Reporting and Attestation Under the NSW Cybersecurity Policy: What Organisations Need to Know


The Importance of Transparent Reporting in Cybersecurity Governance

Across New South Wales, government agencies and portfolios are held to a high standard in managing cyber risks. The NSW Cybersecurity Policy sets clear expectations around accountability, resilience, and transparency, three pillars that underpin trust in the public sector’s ability to protect digital services.

Central to this framework are reporting and attestation requirements, which ensure that agencies not only implement controls but also demonstrate their effectiveness through evidence-based assurance. Organisations need to recognise that these obligations reinforce consistency across portfolios and give NSW Cybersecurity a comprehensive view of the state’s cyber resilience.

Annual Reporting Obligations: Setting the Baseline

Each year, agencies must fulfil specific reporting duties under the policy. By 30 June, portfolio Chief Information Security Officers (CISOs) provide NSW Cybersecurity with an updated list of all agencies under their portfolio, along with confirmation of how each intends to report.

By 31 October, a detailed report for every agency must be submitted, either through the portfolio CISO or directly to NSW Cybersecurity. This submission includes:

  • An assurance assessment against all Mandatory Requirements of the NSW Cybersecurity Policy for the previous financial year.
  • A register of high or extreme residual cyber risks, alongside their treatment and review mechanisms.
  • A formal attestation on the agency’s cybersecurity governance and performance.

These annual deadlines create consistency across government operations, while also embedding a structured cycle of self-assessment and external accountability.


Mandatory Requirement Reporting: Evidence-Based Assurance

The reporting process is designed to go beyond checklists. Agencies are expected to provide assurance assessments that reflect the real state of implementation, backed by verifiable evidence. This includes compiling accessible documentation to demonstrate compliance, resolving discrepancies between reported and actual control implementations, and acknowledging where requirements have not yet been met.

Importantly, the framework allows for “not applicable” responses when justified, for example, where a control does not align with the agency’s function. However, these exemptions must be explained and documented, ensuring clarity and preventing misuse.

Risk Reporting: Capturing High and Extreme Threats

Risk reporting forms another critical component of the NSW Cybersecurity Policy. Agencies must provide a list of high or extreme residual risks each year, capturing those that remain after mitigation efforts. These risks are tracked in a risk register and reviewed under the agency’s broader enterprise risk management framework.

Where risks exceed the organisation’s appetite or tolerance, escalation is mandatory. This means direct involvement of the Agency Head or authorised officer, ensuring senior leadership takes responsibility for risk acceptance.

Agencies are also encouraged to report on key threats and mitigations as part of the policy’s threat-based risk management approach. This proactive reporting ensures visibility of both present vulnerabilities and the measures being applied to reduce them.

Annual Attestation: Accountability at the Highest Level

Perhaps the most critical element of the policy is the annual attestation. Signed by the Agency Head, this attestation serves as a formal declaration of the agency’s cybersecurity status for the previous financial year.

The attestation must address whether:

  • Cybersecurity risks have been formally assessed.
  • Any residual risks exceed the organisation’s appetite.
  • All mandatory assessments and reporting obligations have been met.
  • Cybersecurity governance is represented appropriately at agency forums.
  • Continuous improvement measures are being pursued.

In cases where mandatory requirements are “not met” or “partially met,” the Agency Head must sign off directly, ensuring that responsibility sits squarely with senior leadership. This top-down accountability is vital to maintaining trust and ensuring transparency across the public sector.

Why Do These Requirements Matter?

The NSW Cybersecurity Policy is designed to do more than satisfy compliance checkboxes. It is a framework for building resilience, improving governance, and reinforcing public confidence. By embedding reporting, assurance, and attestation into its core, the policy ensures that cybersecurity remains visible at all levels of decision-making.

The 2023–2024 reporting year serves as a baseline, recognising that not all requirements will be fully met at this stage. However, it sets the stage for agencies to track progress, identify gaps, and demonstrate improvements in subsequent years.

Conclusion: A Framework for Continuous Improvement

Cybersecurity governance in NSW is being shaped not only by technical controls but also by accountability measures that require agencies to show, not just tell, how secure they are. Reporting and attestation processes ensure that resilience is evidence-based and endorsed at the highest levels of leadership.

By adopting this structured approach, NSW positions itself to address both current and emerging threats with clarity, transparency, and trust, laying the foundation for stronger digital services and safer public-sector operations.
