In its most recent Annual Cyber Threat Report (2021), the Australian Cyber Security Centre reported a 13 per cent increase in cybercrime reports over the previous year, with no sector of the Australian economy immune to the impact. This equates to one report of a cyber attack every 8 minutes.
Cyber attacks continue to increase in frequency and sophistication, and with the Brisbane Olympic and Paralympic Games coming in 2032, our state, its services and public sector entities of all sizes will be seen as attractive targets for cyber criminals. It cannot be thought of as ‘someone else's problem’.
To manage the security and protection of all information, application, and technology assets in a coordinated and holistic manner, the Queensland Government implemented an Information Security Management System (ISMS) based on the ISO27001 standard. This became a mandatory requirement in the 2018 revision of its Information security policy (IS18:2018), as did the inclusion of all information systems and assets to be in scope of the ISMS.
ISO27001 gives entities an internationally recognised approach for the systematic management of information security risks. By taking a risk-based approach, entities can focus their efforts on securing their most sensitive information and technology assets.
Who is required to comply with IS18?
Governments, both state and local, are like any other large, distributed organisation – they’re only as strong as their weakest link. This means implementing and running an ISMS (ISO27001-based or otherwise) is crucial to every entity’s cyber security, even if IS18 isn’t applicable to them.
The Queensland Government does not require all state government entities to apply IS18, nor local governments – only departments and some selected entities. Further, statutory bodies (under the Financial and Performance Management Standard 2019) must have regard to IS18 in the context of internal controls, financial information management systems and risk management.
Despite this, some entities that aren’t directed to comply, still choose to run an ISO27001-based ISMS, while others run an ISMS based on an alternative standard (for example, the US government agency, National Institute of Standards and Technology). These are positive practices. Unfortunately, there are many entities that run no ISMS, which leaves a definite gap in their cyber security.
If public sector entities commit to implementing ISO27001, Queensland would have a unified and internationally recognised approach for the systematic management of information security risks. This would improve information sharing, cyber resilience and security, and incident coordination and response.
As a chief executive or audit chair, what should I be asking?
Chief executive officers and chairs of audit committees: if your entity is not currently running an ISMS or is running one but its scope does not cover all assets, ask your chief information officer (CIO), chief technology officer (CTO), or risk management team why.
Regardless of whether your entity complies or not, they should also answer the following questions:
- Is executive leadership informed about the current level and business impact of cyber risks to our entity and how is this done?
- Do we know the current level and business impact of cyber risks to our entity? Do we have a plan to address identified risks?
- Is our executive leadership notified of cyber incidents or data breaches, and what is the threshold for reporting?
- Is our audit and risk management committee (or equivalent) fully briefed on all organisational cyber risks, incidents, and breaches?
- Is our cyber incident response plan comprehensive and regularly tested?
- Do we know what compliance obligations our organisation has? How are we situated regarding the Information Privacy Act 2009, Office of Australian Information Commissioner Notifiable Data Breaches scheme, Australian Signals Directorate’s Essential Eight, and Australian Cyber Security Centre’s Information Security Manual?
- Does our cyber security program apply industry standards and best practice, and how does it do so?
- Are cyber security risks included in our enterprise risk management?
If the answer is ‘no’ to any of the above, your entity has an opportunity to improve its management of cyber security and information security risk and would benefit from implementing an ISO27001-based ISMS.
Where do I start with implementing an ISO27001-based ISMS?
It may seem like a daunting task but implementing ISO27001 can be reduced into smaller chunks and approached in a methodical way.
Start small and work up. Take a single system and scale outwards to accelerate understanding of the ISO27001 process. Alternately, start at the bottom by assessing, documenting, and recording all information and technology assets and scale upwards. This method is best for accelerating understanding of organisational assets and risk.
It all comes down to trust
In our hyper-connected world, we expect information to flow freely between government entities. And in an ideal situation, we would be able to login with a single unified identity and access all government services. We also expect our personal information to be handled with the utmost privacy and security.
So, how do we reconcile these apparently contradictory expectations? Trust. By using the same internationally accepted standards and approaches, entities can rely on each other to handle their data and security in a consistent way. They can also speak a consistent ‘language’ of security, collaborate more efficiently, and present a unified front and coordinated response against cyber attacks. ISO27001 can provide an excellent foundation on which to build such trust.
- The role of governance committees in managing cyber security risks | Queensland Audit Office (qao.qld.gov.au)
- Increasing concerns around cyber security risks | Queensland Audit Office (qao.qld.gov.au)
- Advice on ransomware prevention and recovery | Queensland Audit Office (qao.qld.gov.au)
- What does the Queensland Government’s information security policy (IS18:2018) mean for you? | Queensland Audit Office (qao.qld.gov.au)