About the PSR


Complying with the PSR

The PSR describes when your organisation needs to consider specific security measures to comply with mandatory requirements.

Identifying mandatory measures

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory requirements unless you can demonstrate that a measure is not relevant in your context.

Identifying good-practice measures

A security measure with a ‘should’ or ‘should not’ requirement is considered good and recommended practice. Valid reasons for not implementing a security measure could exist, including:

  • a measure is not relevant because the risk does not exist
  • you’re substituting a process or measure of equal strength.

Considering which measures to implement

Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head. 

Pose the following questions before you choose not to implement a measure.

  1. Is your organisation willing to accept additional risk? If so, what is the justification for your choice?
  2. Have you considered any implications for all-of-government security? If so, what is the justification for your choice?

A formal, auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.

Complying with legislation relating to security

The mandatory requirements and security measures are based on legislation relating to protective security and reflect government objectives.

When legislation requires your organisation to manage protective security in a way that is different to the PSR, that legislation takes precedence.

Some examples of legislation that might apply to some organisations are:

  • Crimes Act 1961
  • Criminal Disclosure Act 2008
  • Customs and Excise Act 2018
  • Defence Act 1990
  • Employment Relations Act 2000
  • Health and Safety at Work Act 2015
  • Income Tax Act 2007
  • Official Information Act 1982
  • Privacy Act 2020
  • Public Finance Act 1989
  • Public Records Act 2005
  • State Sector Act 1988
  • Summary Offences Act 1981.

Page last modified: 17/02/2021