An audit has warned that not all the lessons of the 2016 Census failure have been learned.

The Australian Bureau of Statistics (ABS) has only imposed “partly appropriate” cyber security measures for the next Census, according to a review by the Australian National Audit Office (ANAO).

The review (accessible here in PDF form) found several gaps in the agency's cyber security planning. It comes after the 2016 Census was hampered by failures, due to the high amount of traffic on the Census website site.

“The ABS is partly effective in its development of IT systems for the 2021 Census,” the report says.

“Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers.

“The ABS has not put in place arrangements to ensure that improvements to its architectural framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.”

While the ANAO found that planning and governance is overall “largely appropriate”, the report notes a lack of any overarching plan.

“The high-level measures and controls in the ABS’ cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented,” the report says.

The ABS was also found not to be in compliance with Australia Cyber Security Centre’s essential eight cyber mitigation strategies, leaving it relying on an interim set of controls that “have not been introduced… in a systemic way”.

“There is a risk that the ABS’ essential eight uplift will not be implemented in time for the Census to provide sufficient coverage over the breadth of the ABS’ threat environment,” the report says.

The audit made seven recommendations, three of which relate to IT. All of the recommendations have been accepted by the ABS.