## At a Glance

| Attribute | Detail |
|---|---|
| Sector | Queensland State Government |
| Starting point | 48% readiness — fragmented policies, partial risk register, some M365 hardening, no unified IS18 view |
| Timeline | 4 weeks to completed IS18 assurance report |
| Frameworks | IS18, ISO 27001, Essential Eight |
| Environment | Microsoft 365 (SharePoint, Intune, Defender, Entra ID) |
## The Challenge
IS18 is the Queensland Government’s mandatory information security policy, requiring alignment with both the ISO 27001 governance framework and the ASD Essential Eight technical controls. An IS18 assurance report is not a self-assessment — it requires documented evidence mapped to specific controls, a clear view of gaps, and a credible remediation path.
This agency had been working on its security posture, but the work had accumulated in silos:
- ISO 27001 governance activities (policies, risk register, leadership roles) had progressed separately from technical controls
- Essential Eight hardening had been partially implemented in Microsoft 365 but never formally assessed or evidenced against maturity level requirements
- Evidence was scattered across SharePoint folders, email threads, and spreadsheets — not organised for auditability
- No single person or team had a consolidated view of the agency’s IS18 posture
The business pressure was acute. A funding approval was contingent on demonstrating a credible security posture and a funded improvement roadmap. Without the IS18 report, the budget cycle was at risk.
The timeline was four weeks — not a preference, but a hard deadline tied to the executive reporting cycle.
## Our Approach
The four-week timeline required a disciplined, focused programme — no unnecessary scope, no gold-plating, and rapid evidence triage to separate what existed and needed organising from what genuinely didn’t exist and needed to be built.
### 1. Scope and control mapping (week 1)
Defined the IS18 assurance scope in the context of the agency’s operations and data classifications. Produced a single control matrix mapping every IS18 clause to the relevant ISO 27001 governance domain and Essential Eight technical control — the analytical backbone of the whole programme.
This control matrix served two purposes: it was the structure for the gap assessment, and it became the evidence index for the final report. Work done once, used twice.
### 2. Rapid gap assessment (weeks 1–3)
Conducted targeted interviews with control owners and evidence sampling across three assessment streams in parallel:
**ISO 27001 governance stream:**
- ISMS scope and context of the organisation
- Leadership roles and security objectives
- Risk assessment and risk treatment plan
- Statement of Applicability status
- Internal audit programme
**Essential Eight technical stream:**
- Application control coverage and enforcement state
- Patch management cadence and tooling
- Office macro configuration via Intune
- User application hardening profiles
- Administrative privilege management and logging
- MFA enforcement and coverage
- Backup configuration, retention, and restore evidence
**Evidence readiness stream:**
- Existing documentation triaged into auditable vs non-auditable
- Evidence sources identified and owners confirmed
- Gaps requiring new evidence distinguished from gaps requiring better organisation of existing evidence
### 3. Evidence organisation and uplift (weeks 2–4)
For controls that existed but were undocumented, evidence was structured and formalised. For controls with genuine gaps, targeted uplift was implemented — prioritised by IS18 risk rating and feasibility within the timeline.
A repeatable evidence register was built in SharePoint — documenting every control’s evidence source, responsible owner, collection frequency, and last review date. This wasn’t just for the IS18 report; it became the agency’s ongoing evidence management infrastructure.
### 4. IS18 assurance report and executive deliverables (week 4)
Produced the IS18 assurance report with:
- Consolidated control status across ISO 27001 governance and Essential Eight technical domains
- Evidence-backed findings for each assessed control
- Readiness score with domain breakdown
- Prioritised 12-week uplift roadmap with owners, risk impact, effort estimates, and budget implications
- Executive brief designed for the funding approval process
- Posture scorecard for ongoing management reporting
## Results
Readiness improved from 48% to 82% in four weeks — with a funded 12-week uplift roadmap approved and the budget cycle proceeding on schedule.
- **IS18 assurance report delivered in 4 weeks** — consolidating ISO 27001 governance and Essential Eight technical controls into a single, evidence-backed document that satisfied both executive leadership and the funding body’s requirements.
- **Readiness score improved from 48% to 82%** — partly through evidence organisation (controls that were operating but undocumented) and partly through targeted uplift of genuine gaps.
- **Evidence collection time reduced by 55%** — the repeatable evidence register and SharePoint infrastructure turned ongoing evidence collection into a routine activity rather than a project.
- **Funding approval secured** — the executive team had a credible, defensible posture document and a funded improvement roadmap. The budget cycle proceeded on schedule.
## Key Deliverables
- IS18 control matrix mapping every IS18 clause to ISO 27001 governance and Essential Eight technical controls
- Gap assessment across both governance and technical streams with evidence-backed findings
- Consolidated IS18 assurance report — status, evidence, gaps, and risk ratings
- Prioritised 12-week uplift roadmap with owners, effort estimates, and budget implications
- Repeatable evidence register with sources, owners, and collection cadence
- Executive brief and posture scorecard for leadership reporting
- Funding approval support documentation
## The Bottom Line
IS18 assurance isn’t a theoretical exercise — it sits in the middle of budget cycles, executive reporting, and audit programmes. Agencies that arrive at the reporting deadline with fragmented, undocumented security activities face two bad options: delay the process, or produce a report that doesn’t survive scrutiny.
This agency had four weeks, a 48% readiness score, and a hard funding deadline. The result: an 82% readiness score, a defensible IS18 report, and a funded improvement programme — delivered on time.