Security maturity is a meaningful way of measuring an agency’s overall security capability in line with the risk environment and the agency’s risk tolerances. Maturity recognises the inherent differences between agencies, functions, risk environments and security risks, and acknowledges the journey agencies may need to take to achieve their security goals and objectives, while helping to identify areas for improvement.

This policy ensures that agencies develop and implement processes to routinely monitor and assess their security maturity in line with the security goals of their security plan. An agency’s security maturity includes the ability to actively respond to changes in the agency’s security risk environment, including to new and emerging threats or vulnerabilities, to ensure the ongoing protection of its people, information and assets.

Core requirement

Monitor security maturity against the security plan

Supporting requirements

To monitor security maturity against the security plan, agencies* must:

  1. seek, identify and document evidence of the agency’s security maturity
  2. assess progress to achieving the security goals and maturity targets of the security plan
  3. amend the security plan in accordance with changes to the risks, threats, vulnerabilities or criticalities of the agency.

GOVESEC3 Guidance (PDF, 702.7 KB)

*This policy applies to all South Australian public sector agencies (as defined in section 3(1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.