Author: Queensland Audit Office

The impacts of cyber attacks, and of malicious or inadvertent actions by employees, present a very real risk. As highlighted in our recent report Managing cyber security risks (Report 3: 2019–20), data fraud or theft and cyber attacks are among the top five global risks in terms of likelihood.

Our audits, over the years, have identified that the maturity of information security across the public sector needs to improve.

The Queensland Government’s information security policy (IS18:2018) was revised with effect from 1 October 2018. Implementing IS18:2018 presents an opportunity for departments to evaluate and improve their security posture and to apply a consistent approach to information security.

We have prepared two blog articles to help entities understand and apply the updated policy. This article focuses on who IS18:2018 applies to, what it requires and what entities should be aware of. The second article, to be published shortly, will provide insights and examples on implementing IS18:2018.

Who does IS18:2018 apply to?

All departments must apply the policy requirements in IS18:2018 to all information, applications and technology assets.

Statutory bodies must have regard to the Queensland Government Enterprise Architecture, including IS18:2018 (that is, consider and document whether it applies to their circumstances) when:

  • establishing and maintaining an internal control structure
  • establishing, maintaining and reviewing their financial information management systems
  • managing strategic and operational risks relating to digital, information or communication technology.

Some government entities may be directed by their minister to comply with IS18:2018.

Entities that don’t have a clear directive to comply can use IS18:2018 as better practice to manage their risks relating to information assets.

What are the requirements of the current policy?

1. Departments must operate an information security management system (ISMS) based on the current version of ISO 27001 Information technology – Security techniques – Information security management systems – Requirements. This means that departments are to use these standards to develop a holistic view of their information security risks and implement comprehensive internal controls. The scope of the ISMS will include protecting all information, application and technology assets.

2. Departments must integrate their ISMS into their corporate risk management processes, with information security risks considered at the business level.

3. Departments must meet minimum security requirements and comply with the:

  • Queensland Government Information Security Classification Framework (the framework)
  • Data Encryption Standard
  • Queensland Government Authentication Framework
  • ‘Essential eight’ strategies from the Australian Signals Directorate (ASD).

4. Accountable officers must obtain assurance for the security of information and information assets based on the criticality/significance of the system.

5. Accountable officers must endorse the information security annual return and attest to the security posture and compliance of the entity’s ISMS by 30 October 2019, and by 30 September in future years. They must publish the attestation in a publicly accessible manner.

What has changed since the previous policy?

IS18:2018 requires all business areas within an entity to consider information security risks and produce a response consistent with the entity’s risk appetite. The policy now requires entities to use an information security management system and comply with minimum security requirements, and accountable officers to publicly attest to their information security posture.

This elevation of information security risks reflects the significance of threats to information security in the current environment, and that information technology professionals cannot address these threats alone.

What do entities need to be aware of?

Those charged with governance must champion the implementation of IS18:2018, and the business, in collaboration with risk management and information security professionals, should lead it.

Audit committees need to ensure people, processes and systems are in place to support the preparation of accurate and timely annual returns under IS18:2018. When formulating their annual internal audit plan, entities may consider whether a review of their annual return is required, to ensure the efficiency and effectiveness of the reporting process.

Further resources

Information security policy (IS18:2018)

Queensland Government Enterprise Architecture