NSW Cyber Security Policy (NSW CSP) Compliance Tips for Government Departments & Agencies
We’ve added the NSW Cyber Security Policy (CSP) to the 6clicks Marketplace.
6clicks is coming to the rescue in NSW!
Thanks to the release of the NSW Cyber Security Policy (NSW CSP) Assessment in the 6clicks Marketplace, NSW government departments and agencies have a much easier way to complete the assessments necessary as a part of their reporting obligations, which are due by 31 August each year.
Cyber security has fast become an issue for governments (and companies) at every level. And with cyber now seen as the #1 risk according to global insurance giant Allianz – it is now more important than ever to make the switch to a better compliance solution, reduce the hassle and demonstrate improvement.
Break it down now…
State governments in particular play a vital role in ensuring the security of health, transport, education, justice and many other critical public services in each state. Increasing digitisation of these services needs to be underpinned by strong cyber security, and hence strong cyber security is an important part of the NSW Digital Government Strategy.
The reporting obligations span four categories, which are:
1. Assessment against NSW CSP requirements
2. Assessments against the ‘ASD Essential 8’
3. A list of your agency’s ‘crown jewels’ (read: significant information assets)
4. A summary of cyber security risks with a residual rating of high or extreme
The assessment against NSW CSP requirements is further broken down into four categories:
1. Planning and Governance
2. Cyber Security Culture
3. Safeguarding Information and Systems
4. Cyber Incident Management
The requirements found in these four categories of the NSW CSP assessment relate to security management activities that are also found (albeit worded differently) in the industry standard for information security management systems (ISMS), ISO/IEC 27001.
In case you didn’t already know, clause 3.1 specifically calls out the requirement for NSW government departments and agencies to have an ISMS based on ISO/IEC 27001. Certification isn’t always required, though; sometimes an annual, independent review or audit will suffice.
For us, there’s a lot of overlap between the NSW CSP requirements and those found inside ISO/IEC 27001. Perhaps there is some value in calling out 20 or so requirements for reporting purposes.
The augmentation of reporting with an assessment against the ‘ASD Essential 8’ is quite useful though, as it cuts straight to technical maturity, which can sometimes be vague in ISO/IEC 27001!
Here’s the bit about how we help you…
With 6clicks, you can quickly and easily perform assessments of compliance against the NSW CSP requirements.
Assessment can be conducted by your own organisation or by working collaboratively with any number of Service Providers (consultancies) that now choose 6clicks when performing assessments for you.
Use of a service provider can help bring independence, expert opinion and credibility to your assessments (and is indeed required by clause 3.1 of the NSW CSP requirements).
Our platform can also help you:
1. Implement an ISMS (which is also required by clause 3.1 of the NSW CSP requirements).
2. Record your information assets and classifications (your “Crown Jewels”), risks and treatment plans (including those with residual rating of high or extreme).
3. Report progress of control implementation and security incidents and issues including assessment results.
4. Continually improve over time, through the combined assessment and management system functionality.
5. Easily translate between the NSW CSP and other frameworks.
Get started with a free trial at the link below. We’re here to help!