How to measure performance of the classification system

Use the Protective Security Requirements assurance and reporting tools below to assess the maturity of your organisation’s classification capability alongside your other protective security capabilities.

The PSR assurance tools have been updated to include additional maturity indicators related to the Classification System across different capability dimensions. These tools are available to any organisation to measure their performance in the use of the Classification System.

 

Tool: Protective Security Capability Maturity Model [PDF, 542 KB] (July 2022)
Usage: The model enables you to assess the maturity of your classification capability alongside your other protective security capabilities and helps you to identify how you could develop them further.
The model recognises that each organisation has a unique combination of security risks and areas it needs to protect and enables organisations to use a risk-based approach to managing their security risks.
The model assesses capability across 12 dimensions and 4 maturity levels. The model is guided by the PSR’s mandatory requirements. While the 20 mandatory requirements are ‘baseline’ objectives, the model helps all types of organisations to set maturity targets based on their own security risk profile. One size does not fit all.

Tool: PSR Moderation Framework [PDF, 315 KB] (July 2022)
Usage: Agencies need to provide the underlying evidence to support their self-assessment against the Capability Maturity Model. The evidence is broken down into evidence of policy and processes versus evidence of practice (such as registers, logs, or reports) showing the outcomes of the policy and processes and how they are used to improve on outcomes.
The framework can be used by agencies themselves for informal self-assessment or by independent auditors for formal audit of the self-assessment (see the All of Government protective security panel for more information).

Tool: PSR Roadmap template [XLSX, 66 KB]
Usage: The PSR Roadmap template can be used to capture your organisation’s goals and improvement plans across the 20 PSR mandatory requirements.

Tool: Self-assessment report template
Usage: The report template can be used annually to report back on your organisation’s protective security capability and improvement plans to agency leaders and directors as well as to government leads.
If your organisation is mandated to follow the Protective Security Requirements, this reporting is mandatory and shared with the PSR/GPSL and GCSB/GCISO.

Tool: Classification System changes to CMM & Moderation Framework [PDF, 92 KB] (July 2022)
Usage: This document provides the changes specifically related to measuring the performance of the Classification System. Use this guidance to understand what additional capabilities and evidence you will need to demonstrate good practice in the Classification System.

Classification capability is measured under Mandatory Requirement (INFOSEC2)

The Classification System is part of the Protective Security Requirements Mandatory Requirement INFOSEC2.

When undertaking your self-assessment against this mandatory requirement in the October 2023 to March 2024 period, you will need to also consider the additional Classification System requirements to determine how well you meet this mandatory requirement.  

For example, if you previously rated yourself as ‘Meets’ for INFOSEC2 but, as at March 2024, you have not yet put in place all of the additional capability as defined in the July 2022 updates, then the status of your compliance with this mandatory requirement must reduce (‘Mostly meets’ or lower) as you do not meet the updated mandatory requirement.

Examples for new Classification capability under the CMM dimensions 

Below are a couple of examples of the Leadership and Culture capabilities you will need to have in place to be considered ‘Managed’.

Dimension: Monitoring and assurance

Capability (Managed):
- You are auditing and recording the quality of classification decisions
- You apply evidence-based performance measures to help track and assess the ongoing success of the information sharing and declassification

Examples of Evidence:
- Reporting on outcomes of audit and review of classification
- Evidence of business change based on classification audit and review
- Process for monitoring classification, declassification, information sharing
- Audit and review of classification procedures
- Chief Archivist and Ombudsman feedback

Dimension: Culture and behaviours

Capability (Managed):
- Your people regularly review and challenge classification decisions and learn from mistakes
- Your people make classification decisions that effectively manage the tension between needing to know (withhold) versus needing to share (open)
- You understand all the information you hold, and have systems and mechanisms in place to enable sharing to occur with any appropriate partner (including emergency management, communities, and social services)
- Your staff understand the value of information sharing and are formally empowered to share information appropriately where of value to other agencies

Examples of Evidence:
- Classification System (including Information sharing and declassification) awareness campaign
- Information Sharing Plan
- Information Sharing culture survey
- Measurement of changes in classification rates, volumes of declassification, decrease in complaints, positive ombudsman reporting