ABOUT006
On this page:
The Protective Security Requirements describe when your organisation needs to consider specific security measures to comply with mandatory requirements.
A security measure with a ‘must’ or ‘must not’ compliance requirement is mandatory. You must implement or follow mandatory requirements unless you can demonstrate that a measure is not relevant in your context.
A security measure with a ‘should’ or ‘should not’ requirement is considered good and recommended practice. Valid reasons for not implementing a security measure could exist, including:
Not using a security measure without due consideration may increase residual risk for your organisation. This residual risk needs to be agreed and acknowledged by your organisation head.
Pose the following questions before you choose not to implement a measure.
A formal auditable record of how you considered and decided which measures to adopt is required as part of the governance and assurance processes within your organisation.
The mandatory requirements and security measures are based on legislation relating to protective security and reflect government objectives.
When legislation requires your organisation to manage protective security in a way that is different to the PSR, that legislation takes precedence.
Some examples of legislation that might apply to some organisations are: