ISMS and ISO 27000

The ISO 27000 suite of standards is integral to the implementation of Information security policy (IS18:2018).

Of primary importance to agencies, ISO 27001 provides the requirements for establishing, implementing, maintaining and continually improving an Information security management system (ISMS), and ISO 27002 provides additional guidance around the selection, implementation and management of the controls that should be taken into consideration when implementing an ISMS as defined by ISO 27001. See the ISO 27000 tab below for more information on how to access the standards.

CSU is also developing a whole-of-government panel arrangement for the deliver of ISMS services. More information is available from the Cyber Security Panels page.

ISMS implementation training workshops were held in October and November 2017. The workshops were available to Queensland Government departments and were funded by the Cyber Security Unit to share knowledge about ISMS’s.

The above course material has been made freely available to Queensland Government to deliver future training.  These documents may assist in the management of an ISMS.

An ISMS Journey workshop was also held on 8 August 2018. The full afternoon session and all individual presentations are available for viewing: Viewers will be required to enter name and email address to access.

The slides are also available below:

ISMS committees will face many challenges. Below are a few areas committees should consider:

Which threat actors are we concerned about?
  • Why would they target us?
  • What are the consequences?
What are our most valuable information assets?
  • What threats do we face?
  • Are those threats changing? Are they increasing or decreasing?
  • Which are our greatest threats?
  • Which areas of the business carry the greatest risk?
What are the consequences of cyber security incident to that information and/or business function?
  • What systems hold this data and where is it located?
  • How well are these systems protected?
  • Who is responsible for protecting them?
  • When were the protections last reviewed/tested?
How do we know the protection is up to date?
  • What vulnerabilities currently exist in the system?
  • How long have they existed?
  • How long will it take to fix them?
  • Are we reducing or accumulating risks?
  • How is this systems vulnerability posture compared to other systems?
When was the last penetration test of this system?
  • What were the findings?
  • Have those findings been addressed?
  • Who has admin access?
  • Is admin access audited/logged/reviewed?
  • Could we detect misuse of or attacks against the system?
Do we have a plan to respond to deal with a cyber incident in that system?
  • Do we have an incident response plan?
  • Do we have an assurance plan?
Have we implemented the ASD Essential 8 in all areas of the organisation?
  • What risks are we accepting (explicitly/implicitly)?
  • Who is authorised to accept these risks?
  • What is the highest priority investment currently required for cyber security in the organisation?
  • Do we have visibility of security events in our systems?
  • Which areas of the business have the least visibility/control?
Cyber Security Awareness
  • What behaviours of our staff (or clients) increase our risk?
  • What can be done to reduce these behaviours?
  • Is security awareness improving in our staff?
  • How do we compare to similar organisations?
  • How susceptible are we to phishing?
  • How susceptible are we to social engineering?
  • How susceptible are we to physical compromise (tailgating, unescorted visitors, break-in)?
Third party risks
  • Which vendors are depending on to maintain security?
  • Do we have contractual requirements for them to report security incidents to us?
  • Do we get a regular security status report from them?
  • How do we know they are managing our security effectively?
  • Are there business arrangements and partnerships that handle sensitive data about our business?
Non-IT systems
  • Do we understand the interconnectedness of IT and non-IT systems in our organisation?
  • What Operational Technology (non-IT) do we have? (SCADA, CCTV, building management, process control and other IOT)
  • Have we considered cyber risk to OT?
  • How do executives get a picture of OT risk?
  • How is remote access controlled to these OT systems?

The ISMS Community of Practice (CoP) seeks to raise awareness of information security in member agencies and to develop and share information, methods and tools to enable them to operate a standards based Information Security Management System.

The CoP generally meets bi-monthly, and collaborates through a MS Teams site which provides an opportunity to create and share a knowledge base for QG ISMS implementation and management matters including checklists, hints and templates. It also provides an opportunity to meet other practitioners across the government.

A particular interest of the CoP is the implementation of IS18 and the preparation of the annual IS18 return.

Membership of this CoP is voluntary and is open to all QG and Local Government staff who have interest in implementation, operation and maturing of their ISMS. Please contact CSU at to arrange membership to the CoP.

SAI Global are the official distributor of ISO standards in Australia. The full suite of ISO 27000 standards available is shown below. These standards can be purchased from the SAI Global Infostore either individually or through a subscription service, which some agencies may have in place.

  • ISO 27001 – Information security management systems requirements
  • ISO 27002 – Code of practice for information security controls
  • ISO 27003 – Information security management system implementation guidance
  • ISO 27004 – Measurement
  • ISO 27005 – Information security risk management
  • ISO 27010 – Information security management for inter-sector and inter-organisational communications
  • ISO 27031 – Guidelines for information and communication technology readiness for business continuity
  • ISO 27035 – information security incident management

This ISO 27001 external site provides some background and overview of each of the ISO 27000 Standards and a range of other ISO 27000 documents including technical references and technical standards which may be of some use or interest to agencies, though the actually standards should be purchased through SAI Global.

CSU has made arrangements to facilitate ISMS training including courses covering ISMS implementation and auditing including ISMS Implementer, ISMS Auditor and ISMS Lead Auditor courses.

Information about the available training including associated fees and application forms is available from the ISMS Community of Practice (CoP) MS Teams site for registered CoP members.

Last Reviewed: 04 June 2021