
Claudia Warwar, Director, Governance, Risk & Compliance (GRC)
Introduction
As many Local Government Authorities (LGAs) in Queensland embark on their submissions for this year’s IS:18 compliance, they navigate a landscape fraught with challenges and opportunities in information security management. IS:18, closely aligned with ISO 27001 principles, introduces specific requirements tailored to Queensland’s context, thereby shaping LGAs’ information security efforts across IT and Operational Technology (OT).
This journey unfolds against the backdrop of resource constraints, varying levels of maturity, and the imperative of continuous improvement.
Having supported a large number of local government and state government agencies with their submissions, Claudia Warwar, CyberCX’s Queensland Director Governance Risk and Compliance, shares key observations her team has made when working with LGAs, offering insights and better practices to navigate the complexities of IS:18 requirements effectively.
1. IS:18 vs. ISO 27001
IS:18 closely aligns with ISO 27001 principles but introduces specific requirements tailored to Queensland’s context.
While ISO 27001 provides a broad framework for Information Security Management Systems (ISMS), IS:18 mandates certain aspects, such as inclusion of the ASD Essential Eight and annual reporting requirements, to ensure alignment with Queensland government objectives. This means that LGAs must not only adhere to the ISO 27001 standard but also address the additional requirements outlined in IS:18. To achieve this, LGAs should conduct a thorough analysis of the requirements and develop a compliance strategy that effectively manages risk to an acceptable level.
Read more: CyberCX’s Unlocking the Essential Eight: A complete guide for Australian organisations
2. Control Guidance vs. Control Requirements
LGAs often face challenges in distinguishing between control guidance and control requirements. While control guidance offers flexibility in implementation, LGAs must consider control adoption and compensating controls based on their risk appetite, ensuring that controls are appropriate and effective in lowering risk. This requires a clear understanding of the intent behind control requirements and the organisation’s unique risk landscape. LGAs should engage in open dialogue between the business and their cyber team to clarify any ambiguities and ensure that control implementation meets risk expectations.
3. Resource Constraints and Capacity Challenges
Limited cyber resources and capacity constraints present significant hurdles for LGAs in achieving IS:18 compliance. Budgetary limitations, staffing shortages, and competing priorities can hinder the allocation of sufficient skilled resources to information security initiatives.
To address this, LGAs should prioritise compliance efforts strategically, focusing on high-impact areas and exploring opportunities for resource sharing and collaboration. This may involve leveraging external cyber expertise, partnering with other government entities, or engaging in regional knowledge-sharing initiatives to optimise their capabilities and overcome resource constraints effectively.
4. Independent Assurance vs. Internal Assurance
LGAs have the option to seek either independent or internal assurance for IS:18 compliance.
Independent assurance, provided by external auditors or assurance providers, offers streamlined processes and expert validation of controls. In contrast, internal assurance entails self-assessment and reporting, requiring extensive documentation and interaction with central governing bodies.
LGAs must carefully weigh the benefits and trade-offs of each approach, considering factors such as skilled resource availability, organisational readiness, and regulatory requirements. While independent assurance may offer greater credibility and impartiality, internal assurance allows LGAs to leverage internal expertise.
5. Continuous Improvement Mindset
Embracing a culture of continuous improvement is essential for LGAs striving for IS:18 compliance and effective risk management.
Compliance is not a one-time endeavour but an ongoing journey of refinement and enhancement. LGAs should leverage support from the Central Security Unit (CSU) and other stakeholders to identify areas for improvement, address past non-conformances, and stay abreast of evolving threats and technologies. This involves conducting regular reviews of the ISMS, identifying improvement opportunities, and implementing corrective and preventive actions to enhance the effectiveness of controls. By fostering a culture of innovation and adaptability, LGAs can drive meaningful progress towards enhancing their information security posture and resilience.
6. Policies Maintenance and Review
Policies are the backbone of information security governance, providing clear guidelines and standards for personnel to follow. LGAs must ensure that policies are communicated, regularly reviewed and updated to reflect changes in technology, regulations, and organisational requirements. Failure to maintain up-to-date policies can lead to automatic non-conformance and compromise the effectiveness of the Information Security Management System (ISMS). Regular policy reviews allow LGAs to assess the relevance and adequacy of existing policies, identify gaps or inconsistencies, and address emerging threats or requirements proactively. By establishing a structured policy review process and assigning clear responsibilities for policy maintenance, LGAs can ensure that their information security policies remain current, relevant, and aligned with organisational objectives.
7. Managing Expectations and Deadlines
Effective management of expectations and adherence to strict deadlines are crucial for LGAs throughout the compliance process. Delays in workshop scheduling, submission preparations, or stakeholder engagement are common challenges that can jeopardise the compliance timeline. To mitigate these risks, LGAs must engage in proactive planning and communication with stakeholders, setting realistic expectations and allocating buffer time for unforeseen delays. Clear communication channels and regular updates on progress are essential for keeping stakeholders informed and engaged throughout the submission process. By prioritising time management and adopting a proactive approach to deadline management, LGAs can ensure timely submission and meet regulatory requirements effectively.
8. Interconnectedness and Interdependencies
LGAs operate within complex ecosystems characterised by interconnected networks, shared services, and dependencies with other government entities and external stakeholders. Collaboration and information sharing among stakeholders are essential for addressing common vulnerabilities and threats effectively. LGAs should actively engage with partners and stakeholders to strengthen the resilience of their information systems and infrastructure. This involves establishing formal communication channels, sharing threat intelligence and better practices, and coordinating response efforts in case a security risk eventuates. By fostering a culture of collaboration and partnership, LGAs can leverage collective expertise and resources to enhance the security posture of the entire ecosystem.
9. Variation in Maturity Levels
LGAs exhibit varying degrees of maturity in their information security management practices. While some LGAs demonstrate a high level of sophistication with well-established policies, procedures, and controls, others are still in nascent stages, grappling with foundational aspects of information security. Tailored support mechanisms and interventions are necessary to address the specific needs of each LGA and facilitate their journey towards improved maturity. This may involve providing training and capacity-building initiatives, offering mentorship and guidance from more mature organisations, or facilitating knowledge-sharing and collaboration opportunities among LGAs. By recognising and addressing the diversity of maturity levels within the LGA community, stakeholders can foster a culture of continuous improvement and accelerate progress towards information security risk management.
Summary
Navigating IS:18 requirements demands strategic resource allocation, nuanced interpretation, and a commitment to continuous improvement from Local Government Authorities (LGAs) in Queensland.
While closely aligned with ISO 27001, IS:18 introduces specific requirements tailored to the state’s context, requiring careful consideration by LGAs. By prioritising compliance efforts, managing expectations, and fostering collaboration, LGAs can enhance their information security posture and strengthen public trust. However, a culture of continuous improvement, facilitated by proactive planning and stakeholder engagement, is crucial for sustained success.
Local governments should consider knowledge sharing with other similar organisations or working closely with external or independent assurance organisations to streamline processes and validate controls, further enhancing the robustness of their information security risk management efforts.
Through these concerted efforts, LGAs can fortify their defences and mitigate emerging threats effectively.
Ready to get started?
Find out how CyberCX can help support your organisation with IS:18 compliance.