Information security annual return FAQ

This FAQ has been developed by the QGCIO Cyber Security Unit to provide clarity on the new information security annual return.

These common questions or concerns were distilled from consultation with stakeholders.

If any response in this document is unclear or you would like any clarification, please contact the

Cover and reporting requirements

What are the differences between the red and green tabs in the Annual return?

The green tabs are used to assess agencies against the requirements of the current Information security policy (IS18:2018). Specifically, an agency's:

  • current state of their ISMS adoption
  • Essential 8 control domains
  • compliance with the minimum security requirements of IS18:2018

The red tabs are used as a measure of existing controls from the previous IS18:2009 mandatory clauses. The red tabs only need to be completed if an agency cannot provide the mandatory reporting documentation for ISMS adoption.

Does an agency need to provide the red and green tabs?

No. All agencies subject to the reporting requirements of IS18:2018 must complete the green tabs in the annual return.

If an agency cannot provide the required ISMS adoption evidence, they must provide the green and red tabs.

This is to ensure that we have a consistent measure for all organisations.

Why have the red tabs been included?

Different agencies exhibit different levels of maturity for their ISMS adoption. Some agencies may not meet the minimum mandatory reporting requirements. Where this occurs, the QGCIO requires some level of assurance that Queensland Government agencies are sufficiently protecting Queensland Government and Queensland citizen information.

What does QGCIO do with the collected information and evidence?

The Cyber Security Unit provides agencies with an annual report that outlines departmental, as well as whole-of-government, cyber security maturity progression. This report includes an agency-by-agency view as well as a whole-of-government comparison view. This report is also delivered to various other QG forums and steering committees, and is shared with interstate counterparts.

Obtaining a whole-of-government perspective also provides the Cyber Security Unit with a unique perspective and the opportunity to focus investment to assist in providing specific services and capability uplift where government cyber security maturity appears to be lower.

ISMS tab

What is the purpose of the Information security annual return?

The intent of the Information security annual return is to measure agencies' progression towards implementation of thorough cyber security governance arrangements and implementation of the Essential Eight security controls.

How did the Cyber Security Unit decide which ISMS evidence pieces were included?

Decisions on which evidence or reporting requirements to include were made through collaboration and consultation with reporting stakeholders, and through a process identifying what ISO27001 audits require as a bare minimum when assessing an ISMS.

What do the terms “Mandatory”, “Recommended”, and “Optional” mean in the context of the ISMS reporting requirements?

Definitions for each of these terms have been included on the reference tab of the annual return.

Mandatory ISMS evidence is the minimum requirement that determines whether agencies need to complete the red tabs.

We strongly encourage agencies to confer with the Cyber Security Unit well before the return date if they consider that they may be required to fill in the red tabs.

Will the Cyber Security Unit be validating/vetting the quality or completeness of the provided evidence?

The only absolute requirement is that the agency accountable officer (DG/CEO or equivalent) has signed off on the return and attestation.

The Cyber Security Unit will not decline a submission based on our interpretation of the quality of provided ISMS evidence. The primary purpose of the return is to confirm that agencies have in place governance and processes to surface information security risks to the accountable officer.

If the leader of the agency is comfortable with the quality of the return, the assurances provided and the information security risks that are commensurately accepted by his/her organisation, we will accept the submission. The responsibility rests with the accountable officer for assurance of their individual submission.

The Cyber Security Unit may request clarification or further details from an agency if a return includes claims or artefacts which are significantly outside the mean or are lacking in detail or substantiation.

It appears that requirements 3.4 and 3.5 are the same. Why are they included twice?

Requirement 3.4 is a mandatory piece of evidence that refers to a sample of the agency's risk register.

Requirement 3.5 is a recommended piece of evidence and refers to the complete agency risk register. If 3.5 is provided, agencies would meet the mandatory requirement of 3.4.

Agencies are reminded that they should also cleanse the return of any SENSITIVE information from their risk register when providing their return to the Cyber Security Unit.

Can the ISMS tabs reporting requirements be relabelled to align with Clauses 4 – 10 of ISO27001?

No, the requirements the Cyber Security Unit is collecting do not align directly to the ISO27001 clauses.

Discussion topics for agency ISMS executives

  • What is the level of confidence in the current governance processes?
  • Are your ISMS committees meeting?
  • Are you on track to provide the completed IS18 return on 30 October to QGCIO?
    We are looking to reflect the consolidated report to agencies as quickly as possible, and this can only occur if we have your results.
  • How will the IS18 return for 2019 be signed off by your Accountable Officer?
  • How are you involving your agency’s audit and risk functions?
  • What is the scope of your Information Security Management System (ISMS)?
  • If the scope of the ISMS is not the ‘whole agency’, what are your plans for giving the DG assurance about the security of the information in the gap?
  • What are your plans for the next year and the report due at the end of September 2020?

Essential 8 tab

Do the Essential 8 requirements apply to all assets or all assets in the scope of the agency ISMS?

The Essential 8 requirements apply to all agency information assets.

When agencies are assessing their Essential 8 control domains, are agencies assessing their external service providers (e.g. SaaS, IaaS, and PaaS) or just workstations and servers which the agency manages and has full control over in-house?

Essential 8 control domains refer to information assets the agency owns or has control over. Where services and information are managed by external service providers (e.g. SaaS, IaaS, and PaaS) agencies need to ensure provisions for the Essential 8 controls are included in contracts and/or risk assessed by agencies.

Will the Cyber Security Unit be policing the quality or completeness of the provided evidence?

The only absolute requirement is that the agency accountable officer (DG/CEO or equivalent) has signed off on the return and attestation.

Where agencies have declared themselves to be covered by mitigating control sets, there may be a need to validate this assertion. However, this will be addressed on a case-by-case basis once the return has been received.

This may involve reviewing the surrounding evidence and risk management processes used by the agency. This is to ensure the reports provided back by the Cyber Security Unit to agencies are an accurate representation of the maturity across government.

However, the Cyber Security Unit will not decline any submission from an agency that has been approved by the agency accountable officer.

Policy requirement tab

Why does the Annual return refer to the requirements of the Network Transmission Security Assurance Framework (NTSAF) rather than the Data encryption standard?

The NTSAF has been replaced by the Data encryption standard as at June 2019. The current annual return reporting covers the 2018–2019 reporting year ending 30 June, and agencies will still have been operating under the NTSAF.

What do the different status ratings on the Policy requirement tab mean?

The definitions for the policy status rating are included on the reference tab.

Do agencies need to provide evidence of compliance with NTSAF, QGAF and QGISCF to the Cyber Security Unit?

No, example evidence is for agencies to determine their compliance rating and to provide assurance to their agency accountable officer prior to sign-off.


Do agencies need to use the example attestation developed by the Cyber Security Unit?

No. The example attestation distributed to agencies does not need to be used. Agency attestations should be relevant to the business and meet the intent of an assertion that the accountable officer is aware of the level of security controls and governance in place and that this is appropriate for the information they are responsible for.

Does the attestation need to state complete alignment to the ISO27001 standard?

No. Most agencies do not have complete alignment to the ISO27001 standard or a fully functional ISMS that covers the full scope of the agency.

Agency accountable officers should only attest to the extent that they are confident the information security controls and governance in place are commensurate with protecting the information they are responsible for.

What should I do as an accountable officer (DG or equivalent) if I am uncomfortable signing the attestation?

The accountable officer has a responsibility to endorse the information security annual return and provide a letter of attestation on the agency's information security posture and compliance of its ISMS. Where the accountable officer is not comfortable attesting or endorsing, there are some options they should consider, including:

  • seeking additional external assurance (e.g. security reviews, external audit, etc.)
  • including caveats in the letter of attestation related to control areas where they cannot be assured the information security is appropriate
  • organising regular penetration testing for at-risk systems where assurance is lower
  • seeking certification for limited scopes of their ISMS

For more information, please refer to the Information Security Assurance and Classification Guideline.

The Cyber Security Unit is also available to provide advice directly to agency senior executives on a one-to-one basis.

Last Reviewed: 17 September 2019