XML 289 R8.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our Cyber Resilience Process and Risk Management
Woodside’s approach to managing material risks from cybersecurity threats is integrated into our overall risk management processes.
Woodside’s cybersecurity resilience and risk management strategy and process are based on the National Institute of Standards and Technology Cybersecurity Framework.
Woodside’s Cyber Resilience Process consists of various Group-wide policies, procedures and guidelines concerning cybersecurity matters. These documents, published within the Woodside Management System (WMS), have these aims:
1. to design, build and maintain Woodside’s Information Technology (IT), Operational Technology (OT) and Industrial Internet of Things systems with the right cybersecurity controls to support confidentiality, integrity and availability.
2. to monitor and strengthen Woodside’s cybersecurity posture while preventing, detecting, analysing and responding to cybersecurity incidents.
3. to embed a cyber-safe culture across Woodside and foster industry collaboration.
4. to enable compliance with all applicable legislation.
The process involves five key activities: identify, protect, detect, respond and recover.
In addition to the Cyber Resilience Process, the Data, Information and Systems Management process documented within the WMS includes the Woodside Information Technology Systems – Conditions of Use Procedure. This procedure sets out Woodside’s mandatory conditions applicable to the use of Woodside’s IT, OT and digital systems.
Woodside manages cybersecurity risks utilising the same Woodside risk management process as described in Item 3.D Risk Factors.
Our Cyber Resilience Process assurance
Woodside’s cybersecurity team engages third-party vendors as part of our Cyber Resilience Process to perform a variety of technical assessments such as penetration testing. As part of these assessments, the third parties test our internal and external defences and help us with identifying weaknesses and vulnerabilities within our environment. These assessment findings are risk ranked and prioritised for remediation. Woodside internal audit team conducts audits on cybersecurity on a biennial basis. The internal audit function engages external expertise to conduct the audits. The most recent cybersecurity audit concluded in 2023.
Third-party Cybersecurity Risk Management
Woodside identifies and manages risks from cybersecurity threats associated with third parties accessing, storing and processing Woodside data. This is done through up-front cybersecurity assessment processes that leverage independently verified security programs including ISO 27001 certification and SOC 2 Type II compliance, and through contractual terms and conditions.
Woodside manages risk of third-party access to Woodside systems through on-boarding and induction processes for personnel including mandatory training. Third-party personnel accessing Woodside systems are subject to the same cyber security controls as Woodside staff. This includes the requirement to complete annual cybersecurity training and additional role based training if applicable. Higher risk scenarios such as direct network connectivity from third-party networks are not permitted.
Material impact from cybersecurity risks, threats or previous cybersecurity incidents
Cybersecurity threats have the potential to materially affect Woodside’s business strategy, results of operations and financial conditions. This risk is described in Item 3.D Risk Factors.
Woodside continuously monitors its digital information landscape and has various threat detection measures in place. Woodside is not aware of any cybersecurity incidents or threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial conditions.
Cybersecurity governance and internal controls
As part of its oversight of the Risk Management Policy, the Audit & Risk Committee oversees risks from cybersecurity threats. The Audit & Risk Committee aims to hold at least five regular meetings a year at which cybersecurity risks and the Group’s management of such risks are reviewed as part of those meetings.
The identification and direct management of cybersecurity risks and threats are performed by Woodside’s cybersecurity function, with subject matter expertise provided as part of our cyber resilience process.
The cybersecurity function is led by Woodside’s VP Digital and a group of competent and experienced cybersecurity professionals. Our VP Digital has over a decade of industry experience and has held multiple technology and business facing roles.
The Cyber Resilience Process includes the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks and incidents.
The Woodside Board and the Audit & Risk Committee are kept informed of any material cybersecurity risks and incidents through formal risk registers, briefing papers, internal audit reports, periodic reporting in person at Audit & Risk Committee meetings or as required through Woodside’s crisis and emergency management process.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Woodside’s approach to managing material risks from cybersecurity threats is integrated into our overall risk management processes.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Woodside continuously monitors its digital information landscape and has various threat detection measures in place. Woodside is not aware of any cybersecurity incidents or threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial conditions.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Woodside’s cybersecurity resilience and risk management strategy and process are based on the National Institute of Standards and Technology Cybersecurity Framework.
Woodside’s Cyber Resilience Process consists of various Group-wide policies, procedures and guidelines concerning cybersecurity matters. These documents, published within the Woodside Management System (WMS), have these aims:
1. to design, build and maintain Woodside’s Information Technology (IT), Operational Technology (OT) and Industrial Internet of Things systems with the right cybersecurity controls to support confidentiality, integrity and availability.
2. to monitor and strengthen Woodside’s cybersecurity posture while preventing, detecting, analysing and responding to cybersecurity incidents.
3. to embed a cyber-safe culture across Woodside and foster industry collaboration.
4. to enable compliance with all applicable legislation.
The process involves five key activities: identify, protect, detect, respond and recover.
In addition to the Cyber Resilience Process, the Data, Information and Systems Management process documented within the WMS includes the Woodside Information Technology Systems – Conditions of Use Procedure. This procedure sets out Woodside’s mandatory conditions applicable to the use of Woodside’s IT, OT and digital systems.
Woodside manages cybersecurity risks utilising the same Woodside risk management process as described in Item 3.D Risk Factors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] As part of its oversight of the Risk Management Policy, the Audit & Risk Committee oversees risks from cybersecurity threats. The Audit & Risk Committee aims to hold at least five regular meetings a year at which cybersecurity risks and the Group’s management of such risks are reviewed as part of those meetings.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Woodside Board and the Audit & Risk Committee are kept informed of any material cybersecurity risks and incidents through formal risk registers, briefing papers, internal audit reports, periodic reporting in person at Audit & Risk Committee meetings or as required through Woodside’s crisis and emergency management process.
Cybersecurity Risk Role of Management [Text Block] Woodside’s cybersecurity resilience and risk management strategy and process are based on the National Institute of Standards and Technology Cybersecurity Framework.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Woodside Board and the Audit & Risk Committee are kept informed of any material cybersecurity risks and incidents through formal risk registers, briefing papers, internal audit reports, periodic reporting in person at Audit & Risk Committee meetings or as required through Woodside’s crisis and emergency management process.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The identification and direct management of cybersecurity risks and threats are performed by Woodside’s cybersecurity function, with subject matter expertise provided as part of our cyber resilience process.
The cybersecurity function is led by Woodside’s VP Digital and a group of competent and experienced cybersecurity professionals. Our VP Digital has over a decade of industry experience and has held multiple technology and business facing roles.
The Cyber Resilience Process includes the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks and incidents.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Woodside Board and the Audit & Risk Committee are kept informed of any material cybersecurity risks and incidents through formal risk registers, briefing papers, internal audit reports, periodic reporting in person at Audit & Risk Committee meetings or as required through Woodside’s crisis and emergency management process.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true