
Information and cyber security policy (IS18)

Document type: Policy
Version: v9.0.0
Status: Current, Mandated
Owner: QGCDG
Effective: February 2025–current
Security classification: OFFICIAL-Public
Category: Cyber security

Purpose

This policy will improve the protection of services to Queenslanders and maintain a focus on continuous improvement of information security to enhance organisational resilience.

The Queensland Government is responsible for a significant amount of information. To ensure trust and deliver business value, it is critical that this information is protected appropriately.

This policy seeks to ensure the Queensland Government applies a consistent, risk-based approach to the implementation of information and cyber security to maintain confidentiality, integrity, and availability.

Policy statement

The Queensland Government will identify and manage information and cyber security risks to services, information, applications, and technologies throughout their lifecycle.

Policy requirements

Requirement 1: Agencies must implement an ISMS based on ISO 27001

Agencies must implement and operate an ISMS based on the current version of ISO 27001 Information technology – Security techniques – Information security management systems – Requirements (link for government employees only). The scope of the ISMS will include the protection of all services, information, application, and technology assets.

Requirement 2: Agencies must apply a systematic and repeatable approach to security risk management

Risk management is an integral part of operating an ISMS. Agencies must integrate information security risks as part of their ISMS into corporate governance and risk management frameworks and processes. This will ensure that security risk management considers the strategic and operational business impacts and is responsive to the changing threat landscape.

Agencies should also consider the enterprise security risks associated with operational technology (OT). Agencies should ensure OT is being holistically governed.

The security risk management of OT should consider the unique requirements, stakeholders, and attributes of OT, including safety, environmental and asset protection systems. Agencies should also consider the adoption of internationally recognised OT industry standards and frameworks.

Requirement 3: Agencies must meet minimum information security requirements

To ensure a consistent information security approach and promote information sharing, Queensland Government agencies must comply with the:

Agencies must also implement the Australian Signals Directorate’s (ASD) Essential Eight Strategies. This includes the selection of Maturity Level target(s), with control selection (link to new control guideline (TBD)) and application based on the agency’s risk appetite.

Requirement 4: Accountable officers must obtain security assurance for systems

Every system is unique and security assurance should be applied sensibly and appropriately. Accountable officers (CEO/Director-General or equivalent) must obtain security assurance to establish an understanding of information security protections and adherence to this policy.

The level of security assurance applied to systems must be based on the criticality/significance of the system, using the business impact levels determination methodology outlined in the QGISCF.

Agencies must also conduct cyber incident simulations at least annually to test their response plans.

Requirement 5: Accountable officers must attest to the appropriateness of agency information security

Accountable officers (CEO/Director-General or equivalent) must:

  • endorse the Information security annual return.
  • attest to the agency information security posture and the compliance of its ISMS.

Endorsement must be obtained from the entity’s accountable officer through the corporate audit and risk committee.

Agencies must publish the attestation in the agency’s annual report and should consider publishing it in further publicly accessible locations such as the agency website.

The scope of the attestation must include the current ISMS and acknowledge the existence of an approved operational maturity uplift plan (see ISO 27001 – clauses 6 and 8.1).

Agencies should refer to the Agency Information Security Attestation Statement Example (DOCX, 18.8 KB).

Reporting requirements

This policy has specific reporting requirements:

  1. For each financial year ending 30 June, agencies must submit to the Queensland Government Cyber Security Unit (CSU) an Information security annual return that has been endorsed by the agency’s accountable officer. Date: Annually at 30 September.
  2. Agencies must engage with the CSU at the earliest opportunity to report applicable incidents in the format and timeframes defined in the QGEA Information Security Incident reporting standard. The QGCSU encourages all Queensland Government entities (including local government) to report incidents at the earliest opportunity to the CSU to enable support and the sharing of timely threat intelligence. Date: Ongoing.

Advice

This policy should be read in conjunction with the Cyber Security Policy suite of documents (under development) which can assist agencies with better practice resources.

Scope

The scope of this policy includes:

  • all areas of the organisation where information, applications and technology could impact service delivery to Queenslanders or the running of the business of Queensland Government (including supply chain management)
  • all activities affected by information security across all information, applications, technologies, and infrastructure
  • all information security and cyber security activities including the protection of information and systems from unauthorised access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability
  • all cyber security activities which support the ability to plan for, protect against, detect, respond to and recover from cyber threats.

Applicability

This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and to statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management. Please see How to apply the QGEA for further information, including how to apply for an exception.

Agencies can apply for exceptions from the policy requirements and/or the reporting requirements as per QGEA alignment and exception (Government employees only). Where an agency has a departure from a sub requirement within a mandated standard or framework under this policy (e.g., departure from a single control), agencies can seek sign off by the agency accountable officer.

Other Queensland government entities, including local governments, are strongly encouraged to apply the policy as recommended better practice. For further information, agencies can also refer to the IS18 applicability, exceptions and departures guideline.

Implementation

This policy comes into effect from the issue date.

Where updates occur to policy requirements, including referenced standards (e.g., ISO 27001 and the Essential 8), the impact to agencies will vary depending on the extent of changes and current agency implementations. As such, agencies should undertake a gap analysis and, based on a risk assessment, develop a transition plan to move to the current version, signed off by the accountable officer or nominated delegate.

Please note most external standards specify a transition timeframe which agencies should have regard to.

Policy benefits

The implementation of this policy will:

  • enable the Queensland Government to predict and respond to the changing threat environment
  • enable Queensland Government to align to international best practice approaches
  • facilitate a systematic approach to risk and improve decision making
  • provide a flexible and tailored approach to meet individual agency business needs and different risk appetites in an increasingly complex ICT and business environment
  • allow for independent security system reviews to provide an increased level of confidence and trust in government
  • support better allocation of time and resources to security challenges relevant to specific departments
  • leverage increasing industry adoption of ISO 27001 which will assist in aligning requirements and improve transparency when using cloud and managed services
  • support timely incident reporting, enabling a collective understanding on incidents that may have whole-of-government impacts, and improve prioritisation of targeted incident response support to agencies.

Issue and approval

Issue date: 4 February 2025

This QGEA policy is published within the QGEA and administered by the Queensland Government Customer and Digital Group. It was developed by the Cyber Security Unit.