The objective of this audit is to assess the effectiveness of cyber security risk mitigation strategies implemented by selected non-corporate Commonwealth entities to meet mandatory requirements under the Protective Security Policy Framework (PSPF), and the support provided by the responsible cyber policy entities.

Audit criteria

The ANAO proposes to examine whether:

  • the selected entities have fully implemented the Top Four cyber security risk mitigation strategies or otherwise adopted strategies and actions to progress towards full implementation; and
  • the three entities responsible for cyber policy in the Commonwealth (the Australian Signals Directorate, the Attorney-General’s Department and Department of Home Affairs) have worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF.


  • Attorney-General’s Department
  • Australian Signals Directorate
  • Australian Trade and Investment Commission
  • Department of Education, Skills and Employment
  • Future Fund Management Agency
  • Department of Health
  • Department of Home Affairs
  • IP Australia
  • Department of the Prime Minister and Cabinet