Information security requirements and responsibilities

The Queensland Government’s approach to managing the security of our information systems is guided by a suite of policies, frameworks, standards and guidelines published under the Queensland Government Enterprise Architecture (QGEA) . These outline information security best practices and mandate requirements for certain Queensland Government entities.

Under the Financial and Performance Management Standard 2019 all Queensland Government departments and some government bodies (e.g. statutory bodies) must apply the QGEA, including the Information security policy (IS18:2018) .

If you’re unsure of your organisation’s responsibilities under IS18:2018 or the other policies listed below, refer to About the Queensland Government Enterprise Architecture and How to apply the enterprise architecture.

The Information security policy (IS18:2018) is the single overarching information security policy for the Queensland Government. It sets out five policy requirements which together aim to ensure that Queensland Government entities apply a consistent, risk-based approach to maintain the confidentiality, integrity and availability of information for which they are responsible.

Reporting requirements

The IS18:2018 policy has specific reporting requirements. The reporting period for the information security annual return is from 1 July to 30 June.

For each financial year ending 30 June:

  • departments must submit an Information security annual return endorsed by the department's accountable officer to the Queensland Government Customer and Digital Group
  • a department’s accountable officers   must submit a letter of attestation to the Queensland Government Chief Customer and Digital Officer.

The return must be submitted by 30 September to the Cyber Security Unit (CSU) via email to:

Refer to the Information security return FAQs to help your agency complete your return. If you have more questions, contact CSU for support.

If your agency is unable to make the deadline, refer to the QGEA exceptions process.

IS18:2018 also requires agencies communicate incident response activities and threat intelligence as per the Information security incident reporting standard.

The Information security policy refers to the following documents that mandate security requirements for agencies:

The ISO 27000 suite of standards is integral to implementing the Information security policy (IS18:2018).

ISO 27001 provides the requirements to implement, establish, maintain and continuously improve  an Information security management system (ISMS). ISO 27002 provides additional guidance around how to select, implement, and manage the controls that should be taken into consideration when implementing an ISMS as defined by ISO 27001.

SAI Global are the official distributor of ISO standards in Australia. These standards can be purchased from the SAI Global Infostore individually or through a subscription service, which some agencies may have in place. The full suite of standards includes:

  • ISO 27001 – Information security management   systems requirements
  • ISO 27002 – Code of practice for information   security controls
  • ISO 27003 – Information security management   system implementation guidance
  • ISO 27004 – Measurement
  • ISO 27005 – Information security risk   management
  • ISO 27010 – Information security management   for inter-sector and inter-organisational communications
  • ISO 27031 – Guidelines for information and   communication technology readiness for business continuity
  • ISO 27035 – information security incident   management

The ISO 27001 external site provides background and overview on each of the ISO 27000 Standards and a range of other ISO 27000 resources including technical references and technical standards which may be helpful to agencies, though the official standards should be purchased through SAI Global.

The Cyber Security Unit is also developing a whole-of-government panel arrangement for the delivery of ISMS services. Learn more by visiting the Cyber security supply arrangements page.

The ISMS Community of Practice (CoP) aims to raise awareness of information security in member agencies and develop and share information, methods and tools to enable agencies to operate a standards-based Information Security Management System (ISMS). The CoP’s focus is the implementation of the IS18 policy and the preparing the annual IS18 return. See Reporting requirements for more information.

The CoP generally meets bi-monthly and collaborates through a Microsoft Teams site to create and share a knowledge base for Queensland Government ISMS implementation and management, including checklists, hints and templates. It also provides an opportunity to meet other practitioners across the government.

Membership of this CoP is voluntary and open to all Queensland Government and Local Government Authority (LGA) employees who want to better implement, operate and mature their ISMS.

To request membership in the CoP, contact CSU via email:

To enhance Queensland Government cyber security capability and disaster readiness, the Queensland Government Cyber Security Hazard Plan formalises Queensland’s strategic arrangements, roles, and responsibilities in response to a cyber incident with state or nationwide impacts.  The Plan aligns with the state and federal disaster management arrangements, and will be used to align, integrate and embed cyber security arrangements into the plans, procedures and arrangements of individual agencies.

The Plan can be located on the Disaster Management Queensland website.