Our intentions: Cyber security governance in public organisations

4 April 2024: We are looking at whether cyber security risks are governed effectively in selected public organisations.

Effective cyber security is essential to protect the public sector’s critical information assets and systems. Security failures can also undermine public trust and confidence in the public sector.

Governing cyber security risks is becoming increasingly complex and challenging as technologies evolve.

We will examine how well a sample of public organisations govern their cyber security risk preparedness and response. This includes known and emerging risks from legacy systems and new technology, including generative artificial intelligence, cloud storage, and “as a service” activities.

What we are focusing on

We will focus on whether there is effective governance of cyber security risks in the selected public organisations. We have chosen these organisations to represent a range of organisational types, functions, sizes, and locations.

We will examine how well the governors of these organisations:

  • ensure that their organisation identifies and understands its cyber security risks and the vulnerabilities of its information and/or its services; and
  • enable, review, and monitor cyber security risk management within their organisation.

The difference we expect to make

We aim to provide assurance to Parliament and the public about how well cyber security risk is being governed in public organisations.

We anticipate that our work will influence improved governance of cyber security risk management in the public sector by identifying effective practices.

This audit will result in a report to Parliament, which we will also publish on our website. We expect to complete this work in late 2024.

Please use the feedback form on the right if you would like to speak to a staff member about this performance audit, make a suggestion, or ask a question.