Protective Security Policy Framework Assurance and Essential Eight Audit 2026

⁠⁠⁠The Protective Security Policy Framework (PSPF) has been developed to assist Australian Government entities to protect their people, information and assets, at home and overseas. The PSPF sets out government protective security policy and supports entities to effectively implement the policy across the six protective security domains of Governance, Risk, Information, Technology, Personnel and Physical.

As non-Corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) the Department of Employment and Workplace Relations (DEWR) and the Department of Education (DE) are required to apply the PSPF to their business to maintain the confidence of stakeholders and effectively manage protective security risks.

The department requires an independent audit of its protective security posture to:

1. Establish DEWR's and Department of Education's current level of protective security compliance in terms of the PSPF annual self-assessment.

2. Provide assurance the department has in place appropriate mechanisms to monitor the effective implementation of, and compliance with the policy detailed within the six PSPF protective security domains.

3. Identify gaps and detail the actions and activities the department should undertake to achieve them.

4. Assess DEWR's level of compliance with the ACSC Essential Eight in line with the guidance provided in ACSC's Essential Eight Audit Process Guide and to inform the department's response to the annual ASD survey in July.

5. Identify gaps and detail the actions and activities the department should undertake to achieve compliance with the cyber security requirement as per the Essential eight and ISM.