What are the cyber security policies?

The Queensland Government’s approach to managing the security of its information systems is guided by a suite of policies, frameworks, standards and guidelines published under the QGEA. These documents outline information security best practices and also mandate requirements for certain Queensland Government entities.

Currently there is a single policy covering Information / Cyber Security - IS18.

Information security policy (IS18:2018)

The Information security policy (IS18:2018) is the overarching information security policy for the Queensland Government. It sets out five policy requirements which together aim to ensure that Queensland Government entities are applying a consistent, risk-based approach to maintaining the confidentiality, integrity and availability of information for which they are responsible.

Under the remade Financial and Performance Management Standard 2019, all Queensland Government departments and some government bodies (e.g. statutory bodies) must apply the QGEA, including IS18:2018. If your organisation is unsure of its responsibilities under IS18:2018, please refer to Applicability of the QGEA and QGEA and government bodies under the FPMS.


IS18:2018 has specific reporting requirements. For each financial year ending 30 June:

  • Departments must submit to the Queensland Government Customer and Digital Group an Information security annual return that has been endorsed by the department's accountable officer.
  • Departmental accountable officers must submit a letter of attestation to the Queensland Government Chief Customer and Digital Officer.

CSU has developed an FAQ to assist agencies in completing their information security annual return.

The reporting period for the information security annual return is from 1 July to 30 June.
The return must be submitted by 30 September.
The return should be sent to cybersecurityunit@qld.gov.au.

If your agency is unable to make the deadline, please refer to the QGEA exceptions process.

IS18:2018 also requires agencies to communicate incident response activities and threat intelligence in accordance with the Information security incident reporting standard.

Standards and frameworks under the Information security policy (IS18:2018)

Last Reviewed: 07 May 2021