Protective Security Policy Framework
The framework that sets how Commonwealth entities protect people, information and assets from trusted-insider and external threats.
What PSPF actually is.
The PSPF is the Australian Government's policy framework for protective security. It sets out the government's expectations for managing security risks across four outcomes: governance, information, personnel and physical security. For cybersecurity, the PSPF requires non-corporate Commonwealth entities to apply the ACSC's ISM controls and the Essential Eight. Each entity's Accountable Authority is responsible for attesting annual compliance.
Mandatory for non-corporate Commonwealth entities. Corporate Commonwealth entities and state/territory agencies apply the PSPF as good-practice guidance.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
- 01 Security governance: Establish accountabilities, reporting and a risk-managed approach to protective security.
- 02 Information security: Classify, protect and share official information in line with its sensitivity and business impact.
- 03 Personnel security: Vet personnel, manage insider risk, and maintain ongoing suitability for access to classified resources.
- 04 Physical security: Protect people, information and physical assets in line with business impact levels and threat.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Protective Security Policy Framework: protectivesecurity.gov.au
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against PSPF.
Assessment, engineering and operational services that line up with the framework's control areas.
- IRAP Assessment: PROTECTED-certified assessors for Australian government and regulated entities.
- ASD Essential Eight: Reach Maturity Level 3 across the ACSC's eight prioritised mitigation strategies.
- Virtual CISO: Fractional security leadership embedded with your executive team.