The Protective Security Policy Framework (PSPF) is the Australian Government's policy framework for protective security. It is owned by the Attorney-General's Department and is mandatory for non-corporate Commonwealth entities under the Public Governance, Performance and Accountability Act 2013 (federal departments, agencies and certain statutory bodies); corporate Commonwealth entities and Commonwealth companies are encouraged, but not required, to apply it.
The PSPF covers four security domains: governance security, personnel security, physical security, and information security. Each domain contains a small number of mandatory core requirements, each backed by supporting requirements. The information-security domain is where the PSPF mandates cyber controls: entities must implement the Essential Eight to at least Maturity Level Two (and higher where their risk assessment warrants it), and must secure their ICT systems across the whole lifecycle in line with the Information Security Manual (ISM).
For private-sector firms, the PSPF matters in two ways. First, as context for government tendering work: Commonwealth contracts typically flow PSPF and ISM obligations through to suppliers that handle or store government information, so a bidder should expect to evidence Essential Eight maturity and ISM-aligned controls rather than just attest to them. Second, as a policy template that mid-market boards sometimes adapt for their own protective-security policy, since its governance, personnel, physical and information domains map cleanly onto most organisations.