The Census is Australia’s largest data collection exercise and has followed a digital-first approach since 2016, with a majority of responses submitted online. As custodians of highly sensitive citizen-related data, Australian Government entities are expected to operate as cyber exemplars in delivering essential public services. The objective of this audit was to assess the readiness of the Australian Bureau of Statistics’ (ABSs') cyber security arrangements for the 2026 Census. 

There were four recommendations to the ABS regarding: Census risk management arrangements; early establishment of cyber security advisory arrangements; preparation, approval and review of security architecture documentation; and addressing risks stemming from the broader ABS ICT environment. The ABS agreed to the recommendations.

Key findings

• To be ready for the 2026 Census, the ABS must address key remaining cyber security vulnerabilities by ensuring critical activities will be completed in time.
• There was insufficient consideration to holistic planning for cyber security across the entirety of the ABS ICT environment, which resulted in the delayed identification of cyber security vulnerabilities.
• The ABS monitored 2026 Census cyber security risks but there were shortcomings in completeness and timeliness of risk reviews.
• The Census cyber security assurance program is on schedule, with detection and incident management testing focused on attack vectors identified through threat modelling.
• There were approximately 1 billion attempted cyber attacks repelled during the 2021 Census reported by the ABS.