QGEA self-assessment guideline

Document type: Guideline
Version: Final v3.0.2
Status: Current; Non-mandated
Effective: November 2019–current
Security classification: OFFICIAL-Public
Category: Business

Alignment with the QGEA means having achieved or being on track to meet the policy and reporting requirements, or targets set within QGEA policy or principles documents.

The QGEA self-assessment workbook is a tool to assist agencies in assessing their alignment with the QGEA as part of ongoing business improvement, managing digital and ICT risks, guiding digital and ICT investments and supporting operational decision making.

The QGEA self-assessment does not need to be submitted to QGCDG.

Figure 1 depicts the hierarchical relationship of the major elements of the QGEA and shows the alignment process applied to requirements and targets. Note: some targets may be located within QGEA policies.

Figure 1 - QGEA hierarchy

Assessment is conducted by selecting a response from a set list of values. The set list of values differs for policy requirements, principles and targets. Assessment of QGEA requirements is done in terms of compliance with requirements (either policy requirements or principles). Assessment of QGEA targets is done in terms of achievement of the target.

Table 1 lists the assessment values applicable to each of these mechanisms of the QGEA.

Document type: QGEA policy or principle document

Assessment category: Mandatory principle and policy requirement (assessed in terms of compliance with the requirement)

Assessment values:

  • Fully compliant
  • Substantially compliant
  • Partially compliant
  • Not compliant
  • Exception granted
  • Not applicable

Assessment category: Implementation target (assessed in terms of achievement of the target)

Assessment values:

  • Achieved
  • On track
  • Not on track
  • Not planned
  • Exception granted
  • Not applicable

Table 1 - Assessment values for mechanisms of the QGEA

Tables 2 and 3 below provide a description of each assessment value.

QGEA policy requirements

Fully compliant

  • Meets all aspects of the mandatory principle or policy requirement.
  • Implementation has occurred throughout the entire department.

Substantially compliant

  • Most aspects of the mandatory principle or policy requirement have been met.
  • Significant implementation has occurred for all business-critical elements (systems/services/assets/domains/risks etc.) and throughout the majority of business units in the department.

Partially compliant

  • Many aspects of the mandatory principle or policy requirement have been met.
  • Implementation has occurred across many business units of the department.

Not compliant

  • Limited or no aspects of the mandatory principle or policy requirement have been met.
  • Implementation has not occurred or is ad-hoc.

Exception granted

  • An official exception to the mandatory principle or policy requirement has been approved through the QGEA governance process and/or through the Peer Review Panel.
  • Due to legislative requirements, exceptions cannot be granted for the Records governance policy.
  • Where departments self-assess as an exception granted without formal approval, the department will be deemed not compliant.

Not applicable

  • A not applicable should only be used when the policy (or information standard) excludes the department.
    • A not applicable cannot be used where the department is consuming a third-party service, as the department is responsible for the compliance of the service provider.
  • All uses of not applicable need to be justified within the comments column of the self-assessment workbook.
  • Where departments incorrectly self-assess as not applicable, the department will be deemed as not compliant.

Table 2 - Description of values for mandatory principles and policy requirements

Implementation target

Achieved

  • The target has been met.

On track

  • Existing or planned future ICT initiatives will result in the target being achieved by the specified deadline.

Not on track

  • Existing or planned future ICT initiatives will result in the target being achieved later than the specified deadline.

Not planned

  • There is no current plan which is likely to result in the target being achieved.

Exception granted

  • An official exception to the target has been approved through the QGEA governance process or through the Peer Review Panel.
  • The department should indicate which type of exception has been granted in the comments.
  • Where departments self-assess as an exception granted without formal approval, the department will be deemed not planned.

Not applicable

  • A not applicable should only be used when the target excludes the department.
  • A not applicable cannot be used where the department is consuming a third-party service, as the department is responsible for the compliance of the service provider.
  • All uses of not applicable need to be justified within the comments column of the self-assessment workbook.
  • Where departments incorrectly self-assess as not applicable, the department will be deemed as not planned.

Table 3 - Description of values for Implementation targets

The self-assessment workbook comprises multiple tabs:

  • Introduction.
  • Overall summary - this presents a rolled-up view of overall department compliance with the QGEA.
  • Per-artefact summary - this presents a rolled-up, per-artefact summary of the department's compliance with the QGEA.
  • Policy statements - this provides a complete set of all approved policy statements. There is no assessment for policy statements, but they are included for reference.
  • Compliance requirements - this tab includes all policy requirements, mandatory principles and targets. Departments must assess and select an assessment value for each applicable row on this tab.
  • QGEA reporting requirements - this provides a list of other reporting requirements mandated by the QGEA.
  • Reference - this tab lists the allowable values used for completing the assessment.

The compliance requirements tab includes columns that detail each requirement. Auto filters are enabled on the columns to allow selection of subsets of the requirements for easier consideration.

  • QGEA document - the name of the document, which is hyperlinked to the QGEA document on the QGCIO website.
  • Type - the type of the QGEA document: policy, information standard or position paper.
  • Mechanism - the type of QGEA mechanism being assessed. There is a direct correlation with the type column: policies include policy requirements; information standards include mandatory principles; and positions, and some policies, include targets.
  • # - the unique number of the compliance requirement. Where there are multiple compliance requirements within a QGEA document they are identified by a unique number.
  • Target or requirement (mandatory principle) - this provides the text of the requirement as per the approved and published document.
  • When - the date on which the compliance requirement is expected to be complied with or the target achieved.
  • Assessment - this column is to be completed by the department. The assessment status row on the overall summary tab simply counts the values entered in this assessment column to determine if the assessment has been completed.
  • Comments - departments may enter additional information in this column to support their assessment.
  • Assigned to - departments may enter values into this column to aid with assigning portions of the self-assessment to separate areas within their department for completion.
  • Remaining columns - the remainder of the columns contain formulas that assist in calculating the summaries of assessment status. Do not change any values in these columns.