
Verify Your PSPF Compliance: Independent Audit and Assurance

The PSPF is the Australian Government's framework for securing its people, information, and assets. Our PSPF Audit provides the independent verification that government partners and senior leadership need to confirm that your protective security framework meets the PSPF's mandatory requirements and is operating effectively, not merely documented.

Why an Independent PSPF Audit is a GRC Essential 

The PSPF is mandatory for non-corporate Commonwealth entities and is a critical assurance standard for contractors that handle government information or assets. An independent audit validates that the framework's policies are implemented and enforced in practice, rather than relying on self-assessment alone.

Executive Governance 

Accountability: Provides the definitive, auditable evidence that senior leaders are fulfilling their responsibilities for managing security risks under the PSPF's policies. 

Contractual Assurance 

Partner Trust: Demonstrates to government agencies that your organisation's security posture extends beyond technical IT and covers personnel, physical, and governance security.

Risk Measurement 

Holistic View: Assesses the effectiveness of policies across all four PSPF pillars (Governance, Personnel, Physical, and Information Security), identifying blind spots technical audits miss. 

Continuous Improvement 

Strategic Roadmap: The audit findings serve as the authoritative baseline for your PSPF maturity improvement plan. 

Our PSPF Audit Process

Our methodology is structured around the four pillars of the PSPF, so that both the governance (non-technical) and the technical controls of your protective security framework are reviewed.
  • Phase 1: Planning and Policy Review 

    Scope Definition: Confirm the scope of the audit, including the specific PSPF policies being assessed (e.g., Mandatory Requirements for Governance or Personnel Vetting). 
    Policy Verification: Review all documented PSPF policies, procedures, and controls to ensure they are formally approved, current, and mapped to the PSPF's mandatory requirements. 
  • Phase 2: Evidence Collection & Verification  

    Personnel Security: Audit processes for security vetting, continuous monitoring, and security clearances.
    Physical Security: Review controls for securing facilities, assets, and entry points. 
    Information Security: Assess the implementation of controls (aligned with the ISM) for classifying, handling, and storing sensitive and classified information. 
    Effectiveness Testing: Interview staff and management across departments (HR, IT, Legal, Executive) and sample records to verify that policies are operational, understood, and consistently enforced across the organisation.
  • Phase 3: Formal Reporting and Sign-Off 

    Audit Findings Report: A formal report detailing compliance status against each audited PSPF policy, identifying gaps in documentation, implementation, or enforcement. 
    Executive Summary: A high-level briefing for senior management that translates audit findings into strategic business risk. 
    Remediation Recommendations: Delivery of prioritized, practical recommendations for achieving full PSPF compliance. 

Key Audit Scope: The PSPF Pillars 

Our audit provides assurance across the four mandatory pillars of the Protective Security Policy Framework: 

Governance 

Security Management Structures and Accountable Authority Responsibilities, Security Risk Management, Security Planning, Annual PSPF Maturity Reporting.

Personnel 

Security Vetting Procedures, Ongoing Suitability of Personnel, Separation of Duties, Staff Security Awareness Training. 

Information 

Data Classification, Information Handling Procedures, Storage and Destruction Protocols (aligned with ISM controls). 

Physical 

Physical Security Plans, Access Control Procedures, Intrusion Detection Systems, Asset Protection. 

FAQs

What is the PSPF? 

The Protective Security Policy Framework (PSPF) is a mandatory security framework for Australian Government entities. It sets out the government's requirements for how these entities should protect their people, information, and assets. It establishes security expectations across four key pillars: Governance, Personnel, Physical, and Information Security. 

What are the Key Components of a PSPF Assessment? 

The assessment is structured around the four mandatory PSPF pillars, with the Information Security pillar heavily relying on the ISM (Information Security Manual). 
Governance: Review of security management structures, risk management, and planning. 
Personnel Security: Assessment of security vetting, clearances, and ongoing suitability. 
Physical Security: Audit of controls for securing facilities, assets, and restricted access areas. 
Information Security: Verification of policies and controls for classifying, handling, storing, and communicating government data (this component checks compliance with the ISM). 

Who is required to comply with the PSPF? 

The PSPF is mandatory for all non-corporate Commonwealth entities (government agencies) and is a critical requirement for many contractors and supply chain partners who handle government information or assets. 

What is the difference between PSPF and ISM? 

The PSPF is a policy framework that covers all aspects of protective security: governance, personnel, physical, and information. The ISM (Information Security Manual), published by the Australian Cyber Security Centre, is the technical manual that specifies the cyber security controls an entity applies to meet the PSPF's Information Security policy requirements.

Is this a technical audit or a governance audit? 

Our PSPF Audit is holistic. It covers the non-technical policies (Governance, Personnel, Physical) and verifies that the technical security policies (Information Security, using the ISM as a baseline) are documented and operational.

How long does a PSPF audit typically take? 

The duration is highly dependent on the scope and complexity of the organisation, but typically ranges from 4 to 8 weeks, including evidence gathering, staff interviews, and final report delivery. 

What is the most common PSPF audit finding? 

The most common findings relate to Governance and Personnel Security, specifically the lack of formally approved, current policies and the failure to demonstrate ongoing suitability (continuous monitoring) of personnel with high-level access. 

Gain independent assurance that your entire security governance framework meets the demands of the Australian Government. 

Schedule Your PSPF Compliance Audit

Phone: +61 2 9123 4567
Email: info@cyberassured.com.au
