
Governance
This section has information and tools to help your organisation set up effective organisational governance of protective security to protect your people, information, and assets.
GOV023
Why governance matters
Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks, organisations must ensure security is part of their organisational culture, practices and operational plans.
Mandatory requirements
The 20 mandatory requirements that mandated government agencies must follow and other organisations should consider as best practice.
Implementing a risk-based approach to protective security
Understand how to develop policies, plans and processes for protective security, using a consistent, structured approach.
Protective security roles and responsibilities
Guidelines for planning and assigning responsibilities for protective security.
Applying Business Impact Levels
Assign Business Impact Levels (BILs) to your organisation’s security risks as part of your risk assessment process. BILs are used to consistently assess the likely impacts of security breaches.
Developing security alert levels
Use this guidance to help you develop the alert levels your organisation needs to move to heightened security in case of emergency or increased threat.
Build security awareness
Build security awareness with everyone in your organisation, so they’re aware of your security risks and follow your security processes.
Reporting incidents and conducting security investigations
Understand how to report, manage, and investigate security incidents using a consistent, structured approach.
Business continuity management
Enhance your organisation’s resilience and strengthen your security measures with a business continuity management programme.
Supply chain security
Protect your organisation’s information and assets. Identify and manage risks that arise from working with external suppliers.
Working away from the office
Adopt a consistent and structured approach to protecting your people, information, and assets when people are working away from the office.