The Information security policy (IS18:2018) is the single overarching information security policy for the Queensland Government. It sets out five policy requirements which together aim to ensure that Queensland Government entities apply a consistent, risk-based approach to maintain the confidentiality, integrity and availability of information for which they are responsible.
Reporting requirements
The IS18:2018 policy has specific reporting requirements. The reporting period for the information security annual return is from 1 July to 30 June.
For each financial year ending 30 June:
- departments must submit an Information security annual return endorsed by the department's accountable officer to the Queensland Government Customer and Digital Group
- a department’s accountable officers must submit a letter of attestation to the Queensland Government Chief Customer and Digital Officer.
The return must be submitted by 30 September to the Cyber Security Unit (CSU) via email to: cybersecurityunit@qld.gov.au.
Refer to the Information security return FAQs to help your agency complete your return. If you have more questions, contact CSU for support.
If your agency is unable to make the deadline, refer to the QGEA exceptions process.
IS18:2018 also requires agencies to communicate incident response activities and threat intelligence as per the Information security incident reporting standard.
The Information security policy refers to the following documents that mandate security requirements for agencies: