Replacement Information Security Policy

Agencies are currently required to comply with Information Security Information Standard (IS18:2009).

From 1 October 2018, agencies will be required to comply with the replacement Information Security Policy (IS18:2018).

The new Information Security Policy includes five policy requirements, as opposed to the 10 policy requirements which applied under IS18:2009. The key policy requirement is for agencies to implement an Information Security Management System (ISMS) based on the current version of ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements.

It is common for agencies to require third party suppliers to comply with the current IS18:2009 in most services contracts, particularly those for ICT products and services. Agencies should ensure that, when imposing obligations on suppliers, the current policy or standard is specified to avoid any future disputes.

General information about the replacement of IS18:2009 and implementation of IS18:2018, including course materials from ISMS Implementation Training workshops, is available here. Another recent change to Queensland Government policies and standards about information management was the replacement of two Information Standards, being Retention and Disposal of Public Records (IS31) and Recordkeeping (IS40), with a new Records Governance Policy and Guideline on 29 June 2018.