The PSR describes when your organisation needs to consider specific security measures – also called “controls” – to comply with mandatory requirements. The security measures required depend on the level of risk that an organisation has determined it needs to manage and on its risk tolerance.
Required measures
A measure expressed with ‘must’ or ‘must not’ is mandatory for all levels of risk. An organisation must implement or follow mandatory requirements unless it can demonstrate that a measure is not relevant in its context.
If a mandatory measure cannot be directly implemented, suitable compensating measures must be in place to manage identified risks.
Recommended measures
A measure expressed with ‘should’ or ‘should not’ is recommended for organisations facing moderate or higher risk. A measure expressed with ‘could’ is recommended for organisations facing high or higher risk.
Valid reasons for not implementing recommended measures could include:
- a measure is not relevant because there is no apparent risk, or
- the residual risk is acceptable, or
- an alternative measure of equal strength is in place.
Consider which measures to implement
Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.
Pose the following questions before you choose not to implement a measure.
- Is your organisation willing to accept additional risk? If so, what is the justification for your choice?
- Has the organisation considered the implications for all-of-government security? If so, what is the justification for this choice?
A formal auditable record of how an organisation considers and decides which measures to adopt is required as part of the governance and assurance processes.
Comply with legislation relating to security
When legislation requires your organisation to manage protective security in a way that is different to the PSR, that legislation takes precedence.
Examples of legislation that may apply to an organisation include:
- Crimes Act 1961
- Criminal Disclosure Act 2008
- Customs and Excise Act 2018
- Defence Act 1990
- Employment Relations Act 2000
- Health and Safety at Work Act 2015
- Income Tax Act 2007
- Official Information Act 1982
- Privacy Act 2020
- Public Finance Act 1989
- Public Records Act 2005
- State Sector Act 1988
- Summary Offences Act 1981.