Skip to content

Impending VPDSS 2.0 reporting deadline!

Andrew Robinson Jan 22, 2020
Impending VPDSS 2.0 Reporting Deadline!

Work with VicGov on VPDSS assessment & implementation.


Well…it’s almost been 2 years. OVIC are asking ‘what have you done for me lately?’. 

2019 ended with a significant update to the Victorian Protective Data Security Standards (VPDSS), now known colloquially as VPDSS 2.0.

It brings into sharper focus the need for Victorian departments and agencies to assess the impact of these changes across their organisations and to have adequate information and assurance.

Here’s the fun part! They’ll need to provide a copy of their reporting to the Office of the Victorian Information Commissioner (OVIC) by 31 August 2020…Tick tock!



Heads up: The Subtle Changes. 

Taking a look, we can see how it’s been simplified. OVIC has reduced the number of Standards from 18 to 12, as well as cutting the number of associated Elements from 117 to 95.  

OVIC have also used crisper language, free from the shackles previously imposed by legacy ‘must’ and ‘should’ statements. Compliance is dead. Long live… risk management!  

Side note: compliance is not dead…ahem. 

Certainly, compliance is still necessary and apparent but is gratefully no longer used as a driving force for the adoption of arbitrary security controls. You determine what is applicable and not.


Good Controversy: The Dramatic Changes 

OVIC has raised the bar, as any good regulator should, by lifting the VPDSS Elements up from a supporting document and into the standards themselves. 

We think this is somewhat controversial, as it appears to make the VPDSS more prescriptive, owing to it taking away some of the flexibility for Victorian departments/agencies to adopt an alternative (i.e. a more mature and stable control framework) to achieve the same – or indeed better – outcomes.

But wait, there’s more. The increased emphasis on the VPDSS Elements continues, with updated PDSP Protective Data Security Plan reporting. Instead of a high-level summary for each of the 18 standards used previously, you will need to assess (and provide) the status of all 95 Elements… by 31 August 2020…surprise!

Oh, don’t forget to prepare a Security Risk Profile Assessment (SRPA) that supports the PDSP you submit to OVIC. You can find threquirements for an SRPA and PDSP in the Victorian Privacy and Data Protection Act (2014). That’s the compliance bit that remains steadfast.


Don’t worry, it’s good news!

We’re happy that the reporting against VPDSS Elements is very much the equivalent of a Statement of Applicability (SOA) used by industry for ISO/IEC 27001 and by the Australian Government in its information security assessments. That’s a good thing in our book! It makes the uplift workable.


Here’s how to make your VPDSS task easier…much easier. 

Get yourself a combined assessment and management system (as a service) functionality that will help you help Victorian departments/agencies and drive repeat custom.

With 6clicks for Service Providers, you can quickly and easily perform assessments of Victorian departments and agencies against the VPDSS 2.0.

Use our built-in question set available from the 6clicks Marketplace or, create your own.

When you help client’s complete assessments of their third parties, you can refer customers using your unique 6clicks Referral URL – giving you easy access to customer accounts to work with them, similar accountants and their customers on Xero.

Our platform can also help you:

– Implement the requirements of VPDSS 2.0 for Victorian departments/agencies.

– Record your information assets and classifications,

Develop risks and treatment plans,

Report progress of control implementation and security incidents and issues

– Map VPDSS requirements against other frameworks such as ISO/IEC 27001 and the NIST Cyber Security Framework


For more information, Book a Demo with us today! 


Leave a Comment

Register for webinars, watch replays and download our ebooks

eBooks & Guides


Our blog and 6clicks TV

Latest articles and interviews with our partners and thought leaders


Our blog

6clicks TV

Top analysts and customers have spoken.

They genuinely love 6clicks.

"The best cyber GRC platform for businesses and advisors."


"We chose 6clicks not only for our clients, but also our internal use”

Partner | Big 4

"With 6clicks we can simply close deals much faster"

CEO | Startup

6clicks Reviews

"The 6clicks solution simplifies and strengthens risk, compliance, and control processes across entities and can grow and adapt as the organization changes and evolves."

Michael Rasmussen | GRC 20/20 Research LLC


Why businesses and advisors choose 6clicks

It's faster, easier and more cost effective than any alternative.

6clicks Enterprise Risk Management

Powered by artificial

Experience the magic of Hailey, our artificial intelligence engine for risk and compliance.

What's the best GRC software?

Unique Hub & Spoke architecture

Deploy multiple teams all connected to a hub - perfect for federated, multi-team structures.

Best software for ISO 27001 compliance

Fully integrated
content library

Access 100's of standards, control sets, assessment templates, libraries and playbooks.

Are you ready to experience AI-powered GRC?