SecurityPolicy.com.au
Home/ Australia/ Policy Library/ Information security policy
Australia Policy Library Policy template Reviewed 2026-07-12

Information Security Policy: A Practical Guide for Australian Businesses

1
master policy linking security rules and responsibilities
8
Essential Eight mitigation strategies
>A$3m
general Privacy Act organisation threshold
30 days
maximum suspected NDB assessment period
Why this guide exists

Australian operators most often ask what the policy must contain, whether a template is enough, who signs it and what evidence proves it is operating. A high-demand question missing from the fixed 10 is whether a customer, insurer or tender requires a particular framework, policy wording, approval level or independent assessment.

What is an information security policy, and does my business actually need one?

An information security policy is the business's approved, high-level rulebook for protecting information, systems, devices and services from unauthorised access, loss, misuse, alteration and disruption. It normally sets the purpose, scope, principles, responsibilities and mandatory outcomes, then points to more detailed standards, procedures and sub-policies. No universal Australian law requires every private business to maintain a document with this exact title, but government guidance recommends a written cyber security policy, particularly where employees handle business information and technology. The need becomes stronger where the business holds sensitive information, has staff or contractors, depends on suppliers, faces contractual assurance requests or is subject to privacy, critical-infrastructure or sector obligations.

How this differs by situation
  • A$3m or less annual turnover — Most small businesses are outside the general Privacy Act APP regime, but statutory exceptions, contracts, professional duties and operational risks may still make a policy necessary.
  • more than A$3m annual turnover — The business is generally covered by the Privacy Act and should use the policy to support APP 11 technical and organisational security measures.
  • business with employees, contractors or volunteers — A written policy provides common rules for information sharing, technology use, incident reporting, access and responsibilities.
  • government, regulated or contract-bound organisation — The policy may need to meet a named framework, approval, evidence, scope or review requirement rather than functioning only as an internal guide.
PUT THIS IN YOUR POLICY, EXACTLY

Purpose. This policy establishes the principles, responsibilities and mandatory requirements for protecting the confidentiality, integrity and availability of the organisation's information, systems and services. It applies to all workers, contractors, suppliers, information formats, locations and technologies within the approved scope.

What must it contain — the non-negotiable sections?

The policy should identify its purpose, objectives, scope, protected information and systems, governing principles, owner, approver and the people and suppliers who must follow it. It should establish mandatory rules for access, acceptable use, information handling, devices, remote work, email, cloud services, suppliers, backups, secure configuration, incident reporting, retention, destruction, exceptions, training, compliance and review. Detailed technical settings and task instructions should sit in linked standards and procedures so the master policy remains readable and stable. Every rule should identify an accountable owner and a form of evidence that can demonstrate implementation.

How this differs by situation
  • sole trader or microbusiness — Related sections can be combined into a concise document, but scope, ownership, incident contacts, access, backups, suppliers and review should still be explicit.
  • business with staff, contractors or BYOD — Include onboarding, acceptable use, personal devices, remote access, monitoring, information sharing, offboarding and incident-reporting rules.
  • cloud-dependent business — Address identity, approved services, provider access, data location, logging, backups, exports, incident notification and exit arrangements.
  • regulated or high-sensitivity environment — Add classification, restricted access, retention authority, legal notifications, supplier assurance, testing and exception governance.
PUT THIS IN YOUR POLICY, EXACTLY

Policy contents. This policy must define its purpose, scope, information and systems covered, governing principles, roles, mandatory control outcomes, approved exceptions, incident escalation, compliance evidence, document owner, approval authority, effective date and review triggers. Detailed control requirements and operating steps are maintained in linked standards, sub-policies, plans and procedures.

What does the law or a framework require here?

APP 11 does not prescribe a document title, but it requires covered entities to take reasonable technical and organisational measures to secure personal information, and the OAIC expressly includes policies, procedures, systems and training among those measures. The Privacy Act generally covers organisations with annual turnover above A$3 million and specified smaller organisations, while most businesses at A$3 million or less remain exempt unless an exception applies. Under the NDB scheme, a covered entity must take all reasonable steps to complete a suspected eligible-breach assessment within 30 calendar days and then notify as soon as practicable if the breach is eligible. The ISM is ASD guidance rather than a universal private-sector law unless legislation or another lawful authority makes it compulsory. The Essential Eight is a technical maturity model and minimum preventative baseline, not a replacement for the broader governance and policy system.

How this differs by situation
  • more than A$3m annual turnover — The organisation is generally an APP entity and the policy should support APP 11 security and NDB readiness.
  • A$3m or less annual turnover — Check health, personal-information trading, credit, Commonwealth contract, AML/CTF and other exceptions before assuming the Privacy Act does not apply.
  • ISM adoption — The ISM is advisory unless made binding by legislation, direction, policy, contract or other lawful authority.
  • Essential Eight target — Use the policy to establish governance and responsibility, then implement the eight technical strategies through standards, configurations and evidence.
PUT THIS IN YOUR POLICY, EXACTLY

Legal and framework obligations. The organisation must identify and maintain all security obligations arising from law, regulation, contract and adopted frameworks. This policy does not replace those requirements. Where an external framework is adopted, its scope, version, target level, exceptions, evidence and assurance requirements must be recorded in the obligations register.

Who owns it, and who has to sign it off?

The organisation owns the policy and the risks it governs; responsibility does not transfer to an MSP, template supplier or consultant. A board member, owner or senior executive should approve the policy at a level matching its business impact, while a named policy owner maintains it and control owners implement its requirements. Legal, privacy, people, technology, risk and operational leaders should review the sections relevant to them. The ISM assigns organisational-document approval to the CISO and system-specific approval to an authorising officer, but that is government and large-organisation guidance rather than a compulsory role structure for every small business. Small firms may combine roles, but accountability, delegated authority and backup decision-makers should still be documented.

How this differs by situation
  • sole trader or owner-managed business — The proprietor may own and approve the policy but should still identify technical, privacy, incident and legal advisers.
  • company with a management team — Senior management or the board should approve the risk position, with named policy and control owners below that level.
  • outsourced IT or MSP — The provider implements agreed controls and supplies evidence; the business retains legal, financial, customer and risk accountability.
  • ISM-aligned organisation — Organisational documentation is approved by the CISO and system-specific documentation by the authorising officer under current ISM guidance.
PUT THIS IN YOUR POLICY, EXACTLY

Ownership and approval. The governing body and senior management retain accountability for information security risk. The Policy Owner maintains this document, nominated Control Owners implement and evidence its requirements, and the approving authority accepts the policy's scope, priorities, exceptions and residual risks. Outsourcing does not transfer the organisation's accountability.

How does it actually get used by the team?

The policy should give each worker a small number of clear decisions: what they may use, what information they must protect, what is prohibited, where exceptions are requested and how concerns or incidents are reported. It should be introduced during onboarding, reinforced with role-specific scenarios, made easy to find and supported by practical procedures and approved tools. Managers need to model the rules and remove obstacles that encourage workarounds. A signed acknowledgement or completed training module proves distribution or completion, not understanding or control effectiveness. Exercises, spot checks, reporting data, questions, exception patterns and incident lessons provide stronger evidence that the team can apply the policy.

How this differs by situation
  • all workers — Teach the common rules for accounts, information handling, devices, email, suspicious activity and incident reporting.
  • finance, HR, administrators or privileged users — Provide additional role-specific controls, procedures, simulations and access reviews.
  • contractors and suppliers — Include obligations in onboarding and contracts and provide a usable incident and exception contact.
  • remote or distributed workforce — Make the policy, emergency contacts and essential procedures available when the office or primary systems are unavailable.
PUT THIS IN YOUR POLICY, EXACTLY

Communication and use. All personnel must receive security requirements relevant to their role, know where the current policy and procedures are located, complete required training, report suspected incidents promptly and request approval before departing from a requirement. Managers must reinforce the policy and must not direct personnel to bypass approved controls.

What evidence proves it's real to an auditor or insurer?

Start with the approved document, scope, owner, version history, effective date, review record and evidence that affected people and suppliers received the current version. Then link each policy requirement to operating evidence such as system configurations, access reviews, patch records, backup and restoration tests, training results, supplier assessments, incident records, exception approvals, vulnerability findings and corrective actions. Evidence must cover the full stated scope, including cloud services, non-Windows systems, remote workers and outsourced providers. The ISM's security-assessment model records assessment scope, strengths, weaknesses, risks, control effectiveness and remediation. An auditor or insurer applies its own criteria, so a policy file alone should not be assumed to satisfy an assurance request or insurance condition.

How this differs by situation
  • document evidence — Keep approval, owner, version, current-as-at date, distribution record, acknowledgements and change history.
  • control evidence — Retain configurations, logs, reports, tickets, test results, access reviews, backup restores, supplier evidence and incident records.
  • exceptions and weaknesses — Record approval, risk, scope, compensating controls, expiry, review and remediation milestones.
  • outsourced environment — Contracts should provide timely access to evidence held by MSPs, cloud providers and other suppliers.
PUT THIS IN YOUR POLICY, EXACTLY

Evidence. Every mandatory requirement must have a nominated Control Owner and an evidence source showing its implementation and effectiveness. Evidence must identify the relevant systems, people, suppliers, collection date, review frequency and retention location. Gaps and exceptions must be recorded with accountable remediation actions and due dates.

How often must it be reviewed — and what triggers an off-cycle review?

There is no universal Australian private-sector law requiring every information security policy to be reviewed at one fixed interval. Business.gov.au recommends regular review for new threats and system changes, while the ISM uses at least annual review and a current-as-at date as its government and large-organisation baseline. Review the policy sooner after a security or privacy incident, audit finding, failed control, legal or framework change, new technology, AI deployment, material supplier change, restructure, acquisition, major system change or evidence that staff cannot apply the rule. Review should result in a recorded decision, even where no wording changes are required.

How this differs by situation
  • ordinary private business — Annual review is a sensible baseline but is not a universal statutory period; contract and risk may require more frequent review.
  • ISM-aligned organisation — Review cyber security documentation at least annually and include a current-as-at date or equivalent.
  • contract, tender or insurer requirement — Follow the specified review, approval, attestation and testing cadence where it is more demanding.
  • after a material change or incident — Run an off-cycle review and document lessons, decisions and corrective actions.
PUT THIS IN YOUR POLICY, EXACTLY

Review. This policy is reviewed at least annually and whenever there is a material incident, legal or framework change, audit finding, control failure, organisational restructure, new technology, major system change, significant supplier change or evidence that a requirement is unclear or ineffective. Each review must be recorded, including reviews that result in no amendment.

How does it relate to the sub-policies (access control, acceptable use, incident response)?

The information security policy should sit at the top of a controlled document hierarchy and state the organisation's objectives, principles, authority and mandatory outcomes. Sub-policies and standards translate those outcomes into topic-specific requirements, such as who may receive access, which technology uses are acceptable, how devices are secured and how suppliers are managed. Procedures and plans explain the operational steps, including account provisioning, backup restoration and incident response. The ISM documentation guidance separately references system-usage, AI-usage, web-usage, mobile-device, media, supplier, email and incident-management documentation, showing why one master policy cannot contain every detail. All documents should share definitions, owners, scope and exception rules so they do not contradict one another.

How this differs by situation
  • access-control policy or standard — Defines identity, authentication, least privilege, approvals, privileged access, reviews and offboarding.
  • acceptable-use policy — Defines permitted and prohibited use of systems, internet, email, devices, printing, removable media, AI and personal accounts.
  • incident-response plan — Defines incidents, contacts, authority, escalation, evidence, regulatory reporting, containment, recovery and lessons learned.
  • Essential Eight standards — Translate technical maturity requirements into configurations, operational processes, exceptions and evidence below the master policy.
PUT THIS IN YOUR POLICY, EXACTLY

Document hierarchy. This policy sets organisation-wide security direction and authority. Supporting policies and standards define mandatory topic-specific requirements. Procedures and plans define approved operating steps. Registers and records provide evidence. Where documents conflict, the higher-authority document applies and the conflict must be escalated to the Policy Owner for correction.

The common gaps and red flags?

Red flags include a generic template with the wrong organisation name, no defined scope, no owner or approver, stale dates, unsupported legal claims and rules that do not match the systems people actually use. Other gaps include missing supplier and cloud coverage, no incident contact, no access-review process, no retention or destruction rule, unapproved exceptions, no evidence mapping and no link to usable procedures. Requirements that are impractical, contradictory or more intrusive than necessary can train people to bypass the policy or disclose information in unsafe ways. A policy that exists only for an audit, tender or insurance application is also a warning sign. The document should be tested against real scenarios and revised when staff cannot make a clear, safe decision from it.

How this differs by situation
  • template red flags — Look for foreign law, irrelevant controls, undefined terms, inconsistent roles, missing systems and unedited placeholders.
  • operational red flags — Look for shadow IT, policy workarounds, unclear incident reporting, unmanaged exceptions and controls that cannot produce evidence.
  • supplier and cloud red flags — Look for missing contracts, unknown data locations, unclear access, no incident timeframes, no backups and no exit plan.
  • assurance red flags — Look for claims of compliance based only on policy documents, training completion or a narrow checklist that omitted material systems.
PUT THIS IN YOUR POLICY, EXACTLY

Control quality. Security requirements must be lawful, proportionate, technically achievable and consistent with approved business processes. A requirement that cannot be followed, evidenced or enforced must be corrected or managed through a documented exception. Staff must report contradictory, obsolete or impractical requirements without fear of retaliation.

What's my next step?

Common misconceptions

  • Every Australian business is legally required to maintain a document specifically titled 'Information Security Policy'. INFERRED
  • An information security policy and a public-facing privacy policy are the same document. INFERRED
  • APP 11 is satisfied by technical tools alone and does not require organisational measures such as policies, procedures, governance and training. VERIFIED
  • A business with annual turnover of A$3 million or less can never be covered by the Privacy Act. VERIFIED
  • The ISM is legally compulsory for every Australian private business. VERIFIED
  • The Essential Eight is a complete information security policy and removes the need for broader governance, risk, people, supplier, detection and response controls. VERIFIED
  • Outsourcing IT or cloud storage transfers all information-security and APP 11 accountability to the provider. INFERRED
  • Every Australian private business has a statutory obligation to review its information security policy exactly once each year. INFERRED
  • Every technical setting and operating step should be placed in the master policy itself. INFERRED
  • A signed acknowledgement or completed training course proves that the policy is understood and operating effectively. INFERRED
  • Downloading an Australian template is sufficient without tailoring, approval, implementation, evidence or review. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
APP 11 security of personal information Office of the Australian Information Commissioner An APP entity holds personal information, including information stored by a third party where the entity retains possession or control. Ongoing throughout the information lifecycle; take reasonable technical and organisational security measures and destroy or de-identify information when no longer needed, subject to lawful-retention exceptions. Privacy Act investigation, determinations, enforceable remedies and civil penalties may apply depending on the provision, conduct and seriousness; maintaining a policy does not itself establish compliance.
Privacy Act organisational coverage Office of the Australian Information Commissioner The organisation generally has annual turnover above A$3 million or falls within another covered category, including specified health, personal-information trading, credit, Commonwealth-contract and AML/CTF activities. Assess on establishment, at least annually and whenever turnover, services, contracts or regulated activities change. Privacy Act regulatory and civil consequences depend on the particular obligation and contravention.
Notifiable Data Breaches scheme Office of the Australian Information Commissioner A Privacy Act-covered entity suspects an eligible personal-information breach or reasonably believes that an eligible breach likely to cause serious harm has occurred. Take all reasonable steps to complete the suspected-breach assessment within 30 calendar days; notify the OAIC and affected individuals as soon as practicable once an eligible breach is established. Failure can constitute an interference with privacy and attract Privacy Act regulatory action and civil remedies according to the circumstances.
ISM cyber security documentation controls Australian Signals Directorate or the authority making the ISM requirement binding The organisation is required by legislation, lawful direction, government policy or contract to apply the ISM, or voluntarily adopts the relevant controls. Under current ISM guidance, documentation is reviewed at least annually, carries a current-as-at date, receives appropriate approval and is communicated to stakeholders. The ISM itself does not impose a universal private-sector penalty; consequences arise from the legislation, direction, contract or authority that makes compliance compulsory.
Essential Eight target and exception governance Australian Signals Directorate or the customer, regulator or authority requiring the target The organisation adopts an Essential Eight target or is required to meet one by policy, regulation, government direction or contract. Progressively implement the target maturity level across all eight strategies; document, approve and regularly review exceptions and compensating controls. No universal Essential Eight statutory penalty or independent-certification requirement applies; consequences depend on the directive, regulator, contract or assurance arrangement.

Sources

  1. Create a cyber security policy primary
  2. Using the Information Security Manual primary
  3. Guidelines for cyber security documentation primary
  4. Essential Eight maturity model primary
  5. Essential Eight maturity model and ISM mapping primary
  6. Chapter 11: APP 11 Security of personal information primary
  7. The Privacy Act primary
  8. Small business and the Privacy Act primary
  9. Part 4: Notifiable Data Breach scheme primary
  10. Cyber Security Policy template primary
  11. Latitude Financial hacked; 328,000 customer IDs stolen forum
  12. Smart Glasses in the office? forum
  13. How email a zip file past IT security block? forum
  14. Mandatory cyber security training 'The Inside Man' forum
  15. Glad that we discuss more real-world security in this sub forum
  16. Printing personal docs at work — yay or nay? forum
  17. Coles Mastercard discussion forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.