
QGEA Alignment and exceptions

Visit QGEA Document governance to understand how mandatory requirements for QGEA alignment apply to departments and government bodies.

Use the QGEA implementation prioritisation technique to help you prioritise your alignment to QGEA policies. All QGEA policies are mandatory; the technique shows how government bodies can sequence their QGEA implementation rather than which policies to skip.

See our QGEA implementation prioritisation technique guideline for an explanation of this technique and use our QGEA implementation prioritisation technique spreadsheet as an example.

Government bodies are not required to use the QGEA implementation prioritisation technique. You may have other methods for planning and prioritising alignment (e.g. risk assessment).

Government bodies are not required to report on QGEA alignment. This does not remove the obligation to align with QGEA requirements.

Government bodies should continue to assess their alignment with the QGEA as part of ongoing business improvement, managing digital and ICT risks, guiding digital and ICT investments and supporting operational decision making.

Use the QGEA self-assessment workbook (government login required) and see the self-assessment guidelines below for help.

Using the self-assessment workbook

The self-assessment workbook comprises multiple tabs:

  • Introduction.
  • Overall summary—this presents a rolled-up view of the department's overall compliance with the QGEA.
  • Per-artefact summary—this presents a rolled-up, per-artefact summary of the department's compliance with the QGEA.
  • Policy statements—this provides a complete set of all approved policy statements. There is no assessment for policy statements, but they are included for reference.
  • Compliance requirements—this tab includes all policy requirements, mandatory principles and targets. Departments must assess and select an assessment value for each applicable row on this tab.
  • QGEA reporting requirements—provides a list of other reporting requirements mandated by the QGEA.
  • Reference—this tab lists the allowable values used for completing the assessment.

The compliance requirements tab includes columns that detail each requirement. Auto filters are enabled on the columns to allow selection of subsets of the requirements for easier consideration.

  • QGEA document—the name of the document which is hyperlinked to the QGEA document on the QGCIO website.
  • Type—the type of the QGEA document; policy, information standard or position paper.
  • Mechanism—the type of QGEA mechanism being assessed. This correlates directly with the type column: policies contain policy requirements, information standards contain mandatory principles and positions, and some policies also contain targets.
  • #—the unique number of the compliance requirement. Where there are multiple compliance requirements within a QGEA document they are identified by a unique number.
  • Target or requirement (mandatory principle)—this provides the text of the requirement as per the approved and published document.
  • When—the date on which the compliance requirement is expected to be complied with or the target achieved.
  • Assessment—this column is to be completed by the department. The assessment status row on the overall summary tab simply counts the values entered in this assessment column to determine if the assessment has been completed.
  • Comments—departments may enter additional information in this column to support their assessment.
  • Assigned to—departments may enter values into this column to aid with assigning portions of the self-assessment to separate areas within their department for completion.
  • Remaining columns—the remainder of the columns contain formulas that assist in calculating the summaries of assessment status. Do not change any values in these columns.

Self-assessment guidelines

Use the set list of values below to assess your alignment. The values differ for policy requirements, principles and targets. QGEA requirements (either policy requirements or principles) are assessed in terms of ‘compliance’ with the requirement. QGEA targets are assessed in terms of ‘achievement’ of the target.

Document type: QGEA policy or principle document

Assessment category: Mandatory principle and policy requirement (assessed in terms of compliance with the requirement)
Assessment values:
  • Fully compliant
  • Substantially compliant
  • Partially compliant
  • Not compliant
  • Exception granted
  • Not applicable

Assessment category: Implementation target (assessed in terms of achievement of the target)
Assessment values:
  • Achieved
  • On track
  • Not on track
  • Not planned
  • Exception granted
  • Not applicable

Compliance assessment values

Each assessment value is listed below with its description.
Fully compliant
  • Meets all aspects of the mandatory principle or policy requirement.
  • Implementation has occurred throughout the entire department.
Substantially compliant
  • Most aspects of the mandatory principle or policy requirement have been met.
  • Significant implementation has occurred for all business-critical elements (systems/services/assets/domains/risks etc.) and throughout the majority of business units in the department.
Partially compliant
  • Many aspects of the mandatory principle or policy requirement have been met.
  • Implementation has occurred across many business units of the department.
Not compliant
  • Limited or no aspects of the mandatory principle or policy requirement have been met.
  • Implementation has not occurred or is ad-hoc.
Exception granted
  • An official exception to the mandatory principle or policy requirement has been approved through the QGEA governance process and/or through the Peer Review Panel.
  • Due to legislative requirements, exceptions cannot be granted for the Records governance policy.
  • Where departments self-assess as ‘exception granted’ without formal approval, the department will be deemed ‘not compliant’.
Not applicable
  • A ‘not applicable’ should only be used when the policy (or information standard) excludes the department.
  • A ‘not applicable’ cannot be used where the department is consuming a third-party service, as the department is responsible for the compliance of the service provider.
  • All uses of ‘not applicable’ need to be justified within the comments column of the self-assessment workbook.
  • Where departments incorrectly self-assess as ‘not applicable’, the department will be deemed as ‘not compliant’.

Achievement assessment values

Each assessment value is listed below with its description.

Achieved
  • The target has been met.
On track
  • Existing or planned future ICT initiatives will result in the target being achieved by the specified deadline.
Not on track
  • Existing or planned future ICT initiatives will result in the target being achieved later than the specified deadline.
Not planned
  • There is no current plan which is likely to result in the target being achieved.
Exception granted
  • An official exception to the target has been approved through the QGEA governance process or through the Peer Review Panel.
  • The department should indicate which type of exception has been granted in the comments.
  • Where departments self-assess as ‘exception granted’ without formal approval, the department will be deemed ‘not planned’.
Not applicable
  • A ‘not applicable’ should only be used when the target excludes the department.
  • A ‘not applicable’ cannot be used where the department is consuming a third-party service, as the department is responsible for the compliance of the service provider.
  • All uses of ‘not applicable’ need to be justified within the comments column of the self-assessment workbook.
  • Where departments incorrectly self-assess as ‘not applicable’, the department will be deemed as ‘not planned’.

You can apply for an exception to QGEA alignment if you are unable to meet your alignment requirements, or unable to plan to meet them, within a specified time frame.

Who can apply for an exception to QGEA alignment?

Generally, the exception process applies to departments, directed government bodies and any entities in scope of QGEA documents with broader applicability.

See How to apply the QGEA which includes a list of documents with broader applicability.

What documents can be excepted for QGEA alignment?

Generally, you can apply for exceptions to policy requirements, reporting requirements and targets within QGEA policies, as these state specific rules.

Exceptions to QGEA principles can be applied for whenever deemed necessary. However, such exceptions are rare, since principles are core beliefs and values that guide decision making. At times principles may conflict, as they are designed to assist in making decisions in different contexts and changing environments. Visit QGEA Document governance to learn more about QGEA principles.

How to apply for an exception to QGEA alignment

Complete the Application for an exception to the QGEA form (DOCX, 901.53 KB).

You must provide evidence that you have:

  • completed a risk assessment and prepared a business case outlining the benefits gained by obtaining an exception
  • gained endorsement by your department’s Chief Information Officer (CIO) or relevant executive for your business plan
  • identified the impact and consequences of non-compliance to both your government body and the whole-of-government directions
  • detailed the remedial action proposed to address the inconsistencies with your government body and whole-of-government directions
  • nominated a timeframe in which you expect to become compliant
  • obtained authorisation from your CIO or relevant executive to apply for the exception.

Submit your completed application to qgea@qld.gov.au.

For help see the QGEA exception guideline or email qgea@qld.gov.au.

The following QGEA alignment exceptions have been approved.

Department: Department of Health
QGEA publication: Information security policy (IS18:2018)
Requirement: Policy requirement 3: Agencies must meet minimum security requirements - Queensland Government Authentication Framework (QGAF)
Exception expiry date: N/A