This section has information and tools to help your organisation set up effective organisational governance of protective security to protect your people, information, and assets.


Why governance matters

Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks, organisations must ensure security is part of their organisational culture, practices and operational plans.

Mandatory requirements

The 20 mandatory requirements that mandated government agencies must follow, and that other organisations should consider as best practice.

Implementing a risk-based approach to protective security

Understand how to develop policies, plans and processes for protective security, using a consistent, structured approach.

Protective security roles and responsibilities

Guidelines for planning and assigning responsibilities for protective security.

Applying Business Impact Levels

Assign Business Impact Levels (BILs) to your organisation’s security risks as part of your risk assessment process. BILs are used to consistently assess the likely impacts of security breaches.

Developing security alert levels

Use this guidance to help you develop the alert levels your organisation needs to move to heightened security in case of emergency or increased threat.

Build security awareness

Build security awareness with everyone in your organisation, so they’re aware of your security risks and follow your security processes.

Reporting incidents and conducting security investigations

Understand how to report, manage, and investigate security incidents using a consistent, structured approach.

Business continuity management

Enhance your organisation’s resilience and strengthen your security measures with a business continuity management programme.

Supply chain security

Protect your organisation’s information and assets. Identify and manage risks that arise from working with external suppliers.

Working away from the office

Adopt a consistent and structured approach to protecting your people, information, and assets when people are working away from the office.