At a Glance
- Client — Queensland Government agency managing sensitive public data and critical services
- Challenge — Required a single, defensible IS18 assurance report integrating ISO 27001 and Essential Eight controls to support executive reporting and funding approval
- Starting point — Fragmented assurance activities (policy drafts, risk register, M365 hardening) with no unified view across frameworks
- Goal — Produce a consolidated IS18 report, map control status, and deliver a prioritized uplift roadmap — all with verifiable evidence
- Result — IS18 report delivered in 4 weeks, readiness score improved from 48% to 82%, and approved 12-week uplift plan with clear budget confidence
The Challenge
The agency was under pressure to provide executive leadership and funding bodies with a clear, consolidated view of its cybersecurity posture.
Existing work was underway in silos:
- ISO 27001 policies and risk register drafts
- Some Essential Eight hardening in existing tools
- No single report linking governance (ISO 27001) and technical controls (Essential Eight) to IS18 requirements
The risks were significant:
- Delayed funding or executive approval due to lack of a unified assurance picture
- Inconsistent evidence across frameworks — making audits and reviews time-consuming
- Potential gaps in compliance that could expose sensitive public data
The executive team needed:
- A single IS18 report showing status across ISO 27001 and Essential Eight
- Verifiable evidence — not just self-attestations
- A prioritized uplift plan with realistic timelines, owners, and risk impact
Our Approach
We delivered a lean, integrated assurance program — focusing on what mattered most to executives and auditors.
- Scoping & Control Mapping: Defined IS18 scope and context, then mapped every IS18 clause to ISO 27001 governance domains and Essential Eight technical strategies — creating a single, defensible control matrix.
- Rapid Gap Assessment (4 weeks): Conducted targeted interviews and sampling across key controls — assessing ISO 27001 governance (scope, roles, risk, SoA) and Essential Eight technical maturity (application control, patching, MFA, backups, etc.).
- Evidence Readiness: Built a repeatable evidence register — documenting sources, owners, and cadence for every control, ensuring auditors could verify status quickly.
- Prioritized Uplift Roadmap: Produced a 12-week plan — sequencing actions by risk reduction, delivery effort, and dependencies (e.g., MFA + conditional access unlocks multiple wins).
- Executive & Reporting Support: Delivered the IS18 report with clear status, gaps, and roadmap — plus an executive brief and Q&A pack for leadership review.
Results
- IS18 assurance report delivered in 4 weeks — consolidating ISO 27001 governance and Essential Eight technical status with verifiable evidence
- Readiness score improved from 48% to 82% in one quarter
- 55% reduction in evidence collection time — repeatable and defensible
- Approved 12-week uplift plan — clear milestones, owners, and budget confidence
Key Deliverables
- Consolidated IS18 assurance report — ISO 27001 + Essential Eight cross-referenced
- Control mapping matrix with status, evidence locations, and gaps
- Prioritized 12-week uplift roadmap with owners and risk impact
- Repeatable evidence register and collection cadence
- Executive brief, posture scorecard, and Q&A support
The Bottom Line
This Queensland Government agency went from fragmented assurance activities to a single, defensible IS18 report integrating ISO 27001 governance and Essential Eight technical controls — delivered in just 4 weeks — enabling executive confidence, funding approval, and a clear path to stronger cybersecurity.
Ready to unify your cyber governance and technical controls into one clear, executive-ready view?