quickly and easily perform assessments of compliance against the NSW CSP requirements.

Assessments can be conducted by your own organisation or by working collaboratively with any number of service providers (consultancies) that now choose 6clicks when performing assessments for you.

Use of a service provider can help bring independence, expert opinion and credibility to your assessments (and is indeed required by clause 3.1 of the NSW CSP requirements).

Our platform can also help you:

1. Implement an ISMS (which is also required by clause 3.1 of the NSW CSP requirements).

2. Record your information assets and classifications (your “Crown Jewels”), risks and treatment plans (including those with residual rating of high or extreme).

3. Report progress of control implementation and security incidents and issues including assessment results.

4. Continually improve over time, using the combined assessment and management system functionality.

5. Easily translate between the NSW CSP and other frameworks.

Get started with a free trial at the link below. We’re here to help!

Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.