Complying with the Protective Security Requirements

When your organisation needs to put protective security measures in place

ABOUT006

The Protective Security Requirements describe when your organisation needs to consider specific security measures to comply with mandatory requirements.


Identify mandatory measures

A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory requirements unless you can demonstrate that a measure is not relevant in your context.


Identify good-practice measures

A security measure with a ‘should’ or ‘should not’ requirement is considered good and recommended practice. Valid reasons for not implementing a security measure could exist, including:

  • a measure is not relevant because the risk does not exist
  • you’re substituting a process or measure of equal strength.

Consider which measures to implement

Choosing not to use a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.

Pose the following questions before you choose not to implement a measure.

  1. Is your organisation willing to accept additional risk? If so, what is the justification for your choice?
  2. Have you considered any implications for all-of-government security? If so, what is the justification for your choice?

A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.


Comply with legislation relating to security

The mandatory requirements and security measures are based on legislation relating to protective security and reflect government objectives.

When legislation requires your organisation to manage protective security in a way that is different to the PSR, that legislation takes precedence.

Some examples of legislation that might apply to some organisations are:

  • Crimes Act 1961
  • Criminal Disclosure Act 2008
  • Customs and Excise Act 2018
  • Defence Act 1990
  • Employment Relations Act 2000
  • Health and Safety at Work Act 2015
  • Income Tax Act 2007
  • Official Information Act 1982
  • Privacy Act 2020
  • Public Finance Act 1989
  • Public Records Act 2005
  • State Sector Act 1988
  • Summary Offences Act 1981.