The South Australian Cyber Security Framework (SACSF) is a cabinet approved, whole of government approach designed to ensure cyber security is adequately managed in each agency, while also ensuring there is the adequate flexibility in the way each organisation specifically addresses the policies.

The framework:

  • makes sure cyber security risks are managed in an acceptable way
  • reassures the public and other interested parties that the information in the government’s care is properly protected
  • maintains the confidentiality, integrity and availability of information assets according to policy, legal and regulatory requirements
  • maintains the reputation of the individual agencies and the broader South Australian Government
  • helps make cyber risk management part of an agency’s existing risk management framework
  • demonstrates alignment to internationally recognised good practice in cyber risk management.

The Framework has 21 policy statements that agencies must address as part of their cyber security program. Each policy statement defines a fairly wide-ranging cyber security principle that agencies must consider. The precise approach organisations and agencies adopt to achieve each policy will vary. Agencies have the flexibility to choose the way they address any policy statement that aligns to their own risk profile.

The SACSF applies to South Australian Government public sector agencies (agencies), that is, administrative units, bodies corporate, statutory authorities, and instrumentalities of the Crown as per the Public Sector Act 2009. It also applies to suppliers to the South Australian Government and non-government personnel that provide services to government agencies.

The SACSF is a complete replacement for the Information Security Management Framework (ISMF). The ISMF will be superseded as of December 2019, however will be available as reference material until December 2020.

The South Australian Cyber Security Framework (SACSF) F1.0 (PDF, 553.6 KB)

Executive guidance

An executive guide provides an overview of the South Australian Cyber Security Framework (SACSF) for agency executives. It outlines:

  • An overview of SACSF
  • who the SACSF applies to
  • the framework and tier model
  • annual attestations
  • responsibilities of the chief executive.

SACSF G1.0 executive guide (PDF, 137.5 KB)

SACSF guidance and supporting documentation


SACSF rulings are specific applications of security policy that must be adhered to by all agencies.

SACSF R1.0 Security management requirements for critical ICT (coming soon, please refer to ISMF Ruling 1 (PDF, 74.5 KB) Security management requirements for critical information and communication technology)

SACSF R2.0 Storage and Processing of Information in Outsourced or Offshore ICT Arrangements (PDF, 184.3 KB) (under review)