Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Compliance Mapping

Status: Accepted | Date: 2026-07-11 | Review: 2027-07-11

This mapping uses stable cyber security capability terms to show how Architecture Decision Records (ADRs) support WA Government cyber security outcomes. It intentionally avoids policy clause numbers, which can change between policy releases without changing the underlying security outcome.

Authoritative WA Sources

Read the current requirements and applicability from these sources:

The capability name is the durable link between policy intent and technical decisions. Agencies should record the exact policy release and applicable clauses in their compliance plan, assurance assessment, or risk system. This keeps shared ADRs stable while retaining point-in-time audit traceability.

How to Use This Mapping

  • Match obligations to the closest capability term, then apply all relevant ADRs and current WA guidance.
  • Strong means the ADR contains substantial, testable technical requirements for the capability. Partial means material requirements remain outside the ADR. Gap means no current ADR provides a reusable technical baseline. Organisational means the outcome belongs primarily in an agency policy, process, contract, or risk record.
  • A Proposed ADR is not accepted guidance.
  • Implementing agencies must retain the evidence named in each ADR and evidence for requirements that sit outside this repository.
  • Where a primary protection cannot be implemented, record compensating protections, residual risk, accountable executive approval, expiry date, and reassessment date in the agency risk system.

Core Protection Capabilities

CapabilitySupporting ADRsCoverageExisting support and remaining gap
Application patchingADR 004: CI/CD, ADR 009: Release StandardsPartialProvides build scanning, artifact inventory, release gates, and hotfix evidence. Estate-wide application discovery, scan cadence, remediation timeframes, and unsupported-application removal remain agency obligations.
Operating system patchingADR 010: Infrastructure as Code, ADR 004: CI/CDPartialProvides supported-version gates, secure configuration deployment, and drift evidence for managed infrastructure. Device and server inventory, scan cadence, patch deployment, and end-of-support transition are not fully covered.
Multi-factor authenticationADR 013: Identity Federation, ADR 012: Privileged Remote AccessPartialRequires risk-based MFA, phishing-resistant target methods, legacy-authentication removal, and strong privileged MFA. Full agency service coverage and identity lifecycle governance remain outside these ADRs.
Privileged access managementADR 012: Privileged Remote Access, ADR 013: Identity FederationStrongRequires dedicated identities, secure administration, just-in-time approval, expiry, quarterly review, break-glass access, session recording, and evidence. Agencies still own personnel authorisation and residual-risk approval.
Application controlNoneGapCurrent CI/CD controls released artifacts but does not control execution across managed endpoints.
Office macro securityNoneGapNo current ADR defines managed macro protections.
User application hardeningADR 016: Edge ProtectionGapBrowser-facing service headers support defence in depth, but no ADR defines managed browser, Office, PDF, or endpoint application configuration.
Backup and recoveryADR 014: Independent Backups and RecoveryStrongDefines independent, immutable, encrypted, monitored, and tested recovery for critical service data and configuration. Agency continuity governance and platform-specific implementation remain separate obligations.
Server and workload hardeningADR 010: Infrastructure as Code, ADR 016: Edge Protection, ADR 004: CI/CDPartialProvides baseline-as-code, supported versions, drift checks, artifact assurance, origin protection, and WAF protections. Detailed operating system, database, domain-controller, and platform-specific hardening remains outside the ADRs.
Email authenticity and anti-spoofingADR 008: Email AuthenticationStrongRequires domain inventory, SPF, DKIM, DMARC reject progression, parked-domain protections, inbound evaluation, monitoring, testing, and evidence.
Secure network architectureADR 001: Application Isolation, ADR 006: Automated Policy Enforcement, ADR 016: Edge Protection, ADR 021: Workload mTLS and Service AuthorisationPartialRequires trust boundaries, default-deny segmentation, approved flows, origin protection, logging, controlled egress, protective DNS, and proposed identity-based mTLS for Kubernetes east-west traffic. ADRs 006 and 021 remain proposed; enterprise and legacy network implementation remains agency-specific.
Continuous detection and responseADR 007: Centralised Security LoggingStrongRequires broad log collection, time synchronisation, tamper protection, collection health, continuous analysis, triage, testing, and WA SOC integration. Agency incident plans, staffing, and exercises remain separate obligations.
Risk-selected protectionsAll applicable ADRsRisk-dependentUse the agency cyber security context and risk assessment to select additional protections. The ADR catalogue does not replace that assessment or executive acceptance of residual risk.

Enterprise and Specialised Protection Capabilities

CapabilitySupporting ADRsCoverageExisting support and remaining gap
Cyber security awareness and role-based trainingNoneOrganisationalAwareness and role-specific training belong in workforce policy, learning records, and capability plans rather than an ADR.
Enterprise mobility and secure remote workADR 013: Identity Federation, ADR 012: Privileged Remote AccessGapAuthentication and secure administration support remote access, but no current ADR defines mobile device management, BYO device isolation, compliance, remote wipe, or travel profiles.
Procurement and supply chain securityADR 004: CI/CD, ADR 011: AI Tool and Agent GovernanceOrganisational, PartialSBOM, provenance, dependency verification, and AI supplier assessment support technical due diligence. Supplier assessment, foreign influence, insurance, contractual obligations, and subcontractor governance remain procurement responsibilities.
Data offshoring and processing locationADR 011: AI Tool and Agent Governance, ADR 006: Automated Policy EnforcementPartialAI processing-location assessment and proposed geographic guardrails support the capability. Classification, Tier 1 decisions, formal offshoring assessment, approval, and whole-of-service supplier review remain agency obligations.
Secure data removal and device disposalNoneOrganisational, GapSanitisation standards, custody, destruction, verification, and disposal records require an agency asset and media procedure.
Vulnerability managementADR 004: CI/CD, ADR 009: Release Standards, ADR 010: Infrastructure as CodePartialProvides artifact scans, continuous rescanning, supported-version protections, release evidence, and exception links. Estate inventory, scanning operations, prioritisation, remediation governance, and executive risk acceptance remain outside the ADRs.
Identity and access managementADR 013: Identity Federation, ADR 012: Privileged Remote Access, ADR 005: Secrets ManagementPartialCovers federation, authentication, privileged access, application secrets, audit, and evidence. Joiner/mover/leaver automation, customer and service-account lifecycle, password filtering, and agency-wide entitlement reviews remain gaps.
Physical security of technology assetsNoneOrganisationalFacilities access, surveillance, environmental protection, inherited cloud protections, and physical testing are outside this ADR catalogue.
Personnel security and access lifecycleADR 012: Privileged Remote AccessOrganisational, PartialTechnical access approval, review, and expiry support personnel security. Vetting, contractor management, employment obligations, and separation processes remain agency responsibilities.
Encryption and secrets protectionADR 005: Secrets Management, ADR 014: Independent Backups and Recovery, ADR 016: Edge Protection, ADR 021: Workload mTLS and Service AuthorisationPartialCovers secret encryption, encrypted backups, transport protection at web edges, and proposed Kubernetes workload mTLS. No current ADR provides an agency-wide cryptographic algorithm, key, certificate, or data-at-rest standard.
Cryptographic agility and post-quantum transitionNoneGapADR 005 explicitly excludes an agency cryptographic inventory and post-quantum transition standard.
Secure software developmentADR 004: CI/CD, ADR 009: Release Standards, ADR 010: Infrastructure as Code, ADR 003: APIsPartialProvides environment and role separation, automated tests and scans, immutable promotion, provenance, secure configuration, and release evidence. Threat modelling, non-production data protection, and broader secure development governance remain agency obligations.
Artificial intelligence securityADR 011: AI Tool and Agent GovernanceStrongRequires classification, public-AI restrictions, supplier and offshoring assessment, least privilege, isolation, logging, retention consideration, human oversight, and exception evidence. Enterprise AI still requires project-specific privacy, procurement, and risk assessment.
Operational technology and industrial control systemsADR 001: Application Isolation, ADR 007: Centralised Security LoggingGapGeneric segmentation and logging principles apply, but no current ADR addresses operational technology safety, inventory, remote access, firmware, patch constraints, or IT-OT monitoring.
Internet of Things securityADR 001: Application Isolation, ADR 006: Automated Policy EnforcementGapGeneric isolation and proposed network policy support defence in depth, but procurement, lifecycle, identity, firmware, and device-management requirements are not covered.
Cyber risk financing and insuranceNoneOrganisationalInsurance and self-insurance are financial risk decisions, not reusable architecture decisions.
Whole-of-government cyber direction and threat adviceADR 006: Automated Policy Enforcement, ADR 007: Centralised Security LoggingOrganisational, PartialProposed automated guardrails and WA SOC integration can implement technical directions. Governance, action tracking, and formal exemption requests remain agency responsibilities.

Evidence Summary

Implementing teams should assemble evidence by service rather than relying on this mapping alone:

  • Asset, identity, domain, supplier, data-flow, log-source, backup, secret, and released-artifact inventories
  • Version-controlled configurations and policy exports
  • Scan, test, restore, detection, access-review, and incident records
  • Remediation plans and dated exception records
  • Executive approvals for residual risk where primary protections are absent

Other Framework Associations

The ADRs also reference Australian Cyber Security Centre (ACSC) guidance, the WA Government AI Policy and Assurance Framework, privacy obligations, and the Digital ID Act 2024. These references provide design context. Detailed compliance claims should only be added where an ADR contains a matching normative requirement and named implementation evidence.

FrameworkSupporting ADRsScope and limitation
ACSC Information Security ManualADR 001: Isolation, ADR 004: CI/CD, ADR 005: Secrets Management, ADR 007: Logging, ADR 008: Email Authentication, ADR 010: Infrastructure as Code, ADR 012: Privileged Remote Access, ADR 013: Identity Federation, ADR 016: Edge ProtectionThese ADRs implement selected networking, software development, secrets, monitoring, email, hardening, privileged access, authentication, and gateway practices. They do not implement the complete ISM or prove conformance with individual ISM requirements.
WA Government AI Policy and Assurance FrameworkADR 011: AI Tool and Agent Governance, ADR 015: Data Pipeline Contracts, Quality and LineageSupports technical AI approval, data handling, human oversight, logging, schema, lineage, and quality protections. Accountable Officer nomination, assurance assessment, and referral remain organisational obligations.
Privacy and Responsible Information SharingADR 007: Logging, ADR 011: AI Tool and Agent Governance, ADR 015: Data Pipeline Contracts, Quality and LineageSupports minimisation of logged and AI-disclosed personal information plus data-quality evidence. Privacy assessment, authority, consent, retention, and information-sharing governance remain outside these ADRs.
Digital ID Act 2024ADR 013: Identity FederationSupports secure OIDC federation and authentication evidence. It does not itself implement voluntary participation, identifier, biometric, accreditation, or privacy safeguards.

National Guidance