This policy is current as at 23/03/2018 06:44am, AEDT. Please refer to the policy library website for an updated version.

Information Security Policy

Information that is fit for purpose, secure, available, and accessible, and complies with applicable laws and regulations, enables staff to make everyday decisions and assists the Department to realise its strategic objectives.

1. Policy statement


The department is committed to ensuring an appropriate level of security is applied to protect the confidentiality, integrity and availability of its information and will satisfy applicable requirements.


All departmental information assets, in electronic, paper, audio or video form, whether located in schools, institutes, corporate units or other locations, will be secured according to the information’s level of sensitivity, criticality and risk.

2. Audience and applicability


This policy applies to all departmental:

  • staff (full-time, casual, temporary or contractors) and parties that access or use the department’s information assets
  • processes and operations
  • locations where departmental information is stored temporarily or permanently. This includes but is not restricted to the department’s schools and other departmental worksites; and non-departmental sites and private residences (only in relation to any departmental information assets at those locations)
  • information assets, in any form, such as: paper, electronic, audio, video, etc.

These assets may also include:

  • data, as described in the Enterprise Data Policy
  • information held and maintained by the department for, or on behalf of, other government agencies or private entities
  • information held and maintained for the department by external parties
  • information and communications technology (ICT) infrastructure owned or leased by the department and any ICT connecting to, or residing on, the department’s ICT infrastructure.

3. Context


The implementation of an Information Security Policy and an Information Security Management System (ISMS), along with effective governance, will enable the department to identify, manage and achieve its information security objectives.


The department will protect its information assets by:

  • Identifying information assets that are critical and/or sensitive and classifying them in accordance with the security classification framework, as directed by the Enterprise Data Policy.
  • Performing risk assessments in accordance with the Enterprise Risk Management Policy.
  • Applying appropriate information security controls to reduce risks to an acceptable level. Controls will be described in various information security standards, procedures and guidelines.
  • Continually improving the Information Security Management System (ISMS) including information security processes, techniques and controls.


This Policy supports the Department of Finance and Services directive that all agencies appropriately protect information by establishing an Information Security Management System (ISMS). The ISMS should be developed in accordance with the following Standards for Information Security:

  • ISO/IEC 27001 ISMS Requirements.
  • ISO/IEC 27002 ISMS Code of Practice.

An ISMS is a framework and methodology used to manage information security risks. For further information refer to the Information Security Policy - Guideline document (PDF 155.23 KB).


This policy is guided by the following relevant legislation, memoranda, circulars and departmental policies:

  • NSW State Records Act, 1998
  • NSW Privacy and Personal Information Protection Act 1998
  • NSW Workplace Surveillance Act 2005
  • Department of Premier and Cabinet Memorandum M2012-15 Digital Information Security Policy
  • Office of Finance and Services Circular C2013-5 Information Classification and Labelling Guidelines
  • DoE Code of Conduct Policy
  • DoE Enterprise Data Policy
  • DoE Enterprise Risk Management in the Department of Education Policy
  • DoE Business Continuity Management Policy
  • DoE Privacy Management Plan
  • DoE Privacy Code of Practice
  • DoE Communication Devices and Associated Services Policy

4. Responsibilities and delegations

4.1 Secretary

The Secretary is responsible for establishing auditable governance and management accountabilities for the Information Security Management System and related activities; and for establishing appropriate monitoring and auditing measures to ensure these accountabilities are discharged effectively.

4.2 Chief Information Officer

The Chief Information Officer (CIO) is responsible for the management and maintenance of the Information Security Management System.

4.3 Management

All managers, including school principals, are responsible for ensuring that this policy and associated standards and procedures are effectively communicated and implemented throughout all areas of their control.

4.4 Staff

All staff are responsible for:

  • familiarisation with the information security policy and the relevant standards and procedures
  • exercising duty of care to protect information assets
  • reporting suspected breaches, in accordance with incident management procedures.

5. Monitoring, evaluation and reporting requirements


The Chief Information Officer is responsible for the monitoring, evaluation and reporting of compliance with this policy.


This policy will be reviewed each year by the Chief Information Officer and when significant legislative or organisational changes require an update.

6. Contact

For further information, contact the Information Security Unit.

Phone (02) 9302 7115.

E-mail to:
