What are the information security policies?

The Queensland Government’s approach to managing the security of its information systems is guided by a suite of policies, frameworks, standards and guidelines published under the Queensland Government Enterprise Architecture (QGEA). These documents outline information security best practices and also mandate requirements for certain Queensland Government (QG) entities.

Information security policy (IS18:2018)

The Information security policy (IS18:2018) is the overarching information security policy for the Queensland Government, approved by the Queensland Government Chief Information Officer on 13 December 2017. It sets out five policy requirements which together aim to ensure that QG entities are applying a consistent, risk-based approach to maintaining the confidentiality, integrity and availability of the information for which they are responsible.

Under the FPMS (2019), all Queensland Government departments and some government bodies (e.g. statutory bodies) must apply the QGEA, including IS18:2018.

The Cyber Security Unit (CSU) maintains a list of entities that have been directed by a Director-General to comply with IS18:2018.

If your organisation is unsure of its responsibilities under IS18:2018, please refer to Applicability of the QGEA and QGEA and government bodies under the FPMS.


IS18:2018 has specific reporting requirements. From 2020, for each financial year ending 30 June:

  • Departments must submit an Information security annual return that has been endorsed by the department's accountable officer to the Queensland Government Customer and Digital Group.
  • Departmental accountable officers must submit a letter of attestation to the Queensland Government Chief Customer and Digital Officer

The reporting period for the information security annual return is from 1 July to 30 June.
The return must be submitted by 30 September.
The return should be sent to cybersecurity@qld.gov.au.

If your agency is unable to make the deadline, please refer to the QGEA exceptions process.

IS18:2018 also requires that agencies communicate incident response activities and threat intelligence as per the Information security incident reporting standard.

Policy and standards under the information security policy

The information security policy also refers to a number of other policies which place mandatory security requirements on agencies

Information security guidelines

The Queensland Government produces many guidelines to assist agencies meet the requirements of the Information Security Policy.

Please go to - How should I secure my information?

Last Reviewed: 03 August 2017