Industry and sector security frameworks

Why does the sector you operate in change your security obligations?

Most Australian organisations already manage a set of cross-cutting security and resilience obligations, from privacy and work health and safety through to frameworks such as the Protective Security Policy Framework and the Security of Critical Infrastructure Act. Those apply broadly. A second layer applies only to particular sectors, because the consequences of a security failure in that sector are judged to warrant specific regulation. A breach at a port, an airport, a hospital or a controlled drugs facility carries risks that general obligations do not fully address, so dedicated legislation and standards sit over the top.

The practical effect is that an organisation in a regulated sector often has to satisfy two regimes at once. Agilient maintains two companion hubs for the cross-cutting side, security and compliance frameworks and resilience and business continuity. This hub covers the sector-specific layer that sits on top of them.

Which sectors does this hub cover?

Agilient works across six regulated sectors, each governed by its own framework. Dedicated pillar pages for each sector are being added to this hub.

How are maritime and aviation security regulated?

Maritime and aviation are the most prescriptively regulated sectors in scope. Both are administered by the Department of Home Affairs, with the maritime regime supported by the Cyber and Infrastructure Security Centre.

Maritime security operates under the Maritime Transport and Offshore Facilities Security Act 2003 and the Maritime Transport and Offshore Facilities Security Regulations 2003. Regulated participants must hold and comply with an approved maritime, ship or offshore facility security plan, and the regime sets out maritime security zones, the Maritime Security Identification Card and MARSEC security levels, aligned with the international ISPS Code.

Aviation security operates under the Aviation Transport Security Act 2004 and the Aviation Transport Security Regulations 2005. Aviation industry participants maintain transport security programs, security controlled airports separate secure and sterile areas, the Aviation Security Identification Card governs unescorted access, and people and goods are screened. Transport security reform has moved both sectors toward an all-hazards model: the Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 amended both Acts to introduce a risk-based, all-hazards approach aligned with the Security of Critical Infrastructure Act, and the Department of Home Affairs is developing amendments to the underlying regulations to give effect to it.

What governs security in healthcare, aged care and controlled drugs?

Healthcare facility security in Australia is guided by AS 4485 Security for healthcare facilities, revised in 2021 and published in two parts, AS 4485.1:2021 General requirements and AS 4485.2:2021 Procedures guide. The dominant operational risk is occupational violence and aggression, and the standard supports facility zoning, the protection of emergency departments and mental health units, and duress and access control.

Aged care security is framed by the Aged Care Quality and Safety Commission. The Aged Care Act 2024 and the strengthened Aged Care Quality Standards commenced on 01/11/2025, alongside changes to reportable incidents under the Serious Incident Response Scheme. Security here is part of resident and staff safety, covering occupational violence, wandering and elopement risk, visitor and contractor management and incident response.

Security for controlled and scheduled drugs is regulated by the Office of Drug Control and the Therapeutic Goods Administration, which together form the Health Products Regulation Group. For medicinal cannabis, security is a mandatory licence requirement under the Narcotic Drugs Act 1967, covering access control, intruder resistance, monitoring and response, and personnel security. For scheduled medicines, the Poisons Standard classifies drugs, and the states and territories set storage and handling rules for Schedule 8 controlled drugs in pharmacies, hospitals and manufacturing sites.

How is security handled in schools and education?

Security in schools, early learning and tertiary campuses is shaped by the National Principles for Child Safe Organisations and the state-based Child Safe Standards, combined with campus physical security. The central tension is balancing an open, welcoming campus against a secure one. Practical measures include crime prevention through environmental design, visitor and contractor management, and lockdown and emergency arrangements. The same approach applies across schools, childcare and early learning, and university campuses, scaled to the setting.

How do sector frameworks relate to the cross-cutting frameworks?

Sector security is applied risk management plus physical security, so every sector in this hub draws on the same foundations. Whatever the sector, the method is consistent: identify the assets and threats, assess the risk, and design proportionate controls. Agilient sets out that method on the security risk management pillar, and the built-environment controls that follow on the physical and facility security pillar.

Some sectors also intersect the cross-cutting regimes directly. Maritime and aviation are moving toward an all-hazards approach that mirrors the critical infrastructure model, so they connect closely to the security and compliance frameworks hub. Where continuity and recovery matter, the resilience and business continuity hub carries the relevant disciplines.

How does Agilient support organisations in regulated sectors?

Agilient is an independent, vendor neutral security and risk consultancy that works across all six sectors covered here. The starting point for most engagements is a security risk assessment, which establishes the threat and risk picture against the sector framework and points to the controls that matter most. From there, Agilient supports security planning and documentation, building and facility security design, security audits, and electronic security and CCTV, matched to the obligations of the sector.

Because the firm is not tied to any product or installer, advice is given on what the risk and the framework require, not on what there is to sell. Engagements are delivered for clients including major government organisations and Top 100 companies across Australia.