Evaluating your personnel security

Evaluate your organisation’s personnel security measures to make sure they meet your current needs and evolve as your risk environment changes over time

PER023

Use several review activities to inform improvement

To evaluate how effectively you are managing your risks, adopt a layered approach.  Use several review activities to inform improvements to your security measures. Review activities help your organisation find out: 

  • how effective and efficient your current systems and practices are
  • which areas you need to improve
  • how your security capability is maturing over time.

Follow the mandatory governance requirements

To evaluate how effective your security measures are and whether they need updating, follow the relevant mandatory governance requirements:

  • carry out personnel security risk reviews (GOV2)
  • review your protective security policies and plans (GOV8)
  • complete annual self-assessments against the mandatory protective security requirements (GOV8)
  • report and investigate security incidents (GOV6)

Report and investigate security incidents

Managing security incidents effectively is a basic part of good security practice.

Information you gather when you report on and investigate security incidents may highlight when your organisation needs to reassess the effectiveness of current practices.

Reporting and investigating security incidents drives your security measures to continuously improve.

Complete annual self-assessments

Government organisations must assess themselves annually against the mandatory protective security requirements. This self-assessment is recommended as good practice for all organisations and businesses.

 Self-assessment helps your organisation to:

  • evaluate the effectiveness of your protective security controls
  • identify and address areas of non-compliance with mandatory protective security requirements
  • improve your protective security policies and procedures.

Undertake a risk review every two years 

Your organisations should review its risks from personnel security every two years in line with:

  • HB 167:2006: Security Risk Management
  • AS/NZS 31000:2009 Risk Management — Principles and Guidelines.

Government organisations must review all their protective security policies and plans every two years, or sooner if changes in your organisational or operating environment changes the risks (GOV4).