1. Information security risk management
All school staff must take reasonable steps to ensure that any school information they create, handle or have responsibility for is securely stored and protected from loss, unauthorised access, modification, inaccessibility, disclosure or destruction. This includes when information is being transmitted, transported, migrated or converted.
Schools must consider information security risks as part of standard risk management practices. While security incidents cannot be eliminated, risks can be significantly reduced through informed decision making and effective operating controls.
When assessing information security risks, schools must:
- consider the type and sensitivity of school information and the consequences of a breach for school assets and the school operating environment
- consider all locations where information is stored (for example, systems, media, facilities)
- document information security risks and treatments in the pre-populated Information security school risk register template (available soon) in accordance with the risk management processes found in the Risk Management – Schools policy.
In addition, schools must include the results of the school risk register in the school’s emergency and critical incident response plan following the Emergency and Critical Incident Management Planning policy.
Reviewed 28 January 2025