Information security requirements and responsibilities
The Queensland Government’s approach to managing the security of our information systems is guided by a suite of policies, frameworks, standards and guidelines published under the Queensland Government Enterprise Architecture (QGEA). These outline information security best practices and mandate requirements for certain Queensland Government entities.
The Information security policy (IS18:2018) is the single overarching information security policy for the Queensland Government. It sets out five policy requirements which together aim to ensure that Queensland Government entities apply a consistent, risk-based approach to maintain the confidentiality, integrity and availability of information for which they are responsible.
The IS18:2018 policy has specific reporting requirements. The reporting period for the information security annual return is from 1 July to 30 June.
ISO 27001 provides the requirements to implement, establish, maintain and continuously improve an Information security management system (ISMS). ISO 27002 provides additional guidance around how to select, implement, and manage the controls that should be taken into consideration when implementing an ISMS as defined by ISO 27001.
SAI Global are the official distributor of ISO standards in Australia. These standards can be purchased from the SAI Global Infostore individually or through a subscription service, which some agencies may have in place. The full suite of standards includes:
ISO 27001 – Information security management systems requirements
ISO 27002 – Code of practice for information security controls
ISO 27003 – Information security management system implementation guidance
ISO 27004 – Measurement
ISO 27005 – Information security risk management
ISO 27010 – Information security management for inter-sector and inter-organisational communications
ISO 27031 – Guidelines for information and communication technology readiness for business continuity
ISO 27035 – Information security incident management
The ISO 27001 external site provides background and overview on each of the ISO 27000 Standards and a range of other ISO 27000 resources including technical references and technical standards which may be helpful to agencies, though the official standards should be purchased through SAI Global.
The Cyber Security Unit is also developing a whole-of-government panel arrangement for the delivery of ISMS services. Learn more by visiting the Cyber security supply arrangements page.
The ISMS Community of Practice (CoP) aims to raise awareness of information security in member agencies and develop and share information, methods and tools to enable agencies to operate a standards-based Information Security Management System (ISMS). The CoP’s focus is implementing the IS18 policy and preparing the annual IS18 return. See Reporting requirements for more information.
The CoP generally meets bi-monthly and collaborates through a Microsoft Teams site to create and share a knowledge base for Queensland Government ISMS implementation and management, including checklists, hints and templates. It also provides an opportunity to meet other practitioners across the government.
Membership of this CoP is voluntary and open to all Queensland Government and Local Government Authority (LGA) employees who want to better implement, operate and mature their ISMS.
To enhance Queensland Government cyber security capability and disaster readiness, the Queensland Government Cyber Security Hazard Plan formalises Queensland’s strategic arrangements, roles, and responsibilities in response to a cyber incident with state or nationwide impacts. The Plan aligns with the state and federal disaster management arrangements, and will be used to align, integrate and embed cyber security arrangements into the plans, procedures and arrangements of individual agencies.
Single sign-on (SSO) is an authentication process that allows you to access multiple services and applications with one username and password.
Most Queensland Government agencies use SSO. If your agency doesn't use SSO, contact your agency IT service desk and let them know you would like to use it.
Most government-owned corporates, non-government organisations, and statutory authorities do not currently use SSO. If your organisation doesn't use SSO, contact your IT service desk and let them know you would like to use it.