Understanding Information security policy applicability

The Queensland Government Information security policy (IS18:2018) is the minimum requirement for Queensland Government information security. The policy mandates the use of an information security management system (ISMS) to identify and manage risks to information, applications and technologies, through their life cycle.

IS18:2018 additionally requires agencies to report on their internal information security incidents and on their ISMS adoption and progress.

This page discusses the applicability and requirements of the IS18:2018 to various entities across the Queensland Government. This page is not a substitute for the IS18:2018. For information on the Queensland Government Enterprise Architecture (QGEA) applicability in general, please see the Applicability of the QGEA.

What entities are responsible to follow IS18:2018?

The IS18:2018’s applicability is derived from the Queensland Government Enterprise Architecture (QGEA) and the Financial and Performance Management Standard (FPMS).

Core Queensland Government departments (as defined by the Public Service Act 2008) must comply with the IS18:2018, with a scope covering all of their information, application and technology assets.

Further, all accountable officers and statutory bodies in the scope of the Financial and Performance Management Standard 2009 (FPMS) must have regard to this policy when:

  • safeguarding their assets by establishing internal controls; and
  • implementing financial information management systems.

Statutory organisations and other Queensland Government entities (e.g. Government-owned-corporations, universities, local governments, etc.) may be required by their Director General, Minister, or Chief Executive to follow some or all of the requirements of the IS18:2018.

The QGCIO places no mandate on local government bodies to comply with the QGEA, including the Information security policy.

Where a Queensland Government entity has no clear mandate or directive to follow the IS18:2018, we strongly encourage it to follow the IS18:2018 to demonstrate better practice.

What does it mean for you?

Core Queensland Government departments (Public Service Act 2008)

Core departments (as defined by the Public Service Act) must:

  • comply with all policy requirements 1 to 5 as outlined in the IS18:2018
  • complete all reporting requirements documented in the policy.

Reporting requirements include those found in the Information security incident reporting standard (QGISIRS), and annual reporting of their ISMS using the Information Security Checklist.

Only departments must comply with the requirements of the QGISIRS.

Statutory bodies and departments (Financial Accountability Act 2009)

Unless directed to do so (see ‘Directed organisations’ below), statutory bodies and departments as defined by the FAA must have regard to policy requirements 1 to 5 as outlined in the IS18:2018, when:

  • safeguarding their assets by establishing internal controls; and
  • implementing financial information management systems.

Statutory bodies and departments (FAA defined) should provide ISMS status reporting using the Information security annual return.

Statutory bodies and departments that reside under a core department, or exist functionally as part of a larger reporting entity, should consult with their department regarding reporting arrangements and consider consolidated reporting.

These organisations do not need to comply with the QGISIRS. The Cyber Security Unit and the Queensland Government Virtual Response Team are able to provide support during information security incidents, and recommend that incident data is reported periodically.

Directed organisations

Queensland Government related organisations that have been directed to comply with the IS18:2018 by their Minister or executive leadership (e.g. Director-General, Chief Executive, Board, etc.) should comply with the directives as given to them.

These organisations may be directed to comply with some or all aspects of the policy; however, the QGCIO has not mandated the IS18:2018’s reporting requirements for these organisations. If the organisation’s executive leadership has directed their agency to provide QGISIRS or ISMS reporting, the QGCIO will accept the provided reporting.

Directed organisations that reside under a core department, or exist functionally as part of a larger reporting entity, should consult with their department regarding reporting arrangements and consider consolidated reporting.

Local governments

The QGCIO has no mandate over local government bodies to comply with the QGEA, including IS18:2018. Some local government organisations may nevertheless be directed to comply with IS18:2018. In these cases, the local government organisation should refer to the Directed organisations section (above).

Other organisations

All other organisations that do not fit any of the described scenarios are encouraged to implement or utilise the IS18:2018 to align with better practice.

Exceptions

The QGEA recognises there are cases where departments and statutory bodies may be unable to meet policy requirements or specified time frames. There is an exception process available to assist with this.

To gain an exception, the department or statutory body must provide evidence that a risk assessment has been conducted and a business case prepared for any policy requirement they believe cannot or will not be met, and provide evidence of a planned approach to achieving compliance.

QGEA exceptions apply to departments (as defined under the Public Service Act 2008) and departments and statutory bodies as defined by the FAA.

Full details of how to apply for an exception, including what to submit to qgcio@qgcio.qld.gov.au, are available on the Alignment and exceptions page.


Last Reviewed: 02 July 2019