IS18 applicability, exceptions and departures guideline

Document type:
Guideline
Version:
v1.0.0
Status:
Current (Non-mandated)
Owner:
QGCDG
Effective:
January 2025–current
Security classification:
OFFICIAL-Public
Category:
Cyber security

Background

The Information security policy (IS18) is part of the Queensland Government Enterprise Architecture (QGEA). IS18 seeks to ensure all agencies apply a consistent, risk-based approach to the implementation of information security to maintain confidentiality, integrity, and availability. All entities are encouraged to adopt IS18 and to have regard to the cyber security obligations and better practice resources that are available. These resources can assist agencies to better manage information security risks, so that whole-of-government risks can be addressed collectively and a resilient digital environment built.

The evolving cyber threat landscape highlights the importance of robust cyber security. As digital threats become more sophisticated, the Queensland Government Cyber Security Unit (QGCSU) is committed to expanding its services and the support provided by the Queensland Government Chief Information Security Officer (QGCISO). This commitment is reflected in the continuous and significant investments made in QGCSU and in the products and services QGCSU provides to Queensland Government entities.

Purpose

This guideline provides guidance on the applicability of IS18 for all government entities.

Scope

This guideline does not cover other policies in the QGEA. Refer to How to apply the QGEA for further information on the applicability of other QGEA policies.

Definitions

Queensland Government entities

Queensland Government entities is a collective term that captures all Queensland Government organisations. For example:

  • Government departments
  • Statutory bodies
  • Statutory authorities
  • Government owned corporations
  • Local government councils

Note: Queensland Government entities should not be confused with public sector entities as defined under the Public Sector Act 2022 (Qld).

Queensland Government agencies

Queensland Government agencies is a collective term that captures the entities in scope of IS18. These are the entities listed under 'Agencies which must apply IS18' in the IS18 Applicability section below.

IS18 Applicability

Agencies which must apply IS18:

Government departments

IS18 applies to departments under the Public Sector Act 2022 (Qld).

Queensland Government departments must apply mandatory policy and reporting requirements under IS18.

Public service entities

IS18 applies to public service entities under Schedule 1 of the Public Sector Act 2022 (Qld).

Public service entities must apply mandatory policy and reporting requirements under IS18.

Directed government entities

Ministers or Responsible Heads (e.g. Directors-General) can direct entities that fall under their responsibility to comply with IS18. A directed government entity is a statutory or government authority, board, commission, corporation, agency, or other distinct entity established by legislation or government action. Generally, the direction needs to be in writing, and notifying QGCSU via cybersecurityunit@qld.gov.au is recommended. Where there is a machinery of government change, Ministers or Responsible Heads are encouraged to review the entities under their responsibility and re-issue directions where needed.

See Appendix A for an example letter template.

Government entities using department owned services and assets

Generally, where other government entities use a service, application or technology owned by a department, that government entity must also apply the relevant policies applicable for that asset.

For example, a statutory body may be using a department’s payroll and timekeeping solution. The department may have decided to implement two-factor authentication and other security processes to align with better practice. The statutory body should also adhere to the practices and processes that the department has put in place to ensure the continued security of the asset.

Departments may choose to put service level agreements in place to ensure obligations are clearly documented, communicated, and understood by the government entities that use their services or assets.

Agencies which ‘must have regard to’ IS18:

Statutory bodies

Statutory bodies under the Financial and Performance Management Standard 2019 (Qld) must have regard to IS18. See What does ‘must have regard to’ mean? for information regarding this requirement.

In May 2024, the Queensland Audit Office completed a performance audit on Responding to and recovering from cyber-attacks. A recommendation was made that all statutory bodies document their assessment as to whether IS18 is applicable to their circumstances and report this information to QGCSU. If applicable, statutory bodies should apply and adopt IS18 requirements. We strongly recommend that statutory bodies follow this advice from the Queensland Audit Office.

Accountable officers

Accountable officers who are not already in scope of the Public Sector Act 2022 (Qld), but who are in scope of the Financial and Performance Management Standard 2019 (Qld), must have regard to IS18. See What does ‘must have regard to’ mean? for information regarding this requirement.

Other entities strongly recommended to apply IS18

Local government

Local government councils are not required to comply with IS18 unless their Minister or Responsible Head, who has a shared responsibility for the local government council, has directed them to do so. However, it is strongly recommended that local government councils adopt IS18 (inclusive of all policy requirements and reporting requirements) to improve their cyber posture and, importantly, engage with the QGCSU on any incidents. It is also strongly recommended that local governments report incidents to the QGCSU at the earliest opportunity to enable support and the sharing of intelligence.

In May 2024, the Queensland Audit Office completed a performance audit on Responding to and recovering from cyber-attacks. A recommendation was made that all local governments document whether IS18 is appropriate for their environments and, if not, which frameworks are being applied to manage information security risks. We strongly recommend that local governments follow this advice from the Queensland Audit Office.

Government owned corporations

Government owned corporations (GOCs) are not required to comply with IS18 unless their Minister or Responsible Head, who has a shared responsibility for the GOC, has directed them to do so. However, it is strongly recommended that GOCs adopt IS18 (inclusive of all policy requirements and reporting requirements) to improve their cyber posture and, importantly, engage with the QGCSU on incidents. It is also strongly recommended that GOCs report incidents to the QGCSU at the earliest opportunity to enable support and the sharing of intelligence.

In May 2024, the Queensland Audit Office completed a performance audit on Responding to and recovering from cyber-attacks. A recommendation was made that all government owned corporations document whether IS18 is appropriate for their environments and, if not, which frameworks are being applied to manage information security risks. We strongly recommend that GOCs follow this advice from the Queensland Audit Office.

See Appendix B for an overview of IS18 applicability across all entities.

Applying IS18

The QGEA uses keyword conventions to communicate what is and isn’t mandatory when interpreting QGEA documents. IS18 adopts the same keyword convention.

Please note that documents such as standards and frameworks that are mandated under IS18 will generally adopt the same keyword convention, but may use the word ‘SHALL’ as an alternative to ‘MUST’; the same description applies to both.

What does ‘must apply’ mean?

Agencies within scope (e.g., departments, public service entities, directed entities) must apply both the policy requirements and the reporting requirements within IS18.

What does ‘must have regard to’ mean?

Section 5 of the Financial and Performance Management Standard 2019 (Qld) defines ‘must have regard to’ to mean that the accountable officer or statutory body complies by:

  • considering the contents of the document (IS18).
  • deciding whether the contents apply in the circumstances.
  • if the contents apply – applying the contents.

That is, ‘must have regard to’ means making a conscious and documented decision either to follow IS18, or not to follow it (and therefore not apply it).

If you are considering making a conscious and documented decision not to follow IS18, we highly recommend that you undertake a risk assessment and ensure the accountable officer signs off on both the risk assessment and the final decision.

Where you choose to apply IS18, you must implement all policy requirements and reporting requirements. In particular it is extremely important you report cyber incidents in a timely manner to the Queensland Government Information Security Virtual Response Team (QGISVRT) as per the QGEA Information Security Incident Reporting Standard.

See Appendix C for a decision flow chart about applicability.

Exceptions and departures

Agencies can document non-compliance with IS18 in two ways: through an exception, or a departure.

Exceptions

An exception is where an agency cannot comply with one or more IS18 policy requirements and/or reporting requirements.

Agencies can apply for exceptions as per the QGEA Alignment and exceptions process. In summary, to gain an exception an agency must provide evidence that a risk assessment has been conducted to understand the impact to the agency, to other impacted agencies, or to whole-of-government where a policy requirement cannot be met. This risk assessment must be signed off by the accountable officer or a relevant nominated delegate.

Exceptions are submitted to the Queensland Government Chief Customer and Digital Officer for endorsement. Exceptions may also be submitted to a relevant whole-of-government governance body if deemed necessary.

Departures

A departure is where an agency cannot or elects not to meet part of a QGEA policy requirement or reporting requirement. This can also include not meeting a sub requirement within a mandated standard or framework under IS18 (e.g., departure from a single control).

Where an agency has a departure from a sub requirement within a mandated standard or framework under IS18 (e.g., departure from a single control), the agency can undertake a risk assessment and have it approved by the agency accountable officer.

Departures do not require any whole-of-government endorsement.

Documenting exceptions and departures provides useful evidence for agencies’ auditing purposes.

When do multiple departures become an exception?

If you answer yes to any of the following questions, then you should apply for an exception:

  • Are multiple departures impacting whole-of-government operations, or more than one agency?
  • Is there an exceptional degree of complexity or unknown factors?
  • Are there significant risks which would warrant additional consideration from a whole-of-government perspective?
  • Could the multiple departures impact auditing reports?

Exception example:

A statutory body has just been notified by their shareholding minister that they are in scope of IS18. This statutory body has not completed an annual return before and would like to focus on implementing IS18 for the first 12 months before starting reporting. They have asked for a 12-month exception from the annual return.

Departure or exception?

An agency has recently been moved into a new government department. They have identified that they are meeting half of the Essential Eight controls and have documented this as a departure. However, after documenting the risk assessment, the agency has determined that the risks warrant an exception due to the potential impact on other agencies. The agency then requests a 6-month exception from parts of the Essential Eight.

Departure example:

An agency is considering a departure from a single Essential Eight requirement: Online services that are no longer supported by vendors are removed - SM-1905. The vendor for the service is no longer suitable, but the risk of stopping the service is greater than the risk of operating without vendor support. There are limited vendors for this service, so the agency is considering a departure for 6 months, or until a new vendor has been chosen.

Appendix A: Example letter template

To [Government Entity],

As the shareholding minister/responsible head of [Government Entity], I am writing to inform you of requirements relating to the Queensland Government Information Security Policy (IS18).

Following recent assessments, it has been determined that all entities under our purview must uplift their information security practices. This is to ensure the integrity, availability, and confidentiality of our information are preserved against potential cyber threats.

As the shareholding minister/responsible head of [Government Entity], I direct [Government Entity] and its subsidiaries to apply IS18. This includes both the policy requirements and the reporting requirements. [Government Entity] must also have regard to the cyber security policy suite of better practice resources in the interest of Queensland’s cyber security.

As cyber security threats continue to evolve and pose significant risks to our operations, data, and services, it is imperative that [Government Entity] complies fully with the provisions of IS18.

I would be grateful if you could apply IS18 and its controls. I also request that you provide updates on your progression of applying IS18.

If you require further information regarding the requirements of IS18, I encourage you to contact the Queensland Government Cyber Security Unit by email at cybersecurityunit@qld.gov.au.

Yours sincerely,

[Name]

[Portfolio]

Appendix B: IS18 applicability across all entities

| Entity | IS18 | Cyber security better practice resources | Reporting requirements |
|---|---|---|---|
| Queensland Government departments | Must apply | Must have regard to | Must apply |
| Public Service entities | Must apply | Must have regard to | Must apply |
| Directed Government entities | Must apply | Must have regard to | Must apply |
| Government entities using departmental owned resources | Must apply | Must have regard to | Must apply |

Entities which are not directed

| Entity | IS18 | Cyber security better practice resources | Reporting requirements |
|---|---|---|---|
| Statutory Bodies under FPMS | Must have regard to | Must have regard to | Must have regard to |
| Local Government | Strongly recommended | Strongly recommended | Strongly recommended |
| Government Owned Corporations | Strongly recommended | Strongly recommended | Strongly recommended |

Appendix C: IS18 applicability flowchart (decision flow chart on applicability)