
CISOs made mandatory in Australian government agencies

Australian Government's Protective Security Policy Framework amended to mandate cybersecurity leadership

The Australian Department of Home Affairs' Protective Security Policy Framework has introduced policy changes that will mandate the appointment of a Chief Information Security Officer for government entities.

A number of Protective Security Policy Framework amendments were approved by the Government Security Committee in late August.

Relating to management structures and responsibilities, PSPF policy 2 was amended specifically to:

  • require Chief Security Officers (CSOs) hold a minimum Negative Vetting Level 1 security clearance, and
  • mandate the appointment of a Chief Information Security Officer (CISO) to be responsible for cyber security leadership in the entity.

In addition to requiring a minimum Negative Vetting Level 1 clearance, a news release highlighting the change noted that the qualifications and experience of appointed CISOs would vary based on the size and needs of the organisation's cyber security structure.

"The CISO does not have to be appointed at the SES level – the role is best performed by an officer with the appropriate combination of experience, technical skills and other skills such as business acumen, leadership, communications and relationship building," the release noted.

The Protective Security Policy Framework is a security framework and resource for Australian government entities. It sets out government security policy and supports agencies in implementing those policies.

Any non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 must apply the PSPF.