New Resilience Management Planning Requirements for Australian Government Agencies

In November 2024, the Australian government launched a new series of annual iterations of the Protective Security Policy Framework (PSPF). Dubbed PSPF Release 2024, the new Framework includes resilience management planning requirements for Australian government agencies.

What are the new requirements? We delve into them here.

Introducing the Protective Security Policy Framework (PSPF)

But first, what’s the Protective Security Policy Framework (PSPF)?

Well, the Department of Home Affairs, back in 2018, developed the Protective Security Policy Framework (PSPF), a series of reforms intended to clarify, streamline, and encourage a strengthened security culture across government agencies.

Since that time, numerous policies within the PSPF have changed. However, it was only last year that the government made the decision to consolidate PSPF policy changes into yearly updates. The thinking was that affected entities could more easily anticipate potential policy updates and prepare to update their own processes.

Dissecting the new resilience management planning requirements for Australian government agencies

This latest iteration, PSPF Release 2024, caught the attention of the resilience community because it included significant resilience management planning requirements. Two of the requirements focus on business continuity and emergency management planning.

To begin, the new Framework mandates that affected entities develop, implement, and maintain business continuity plans (BCPs). Per the new requirements, a compliant business continuity plan must:

  • Lay out actions the entity will take before, during, and after an unexpected incident to minimize the degree of damage and the time required to recover
  • Document a set of planned procedures through which the entity can continue or recover its services to the Government
  • Detail post-incident actions the entity can take to limit loss or damage
  • Include provisions accounting for significant business disruptions to:
    • Reduce the immediate impact on the entity and provide lower yet acceptable levels of service, or
    • Enable the entity to resume normal operations within an acceptable period of time

Resilience management planning requirements for emergencies

This resilience management planning requirement is intended to minimize the impact of significant business disruptions to both critical services and assets and to an entity’s other services and assets when a threat or security risk assessment indicates that it’s needed.

To that end, entities must also include within their BCPs discrete plans to initiate in the event of different emergency scenarios. Emergency management plans (or playbooks) must be developed for the following scenarios:

  • Bombs and bomb threats
  • Potentially hazardous substances or hoaxes
  • Failure of essential services
  • Fire and explosions
  • Cyberattacks and serious cybersecurity incidents (noting National Coordination requirements)
  • Major accidents
  • Natural disasters
  • Disruptive/dangerous visitors, including active shooter
  • Threatening telephone calls, emails, and letters
  • Suspicious packages or deliveries

PSPF Release 2024 also specifies that emergency response teams should run security awareness trainings, exercises, and rehearsals of their resilience management plans to guarantee their efficacy and confirm the readiness of key personnel to execute the plan as the situation demands.

How do you know if you’re on the right track to compliance, though? Beyond implementing emergency management software, agencies should be looking to follow best-practice resilience management standards like ISO 22301, as recommended in the Framework itself.

To learn more about the business continuity management system (BCMS) standard, check out our guide to ISO 22301.
