Cyber Resilience

Cyber Resilience

Country : Australia

Year Published: 2016

Language: English

Sector: Agriculture, Industry, Science & Technology

Issue: Cybersecurity


In June 2014, the Australian National Audit Office tabled in Parliament ANAO Audit Report No.50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems. The report examined implementation of the mandatory strategies in the Australian Government Information Security Manual (ISM).

The Joint Committee of Public Accounts and Audit (JCPAA) held a public hearing to examine Report No.50 on 24 October 2014. The Committee was concerned that the seven entities audited were not compliant with the ‘Top Four’ strategies in the ISM. And that none of the entities were expected to achieve compliance by the mandated target date of 30 June 2014.

In light of concerns about entities’ shortcomings to achieve compliance, the JCPAA asked the Auditor-General to extend the coverage of the audit to include other entities. In response to the JCPAA, a performance audit was scheduled to assess another four selected entities’ compliance with Australian Government requirements.1 This report is the outcome of the audit.

For some years, the Australian Government has established both an overarching protective security policy framework, and promulgated specific ICT risk mitigation strategies and related controls, to inform the ICT security posture6 of agencies. In 2013, the Government mandated elements of the framework, in response to the rapid escalation, intensity and sophistication of cyber crime and other cyber security threats.



All entities made efforts to achieve compliance with the mandated strategies in the ISM. Two of the four selected entities achieved compliance—AUSTRAC and the Department of Agriculture and Water Resources. Two entities did not achieve compliance—Australian Federal Police and the Department of Industry, Innovation and Science.

The ANAO has made three recommendations aimed at achieving compliance with mandated strategies in the ISM. The recommendations are likely to apply to other Australian Government entities not specifically examined in this audit.