  1. Security maturity is a meaningful way of measuring an agency’s overall security capability in line with the risk environment and the agency’s risk tolerances. Maturity recognises the inherent differences between agencies, functions, risk environments and security risks, and acknowledges the journey agencies may need to take to achieve their security goals and objectives, while helping to identify areas for improvement.
  2. This policy ensures that agencies develop and implement processes to routinely monitor and assess their security maturity in line with the security goals of their security plan. An agency’s security maturity includes the ability to actively respond to changes in the agency’s security risk environment, including to new and emerging threats or vulnerabilities, to ensure the ongoing protection of its people, information and assets.

Monitor security maturity against the security plan

  1. To monitor security maturity against the security plan, agencies must: [1]
    1. seek, identify and document evidence of the agency's security maturity
    2. assess progress to achieving the security goals and maturity targets of the security plan
    3. amend the security plan in accordance with changes to the risks, threats, vulnerabilities or criticalities of the agency

[1] This policy applies to all South Australian public sector agencies (as defined in section 3 (1) of the Public Sector Act 2009) and to any other person or organisation that is generally subject to the direction of a Minister of the Crown; all of which are referred to in this policy as “Agencies”.


  1. Security maturity is a measure of an agency’s capability to identify, assess and treat security risks specific to its risk environment and risk tolerances. Effective security maturity assessments identify the success of South Australian Protective Security Framework (SAPSF) implementation as well as areas requiring improvement.
  2. Security maturity is a reflection of how an agency:
    1. implements and meets the SAPSF core and supporting requirements
    2. minimises harm to its people and assets
    3. fosters a positive security culture
    4. responds to and learns from security incidents
    5. understands and manages security risks
    6. achieves security outcomes while delivering business objectives.

Security culture

  1. A positive security culture is an effective measure of an agency’s security maturity. It is reflective of the behaviours, attitudes and understanding of security by an agency’s employees and underpins the agency’s ability to identify, manage and treat security risks effectively. The importance of security culture is reflected in SAPSF principle 5 ‘a positive security culture empowers personal accountability, promotes ownership and management of risk and supports continuous improvement’.
  2. It should be an objective of all agencies to develop a security culture where leadership and employees:
    1. comprehensively understand the agency’s security risks
    2. understand their collective and individual security responsibilities
    3. proactively manage the security risks relevant to their work environment
    4. embed good security practices in their day-to-day activities
    5. use risk management to inform decisions that might affect the agency’s security
    6. promote good security practices both within and outside the agency.

Gathering evidence of security maturity

  1. Security maturity can be highly subjective and difficult to compare across business units, let alone agencies of varied size and function, so what information is required to assist in assessing an agency’s maturity may not be obvious or evident. Therefore, when setting security goals and maturity targets, agencies must seek, identify and document evidence which supports the agency’s present security maturity assessment.
  2. This information can then be utilised to inform ongoing assessments and contribute to identifying new sources of information to further enhance and enrich maturity assessments.
  3. Information which can contribute to security maturity assessments and monitoring may include:
    • engagement with, and decisions on, security risk and risk tolerances
    • risk mitigation strategies
    • frequency and/or response to security incidents (including learnings)
    • employee security behaviours (including security incidents)
    • security training programs
    • systematic and routine audits of security practices/procedures (including access controls)
    • security issues reported (internally or externally)
    • internal focus groups or security questionnaires
    • horizon scanning for emerging or evolving threats, risks and vulnerabilities
    • provision of security advice or services (for Lead Security Agencies)

Assessing progress to security goals and maturity targets

  1. The information collected can then be used to validate the maturity level of the agency and determine progress toward the maturity targets identified in the security plan. Agencies should use the maturity level indicators described in SAPSF policy Security planning (see Annex A) to guide planning and assessment of maturity.

Amending the security plan

  1. Security plans are only required to be reviewed every two years; however, changes in the risks, threats, vulnerabilities or capabilities of an agency may mean the security plan, or parts of the security plan, are no longer accurate or fit for purpose.
  2. Agencies must consider amendments to their security plan where:
    • new or changing risks, threats, vulnerabilities or capabilities are identified (including shared risks)
    • significant discrepancies are identified between assessed and actual security maturity
    • the agency’s risk tolerance changes
    • the agency’s function changes significantly (e.g. machinery of government changes).

Approved by: Chief Executive, Department of the Premier and Cabinet
Date of first approval: 20 April 2020
Revision number: 2.0
Date of review: 26 October 2022
Next review date: December 2024
Contact: sapsf@sa.gov.au

Change log

1.0 | 20/04/2020 | First issue of policy
1.1 | 21/08/2020 | Definition of 'personal' added
2.0 | 26/10/2022 | Policy reviewed, no changes