The VPDSS (Victorian Protective Data Security Standards)

The VPDSS (Victorian Protective Data Security Standards) are 18 high-level data security requirements for Victorian public-sector organisations.

They provide a set of criteria for consistently applying security practices across Victorian government information. The criteria cover governance, information security, personnel security, ICT (information communications technology) security and physical security.

Each of the 18 standards is supported by 4 protocols to help organisations assess their security controls against new or evolving threats and vulnerabilities throughout the information lifecycle.

The standards form part of the VPDSF (Victorian Protective Data Security Framework), which is the scheme for managing data security risks in Victoria’s public sector.


What are the Victorian Protective Data Security Standards?

The 18 standards are:

Information governance

  1. Security management framework
    An organisation must establish, implement and maintain a security management framework proportionate to their size, resources and risk posture.
  2. Security risk management
    An organisation must utilise a risk management framework to manage security risks.
  3. Security policies and procedures
    An organisation must establish, implement and maintain security policies and procedures proportionate to their size, resources and risk posture.
  4. Information access
    An organisation must establish, implement and maintain an access management regime for access to public sector data.
  5. Security obligations
    An organisation must define, document, communicate and regularly review the security obligations of all persons with access to public sector data.
  6. Security training and awareness
    An organisation must ensure all persons with access to public sector data undertake security training and awareness.
  7. Security incident management
    An organisation must establish, implement and maintain a security incident management regime proportionate to their size, resources and risk posture.
  8. Business continuity management
    An organisation must establish, implement and maintain a business continuity management program that addresses the security of public sector data.
  9. Contracted service providers
    An organisation must ensure that contracted service providers with access to public sector data do not do an act or engage in a practice that contravenes the Victorian Protective Data Security Standards (VPDSS).
  10. Government services
    An organisation that receives a government service from another organisation must ensure that the service complies with the Victorian Protective Data Security Standards (VPDSS) in respect to public sector data that is collected, held, used, managed, disclosed or transferred.
  11. Security plans
    An organisation must establish, implement and maintain a protective data security plan to manage their security risks.
  12. Compliance
    An organisation must perform an annual assessment of their implementation of the Victorian Protective Data Security Standards (VPDSS) and report their level of compliance to the Commissioner for Privacy and Data Protection.

Information security

  1. Information value
    An organisation must conduct an information assessment considering the potential compromise to the confidentiality, integrity and availability of public sector data.
  2. Information management
    An organisation must establish, implement and maintain information security controls in their information management framework.
  3. Information sharing
    An organisation must ensure that security controls are applied when sharing public sector data.

Personnel security

  1. Personnel lifecycle
    An organisation must establish, implement and maintain personnel security controls in their personnel management regime.

ICT security

  1. ICT lifecycle
    An organisation must establish, implement and maintain Information Communications Technology (ICT) security controls in their ICT management regime.

Physical security

  1. Physical lifecycle
    An organisation must establish, implement and maintain physical security controls in their physical management regime.

Complying with the VPDSS

If your organisation needs help complying with the VPDSS and Victoria’s PDPA (Privacy and Data Protection Act), we can help.

The VPDSS states that organisations should align their security management frameworks with standards such as ISO 27001, and their access management regimes and information sharing practices with ISO 27001’s code of practice, ISO 27002.

IT Governance has more than 15 years’ experience helping hundreds of organisations worldwide implement ISO 27001, having led ISMS (information security management system) implementation projects since the Standard’s inception.

If you need more guidance or advice on implementing ISO 27001, please contact us.

